Monday, October 26, 2020

We received the following message:


Your certificate (or certificates) for the names listed below will expire in 20 days (on 08 Nov 20 18:49 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See for details.

For any questions or support, please visit Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at

The Let's Encrypt Team

This is because at some moment we requested a certificate covering those two domains. The certbot server worries because this certificate hasn’t been renewed. This is usually caused by a certificate that we requested some time ago but don’t use any more.

And indeed, we had these two messy certificates:

Certificate Name:
  Serial Number: 32fb6c0c2175f07bdf0cd3645ee8726ba42
  Expiry Date: 2020-11-15 03:16:22+00:00 (VALID: 19 days)
  Certificate Path: /etc/letsencrypt/live/
  Private Key Path: /etc/letsencrypt/live/
Certificate Name:
  Serial Number: 467fe5acafafcfed866554c353c5126404a
  Expiry Date: 2020-11-08 18:49:18+00:00 (VALID: 13 days)
  Certificate Path: /etc/letsencrypt/live/
  Private Key Path: /etc/letsencrypt/live/

The second certificate is not being used, and it is about the same two domains mentioned in our warning.

(master) luc@laudate:~$ grep /etc/nginx/sites-enabled/* /etc/nginx/sites-enabled/lists.conf: server_name; /etc/nginx/sites-enabled/lists.conf: ssl_certificate /etc/letsencrypt/live/; # managed by Certbot /etc/nginx/sites-enabled/lists.conf: ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot /etc/nginx/sites-enabled/lists.conf: if ($host = { /etc/nginx/sites-enabled/lists.conf: server_name;

There is another certificate which covers the lists subdomain. We removed an unused certificate on

$ certbot-auto delete --cert-name

It is a pity that the certbot warning does not give a unique id of the certificate. The only way to see whether their warning notice matches an existing certificate is to search for candidates.

And I guess that certbot delete command does not automatically notify the certbot server that they can delete this certificate. In other words they will bother us again about this certificate, maybe next week, and we will again spend some time to find out that we can ignore it. But ok, I also don’t see right now whether and how they would manage all use cases.

Another thing is: how can we tell certbot to notify also Hannes about certificate expirations? Answer: add hannes to postmaster. The default mail address on the acme server is