diff --git a/src/notifications.js b/src/notifications.js
index 846ed08ba..d5e556bcb 100644
--- a/src/notifications.js
+++ b/src/notifications.js
@@ -251,7 +251,7 @@ async function onEvent(id, action, source, data) {
     case eventlog.ACTION_CERTIFICATE_RENEWAL:
     case eventlog.ACTION_CERTIFICATE_NEW:
         if (!data.errorMessage) return;
-        if (!data.notAfter || (data.notAfter - new Date() >= (60 * 60 * 24 * 10 * 1000))) return; // more than 10 days left to expire
+        if (!data.notAfter || (data.notAfter - new Date() >= (10 * 24 * 60 * 60 * 1000))) return; // more than 10 days left to expire
         return await certificateRenewalError(id, data.domain, data.errorMessage);
 
     case eventlog.ACTION_BACKUP_FINISH:
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index d878e1018..32029dd69 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -105,9 +105,12 @@ function getExpiryDate(certFilePath) {
     if (!result) return null; // some error
 
     const notAfter = result.stdout.toString('utf8').trim().split('=')[1];
-    debug(`expiryDate: ${certFilePath} notAfter=${notAfter}`);
+    const notAfterDate = new Date(notAfter);
 
-    return new Date(notAfter);
+    const daysLeft = (notAfterDate - new Date())/(24 * 60 * 60 * 1000);
+    debug(`expiryDate: ${certFilePath} notAfter=${notAfter} daysLeft=${daysLeft}`);
+
+    return notAfterDate;
 }
 
 // We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
@@ -422,7 +425,7 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
             if (currentBundle) {
                 debug(`ensureCertificate: ${vhost} certificate already exists at ${currentBundle.keyFilePath}`);
                 notAfter = getExpiryDate(currentBundle.certFilePath);
-                const isExpiring = (notAfter - new Date()) <= (60 * 60 * 24 * 30 * 1000); // expiring in a month
+                const isExpiring = (notAfter - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
                 if (!isExpiring && providerMatchesSync(domainObject, currentBundle.certFilePath, apiOptions)) return callback(null, currentBundle, { renewed: false });
                 debug(`ensureCertificate: ${vhost} cert requires renewal`);
             } else {