select cert.id, cert.not_after, dns.type, dns.token, cert.temp_parent from certificates as cert left outer join dns on cert.dns = dns.id where cert.active = 1 and (cert.auto_renew = 1 or cert.not_after IS NULL) and cert.renewing = 0 and cert.renew_failed = 0 and (cert.not_after IS NULL or DATETIME(cert.not_after, 'utc', '-30 days') < DATETIME()) order by cert.temp_parent, cert.not_after DESC NULLS FIRST