ACME TLS-SNI-01 Email.. can we please include the domain


#1

I usually get emails when a certificate is going to expire, for servers that I haven’t set the crontab to auto-renew for. Can we please get the domains affected? Let’s Encrypt certainly knows which domains have used this, and it would be super helpful to help track down which server is using the now deprecated method of authentication/validation/proof of ownership.


#2

Hi @scottconrad

Your config files know the same.

  • Check if your Certbot is new, so http is used
  • Check your config files if there is something like standalone or tls-sni

#3

Ah, standalone. I’ll log into all the servers I guess and see. It would be nice if it told you the affected domain; I get expiration emails for domains, I don’t see why this couldn’t happen for this too.


#4

I believe OP is talking about the email notification. If you are managing several domains, the email is not descriptive enough to point to the one that needs attention.


#5

Indeed, the reply is not useful at all. I received the Action Required email, with no domain mentioned. So I did a dry run on the webserver that uses certbot; both websites report using http-01. So exactly what triggered the email??? Include the domain in the email, it’s not difficult to do!!


#6

Agreed, just spent 30 minutes looking through logs on servers trying to work out who/what has triggered the email. For me it was anything set up standalone, e.g.
certbot certonly --standalone
and the renews are now
certbot renew --preferred-challenges http-01
I’ll have to wait and see till a cert actually needs renewing to know if that is correct or not.
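
A way to answer “which cert on this box would still try tls-sni-01?” without reading every file by hand, as an added example that is not part of this thread or of Certbot itself. It assumes the default renewal directory /etc/letsencrypt/renewal/<certname>.conf and treats a standalone authenticator with no http-01 preference as suspect (the pattern post #6 found); the three sample configs are constructed for the demo.

```python
"""Scan Certbot renewal configs for certs that may still use tls-sni-01.

Added example, not Certbot's own code. Assumption: the renewal directory
layout is the default one, and 'authenticator = standalone' with no
http-01 in pref_challs is reported as suspect (older standalone runs
could pick tls-sni-01 by default)."""
import configparser
import os
import tempfile

RENEWAL_DIR = "/etc/letsencrypt/renewal"  # Certbot default, assumed here

def classify(conf_text):
    """Return 'tls-sni', 'standalone-default' or 'ok' for one renewal config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[top]\n" + conf_text)  # top-level keys need a section
    params = parser["renewalparams"] if parser.has_section("renewalparams") else {}
    prefs = [p.strip() for p in params.get("pref_challs", "").split(",") if p.strip()]
    if any(p.startswith("tls-sni") for p in prefs):
        return "tls-sni"                     # explicitly asks for the dead challenge
    if params.get("authenticator") == "standalone" and "http-01" not in prefs:
        return "standalone-default"          # no preference pinned: check this one
    return "ok"

def suspect_certs(renewal_dir=RENEWAL_DIR):
    """Map cert name (file stem) -> reason for every config that is not 'ok'."""
    findings = {}
    for name in sorted(os.listdir(renewal_dir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(renewal_dir, name)) as fh:
            verdict = classify(fh.read())
        if verdict != "ok":
            findings[name[:-len(".conf")]] = verdict
    return findings

SAMPLES = {  # constructed renewal configs for three certificate names
    "old-standalone.example": "version = 0.19.0\n[renewalparams]\n"
                              "authenticator = standalone\n",
    "explicit-tls-sni.example": "version = 0.25.0\n[renewalparams]\n"
                                "authenticator = nginx\npref_challs = tls-sni-01,\n",
    "fixed.example": "version = 0.31.0\n[renewalparams]\n"
                     "authenticator = standalone\npref_challs = http-01,\n",
}

def demo():
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for cert, text in SAMPLES.items():
            with open(os.path.join(tmp, cert + ".conf"), "w") as fh:
                fh.write(text)
        return suspect_certs(tmp)

if __name__ == "__main__":
    for cert, reason in demo().items():
        print(f"{cert}: {reason}")
```

Run it with the real directory (`suspect_certs()`) on each server, or pipe the renewal directory through it from a config-management run, and the output is the per-cert list the email did not give you.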


#7

Another vote for including either the domain or the IP address of the client that made the tls-sni-01 renewal request. With a handful of sites using letsencrypt, it’s easy enough to check configs. With hundreds or thousands across different environments with different setups, it’s much harder to find the offending client.


#8

Yes, please identify the domain in the email. I have 25 domains using letsencrypt certs.


#9

Please identify the offending domain names. Otherwise we’ll be wasting hours logging into every server to check.


#10

Could not agree more that the email should include the affected domains. I manage a handful of servers with close to 100 sites in total, and it’s impractical for me to go searching through that many config files when the information could have been reported in a detailed manner at the start.


#11

I don’t think there has been any proper validation done to ensure the email provided is in fact the one responsible for the domain(s) in question.
So that may pose legal problems (GDPR, etc.) when notifying unknown parties about maybe someone else’s domain and information. And doing so through yet a third party email service and over (sometimes) insecure channels…


#12

But the domains are already listed in the renewal e-mails anyway.


#13

The emails go to whoever entered their info in the initial certificate request or whatever it is when you create the cert. We get expiration emails with the affected domains, and a message saying you have “X” days to update your certificate.

I do understand that this might be read as being lazy, but I always look at it as how many people are affected, and how much time would they collectively be spending to check all of their servers to see which one it has a problem with. Adding the domain affected would be a huge win for developers everywhere, and hopefully something incredibly easy to add.


#14

We’re planning to do a second run with domain names included. Thanks for all the feedback!


#15

Received the new version of the email today, very helpful! Turned out to be a false alarm, in our case (already resolved by a certbot upgrade), but it was good to have the certainty.


#16

I’m very glad it helped, @patrickmkane!