BUG (?): Received an email for "expiring" certificates which are actually not

I have just received an email with a warning saying that some of my certificates are going to expire in 19 days. While I renewed them some time ago, and they are going to expire in December and January. I believe there is some lag in Let’s Encrypt system. Who would like to take a look?

Certbot doesn’t revoke the cert without explicitly using the revoke command. It’ll still send you reminders for any unrevoked certs, just in case you never got around to installing it, so there’s no good way to stop the notices even when they no longer apply. As far as I know anyway.

I don’t know… I’ve renewed SSL certificates a few times with Let’s Encrypt already, and I never received notifications after the certificates had been renewed till today. If there is a new certificate for the same domain name, it shouldn’t send any warnings, I believe.

Was the new certificate an exact renewal of the old cert ? or has anything changed (such as including the www. subdomain or something else). If the cert has changed ( because of added / removed domains) then you will still get an email.

If it’s the same, please provide the domain names so it can be looked into further.

No, nothing has changed.

Today’s email:

2:37 PM (8 hours ago)

to me

Your certificate (or certificates) for the names listed below will expire in 19 days (on 03 Nov 16 21:13 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.


Actual situation with certificates (renewed on October 9th):

PS Your forum doesn’t let me add more than 1 image to the post, but in regard to the other two names, it’s the same (renewed on October 9, 2016).

Looking at the public lists - https://crt.sh/?q=%.csbubbles.com

The certificates are often slightly different. For example the api cert in august ( https://crt.sh/?id=27061945 ) was both for the api subdomain and your main domain. in October when it was renewed ( https://crt.sh/?id=41360318 ) it was only for the api subdomain. Hence this was considered a different cert - and the warning email will be about the original cert.

The other subdomain certs also change slightly, hence why you are getting the emails.

Well, it’s still confusing for the end consumer. I believe you that it can be explained technically somehow, but, as a user of Let’s Encrypt product, I don’t really need to know about that stuff. If I have 3 valid certificates (for the main domain and its 2 sub-domains), it doesn’t really matter for me what happened before. The only thing that matters is that everything is perfectly fine now. The email told me that I should go renew something, while, in reality, I didn’t have to.

PS Again, I am talking from the end user perspective. I believe that’s the whole point of Let’s Encrypt ideology is to hide all the details regarding SSL certificate internals and make it as painless as possible for a dumb customer as myself.

Understood. For that requirement I’d suggest subscribing from those alerts and using one of the systems which checks the actual certs loaded on your websites - and alerts you via that route.

I received this message again today. And it was confusing again. I still believe it’s a bug in Let’s Encrypt notification system as it sends wrong messages… None of the certificates for the domain names listed is going to expire on the mentioned date.

Your certificate (or certificates) for the names listed below will expire in 9 days (on 03 Nov 16 21:13 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.


There are certificates for those hostnames that are going to expire on that date:

https://crt.sh/?id=27061945 (csbubbles.com, api.csbubbles.com)
https://crt.sh/?id=27061955 (csbubbles.com, media.csbubbles.com)

They haven’t been precisely renewed. On October 9, they were replaced with different certificates with slightly different sets of hostnames:

https://crt.sh/?id=41360350 (csbubbles.com)
https://crt.sh/?id=41360318 (api.csbubbles.com)
https://crt.sh/?id=41360369 (media.csbubbles.com)

As mentioned above, it’s a limitation of the notification system that it has no way to know that different replacement certificates supersede the old certificate’s need for renewal.

Edit: There can’t be a perfect solution. Let’s Encrypt has no way to know what you’re doing with the certificates. You may have stopped using the old one. You may be using the old one in Nginx, and the new one in Apache. Who can say? Only you. The best idea i can think of is a “stop notifying me about this certificate!” button.

I’ve generated new certificates for csbubbles.com, api.csbubbles.com, media.csbubbles.com through Let’s Encrypt. So Let’s Encrypt knows about new certificates for all three domain names. I mean there is a certificate generated for “api.csbubbles.com” on October 9, for example. The same for “csbubbles.com” and “media.csbubbles.com”. So, everything is fine. Whether there was something else stored in Let’s Encrypt for those domains or their combinations before October 9 is not relevant anymore. Which means there shouldn’t be any notification.

Exactly. Let's fix it and won't mislead the customer anymore.

https://crt.sh/?id=27061945 (csbubbles.com, api.csbubbles.com)

There are two domain names here. If you check whether there are certificates for each of them separately (you can handle that, I believe, as all that information is in your database) and they don't require renewal, then there is no need to send notifications. So, at least it looks like there is a way...

Yeah, they know you generated new certificates, but they can’t know for certain that you stopped using the old ones.

Here’s a contrived example: You run certbot on a server, and use the certificates in Docker containers. You decide to issue separate certificates for each container.

  • You create a container for an IMAP daemon with a certificate for mail.csbubbles.com.
  • A month later, you create a container for a web server. You create a separate certificate for csbubbles.com, www.csbubbles.com and a webmail app on mail.csbubbles.com.

You still need the older certificate. If it expired, your IMAP would break! Let’s Encrypt needs to notify you if it approaches expiration, even though you have a more recent certificate covering a superset of the old certificate’s hostnames.

Is that contrived? A little. Do 99% of people have a setup that complicated? No. But some do, and it would be unfortunate if they missed necessary notification emails.

There are three ways to handle it: 1.) Notify everyone, sometimes annoying people unnecessarily. 2.) Notify no one, sometimes resulting in actively used certificates expiring. 3.) Something in between, where notifications are optional and can be disabled per-certificate.

Let’s Encrypt is currently going with option 1, probably because it’s simplest to design and implement. I’d prefer number 3, and the dev team have probably thought about it, but it’s more complicated and they probably have more urgent issues to deal with.

(FWIW, i don’t personally represent Let’s Encrypt.)

Even in your example they still can detect whether all the domain names from the certificate were renewed separately. If mail.* wasn’t, then it makes sense to send a notification specifying the actual reason – the certificate needs to be renewed because one of its domains doesn’t have a fresh certificate. If for each of the domain names a new certificate has been created, then there is no reason to notify. I might be wrong, of course, and I have no knowledge about the notification system that Let’s Encrypt uses, but from the technical perspective it sounds like a pretty trivial task – iterate through all the domain names in the certificate and check whether they have separate certificates renewed already (and whether all of them or not).

You know, I am even not sure how I got those certificates with multiple domain names in the first place. But when I receive such notifications, it attracts my attention, I go check what I am supposed to renew, and realize that everything is actually fine, and I don’t need to do anything. My initial point was that the domains and their certificates are perfectly good, and that’s what I am concerned most. And the notifications about some old certificates which are not applicable anymore to my domains make me worry about irrelevant things. The request was to make the notification system a bit smarter (which might be not that hard).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.