Cert expiration notice (fail) + Q: many folders and files

Hello,
I use letsencrypt on a shared virtual server webhost account. Everything works fine there, but I have questions.
I got the expiration notice email saying that the Cert ends. But the date is not entirely true. The Cert was first created on 6/16/2016. Plus 90 days = 09/14/2016. On this date, the expiration notice issued email.

25/08/2016

"Your certificate (or certificates) for the names listed below will expire in 19 days (on September 14, 16 15:10 +0000)."

09/04/2016

"Your certificate (or certificates) for the names listed below will expire in 10 days (on September 14, 16 15:10 +0000)."

On 07/19/2016 the Cert was renewed, since another subdomain was added to the web host account. The new expiration date is now on 10/17/2016.

[example@server ~]$ list-certificates
common name: example.com
issuer: Let's Encrypt Authority X3
valid until: 2016-10-17 10:54:00 CEST
will be removed in 41 days.
alternative name: example.com
alternative name: blog.example.com
alternative name: www.example.com

That's it.

My other question:
It created several versions of folders and files.
Now I would like to know which is the latest version that is actually used, and which can be deleted.
[EDIT: update folder/file-list with more details]

[example@server .config]$ ls -lahR 
.: 
total 12K 
Jun 16 18:05 .
Jul 28 18:45 ..
Jun 16 18:10 letsencrypt
 
./letsencrypt: 
total 36K 
Jun 16 18:10 .
Jun 16 18:05 ..
Jun 16 18:09 accounts
Jul 19 11:14 archive
Jul 19 10:50 cli.ini 
Jul 19 11:53 csr
Jul 19 11:53 keys
Jul 19 11:14 live
Jul 19 11:56 renewal
 
./letsencrypt/accounts: 
total 12K 
Jun 16 18:09 .
Jun 16 18:10 ..
Jun 16 18:09 acme-v01.api.letsencrypt.org
 
./letsencrypt/accounts/acme-v01.api.letsencrypt.org: 
total 12K 
Jun 16 18:09 .
Jun 16 18:09 ..
Jun 16 18:10 directory
 
./letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory: 
total 12K 
Jun 16 18:10 .
Jun 16 18:09 ..
Jun 16 18:10 xxx
 
./letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/xxx: 
total 20K 
Jun 16 18:10 .
Jun 16 18:10 ..
Jun 16 18:10 meta.json
Jun 16 18:10 private_key.json
Jun 16 18:10 regr.json
 
./letsencrypt/archive: 
total 16K 
Jul 19 11:14 .
Jun 16 18:10 ..
Jul 19 11:57 example.com
Jul 19 11:14 example.com-0001
 
./letsencrypt/archive/example.com: 
total 48K 
Jul 19 11:57 .
Jul 19 11:14 ..
Jun 16 18:10 cert1.pem
Jul 19 11:53 cert2.pem
Jun 16 18:10 chain1.pem
Jul 19 11:53 chain2.pem
Jun 16 18:15 full_cert1.pem
Jul 19 11:57 full_cert2.pem
Jun 16 18:10 fullchain1.pem
Jul 19 11:53 fullchain2.pem
Jun 16 18:10 privkey1.pem
Jul 19 11:53 privkey2.pem
 
./letsencrypt/archive/example.com-0001: 
total 24K 
Jul 19 11:14 .
Jul 19 11:14 ..
Jul 19 11:14 cert1.pem
Jul 19 11:14 chain1.pem
Jul 19 11:14 fullchain1.pem
Jul 19 11:14 privkey1.pem
 
./letsencrypt/csr: 
total 36K 
Jul 19 11:53 .
Jun 16 18:10 ..
Jun 16 18:10 0000_csr-letsencrypt.pem
Jul 19 11:14 0001_csr-letsencrypt.pem
Jul 19 11:43 0002_csr-letsencrypt.pem
Jul 19 11:48 0003_csr-letsencrypt.pem
Jul 19 11:51 0004_csr-letsencrypt.pem
Jul 19 11:52 0005_csr-letsencrypt.pem
Jul 19 11:53 0006_csr-letsencrypt.pem
 
./letsencrypt/keys: 
total 36K 
Jul 19 11:53 .
Jun 16 18:10 ..
Jun 16 18:10 0000_key-letsencrypt.pem
Jul 19 11:14 0001_key-letsencrypt.pem
Jul 19 11:43 0002_key-letsencrypt.pem
Jul 19 11:48 0003_key-letsencrypt.pem
Jul 19 11:51 0004_key-letsencrypt.pem
Jul 19 11:52 0005_key-letsencrypt.pem
Jul 19 11:53 0006_key-letsencrypt.pem
 
./letsencrypt/live: 
total 16K 
Jul 19 11:14 .
Jun 16 18:10 ..
Jul 19 11:53 example.com
Jul 19 11:14 example.com-0001
 
./letsencrypt/live/example.com: 
total 8.0K 
Jul 19 11:53 .
Jul 19 11:14 ..
Jul 19 11:53 cert.pem -> ../../archive/example.com/cert2.pem
Jul 19 11:53 chain.pem -> ../../archive/example.com/chain2.pem
Jul 19 11:53 fullchain.pem -> ../../archive/example.com/fullchain2.pem
Jul 19 11:53 privkey.pem -> ../../archive/example.com/privkey2.pem
 
./letsencrypt/live/example.com-0001: 
total 8.0K 
Jul 19 11:14 .
Jul 19 11:14 ..
Jul 19 11:14 cert.pem -> ../../archive/example.com-0001/cert1.pem
Jul 19 11:14 chain.pem -> ../../archive/example.com-0001/chain1.pem
Jul 19 11:14 fullchain.pem -> ../../archive/example.com-0001/fullchain1.pem
Jul 19 11:14 privkey.pem -> ../../archive/example.com-0001/privkey1.pem
 
./letsencrypt/renewal: 
total 12K 
Jul 19 11:56 .
Jun 16 18:10 ..
Jul 19 11:53 example.com.conf

When you “renewed” the certificate on 07/19/2016, you added a new subdomain. For the email notification system this means it’s a “new” certificate, i.e. there has not been one renewed with exactly the same certificate details, hence it emails you about the expiry of the certificate which has not been “renewed” in exactly the same form.

As for the folders, the ones in “live” are the latest versions - they will contain symlinks to the appropriate archive.

I’m not sure if the “example.com” or the “example.com-0001” is the one you are really using - I’m guessing that it’s the “example.com-0001” set, because you created a new cert, based on the same domain, but didn’t use the “-expand” option to add the additional subdomain, but rather created a new cert with a new list of domains / subdomains.
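
As an added illustration (not part of the original post or of the Let's Encrypt client), this Python sketch resolves the symlinks under live/ to show which archive files each lineage currently uses and which archive files no live/ link points at. The function names and the build_sample helper are hypothetical; the sample tree is constructed from the listing in the topic, with empty placeholder files.

```python
import os
from pathlib import Path

def live_targets(config_dir):
    """Map each lineage under live/ to the archive files its symlinks resolve to."""
    root = Path(config_dir).resolve()
    result = {}
    for lineage in sorted((root / "live").iterdir()):
        if lineage.is_dir():
            result[lineage.name] = {
                link.name: link.resolve().relative_to(root).as_posix()
                for link in sorted(lineage.iterdir()) if link.is_symlink()
            }
    return result

def unreferenced_archive_files(config_dir):
    """Archive files that no live/ symlink currently points at."""
    root = Path(config_dir).resolve()
    used = {t for links in live_targets(root).values() for t in links.values()}
    every = {p.relative_to(root).as_posix() for p in (root / "archive").rglob("*.pem")}
    return sorted(every - used)

def build_sample(root):
    """Constructed tree mirroring the listing in the topic (empty placeholder files)."""
    root = Path(root)
    latest_version = {"example.com": 2, "example.com-0001": 1}
    for lineage, latest in latest_version.items():
        (root / "archive" / lineage).mkdir(parents=True)
        (root / "live" / lineage).mkdir(parents=True)
        for kind in ("cert", "chain", "fullchain", "privkey"):
            for n in range(1, latest + 1):
                (root / "archive" / lineage / f"{kind}{n}.pem").touch()
            # Same relative targets as shown in the listing
            os.symlink(f"../../archive/{lineage}/{kind}{latest}.pem",
                       root / "live" / lineage / f"{kind}.pem")
    # Extra files present in the listing that have no live/ symlink
    for n in (1, 2):
        (root / "archive" / "example.com" / f"full_cert{n}.pem").touch()
    return root
```

A file that no live/ symlink references, such as full_cert2.pem here, may still be read by other tooling on the host, so the second list is a report of what live/ does not use rather than a deletion list.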

Hello serverco,

So the expiry notice does not refer to the renewed Cert? Or is it in this case not a renewal, but a completely new one? Hence the two different folders?

I have edited the folder and file list in the topic. More details are now visible there, such as the dates and symlinks. Please have a look.

The email expiry notification is done from letsencrypt, and knows nothing about the folders set up on your server. It purely goes on the dates, and details, of certificates you asked for.

Since you got a completely new certificate, not a renewal, then yes - it's telling you the original certificate is up for renewal. You can just ignore the email.

Correct, since you created a new, slightly different certificate (different subdomains) then it created a new folder.

Can you include your domain name please, then I can look at dates etc.

If I remember correctly, I added a new subdomain to the web host account. Then I had the Cert renewed, but the new subdomain was not included in the Cert. Then I deleted the Cert (I think) and reinstalled it.

I would rather not post my domains in support forums. Sorry. Can you tell me where I can find the dates? And how and where can one see which key accesses the Cert? I checked in Firefox and Chrome, but it cannot be seen there.

My next question would be: How do I delete a subdomain from the Cert?

To examine the certificate for a live site from Firefox, visit the site, then click the small (most likely green) padlock near the top left of the browser, there should be text saying “Secure Connection” and a right-pointing arrow. Click this to display a small window about the security, and click “More Information” from there to see a big window of information.

The new bigger window has a button “View Certificate” and from the certificate view you will see the “Period of Validity” for the certificate presented by the site you’re visiting, as well as a serial number, and other details.

Certificates are signed documents, so you can’t delete things from them. But Let’s Encrypt is happy (subject to rate limits) to create and sign a new certificate for you, which contains whichever set of names you want so long as you can (as you did previously) prove you control those names. You can do this for more names, or less names, or just different names, but once again there are rate limits, so please don’t do this more often than necessary.

Oh, I have already checked that. It is the expiration date as I wrote in the topic, 17/10/2016.

But if every time a new Cert is issued, then that is still very confusing. I think it’s already confusing that there are several files, some of which are apparently outdated, so data trash.

[quote="serverco, post:4, topic:19539"]
The email expiry notification is done from letsencrypt, and knows nothing about the folders set up on your server. It purely goes on the dates, and details, of certificates you asked for. [/quote]
I do not understand that. But the certificate is stored on (my) webspace after it has been created by Letsencrypt. The expiration date is stored there. Or where is the expiration date stored?

I have created a whole new certificate. So, I deleted all Letsencrypt folders and files on a (different) webspace and then created a new certificate. Now I still get "expiration notice" emails from Letsencrypt with the old expiration date.
What's going on there?

Where is the expiration date stored?

When you obtain a certificate from Let’s Encrypt, they retain the time and date of the certificate and when it will expire.

If you renew exactly the same certificate (the same domain names etc), then they will update their data for expiry date.

If you do not renew, or you obtain a certificate with different domain names on it (maybe just add an extra subdomain), then the expiry date in Let’s Encrypt’s records is not updated, and you will get an email telling you it will expire.

Aha. So only with a real “renew” will the certificate expiration date be renewed. If I delete and subsequently re-create the certificate, the old expiration date is maintained? But then how do I get the expiration notices for the new certificate?

Before creating a new certificate, I had deleted both the folders and files of the old certificate and also the imported old certificate.
The new certificate had other domains / subdomains.

Where is the expiration date stored?

Maybe let me try to explain and see if it’s clearer this way.

The certificate is a signed (electronic) document, with the start and expiry dates (called notBefore and notAfter in the X.509 terminology of the certificates) written in that document. Maybe a bit like a permit from the government? To “renew” a certificate, Let’s Encrypt in fact makes a completely new document, with later dates in it, and signs that. So a “renewed” certificate has the same names in it, just different dates.

Certificates are public documents, Let’s Encrypt gives a copy to you, and they send a copy to the Certificate Transparency logging system, and they keep a copy. And of course when anybody visits your SSL/TLS server, you give them a copy too. If you delete your copy, the other copies still exist, and this is not a problem.

Now, as a service to its subscribers, Let’s Encrypt makes a separate note (not in the certificate but in a database they keep) when anybody obtains any certificate, remembering exactly what names were listed in the certificate and when it will expire. Every day they look to see if there are any combinations of names for which they issued a certificate 80 days ago (for example), but none since then. They reason that if this happens, the certificate was not renewed, and if they know the email of the person who asked for that certificate, they send out the “expiration notice” to warn them in case they needed that exact certificate.

They do not try to figure out if you meanwhile got some other certificates for similar names. Only certificates with the exact same set of names are counted as “renewals” in this calculation. So if you know that you meanwhile asked for and received a certificate with slightly different names (maybe more, or less, or just a bit different), then you will receive the expiration warning for the old certificate, but it need not worry you. If by accident the new certificate with the different names in it is allowed to get close to expiring, Let’s Encrypt will send email about that too.

I hope this helped.

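
The bookkeeping described in the post above, as an added Python sketch that is not Let's Encrypt's own code: issuances are grouped by their exact set of names, and a notice is due only when the newest certificate for a set is close to expiry. The function name, the `warn_days` threshold and the name list of the first certificate are assumptions for illustration; the dates follow the topic.

```python
from datetime import date, timedelta

LIFETIME = timedelta(days=90)  # certificate lifetime used in the topic

def expiry_notices(issuances, today, warn_days=20):
    """Return (names, expiry, days_left) for every exact name set whose newest
    certificate expires within warn_days. warn_days is an assumed threshold."""
    newest = {}
    for issued, names in issuances:
        key = frozenset(n.lower() for n in names)  # exact set of names, order ignored
        newest[key] = max(newest.get(key, issued), issued)
    notices = []
    for key, issued in newest.items():
        expiry = issued + LIFETIME
        days_left = (expiry - today).days
        if 0 <= days_left <= warn_days:
            notices.append((sorted(key), expiry, days_left))
    return sorted(notices, key=lambda n: n[1])

# Constructed records: the first name list is assumed, the second matches the
# alternative names shown by list-certificates in the topic.
ISSUANCES = [
    (date(2016, 6, 16), ["example.com", "www.example.com"]),
    (date(2016, 7, 19), ["example.com", "blog.example.com", "www.example.com"]),
]

# The same history with a true renewal: identical name set, later date.
RENEWED = ISSUANCES + [(date(2016, 7, 19), ["www.example.com", "example.com"])]

if __name__ == "__main__":
    for day in (date(2016, 8, 25), date(2016, 9, 4), date(2016, 10, 7)):
        print(day, expiry_notices(ISSUANCES, day))
    print("with exact renewal:", expiry_notices(RENEWED, date(2016, 8, 25)))
```

Adding blog.example.com creates a different name set, so the June certificate still triggers notices; only the entry in `RENEWED`, with exactly the same names, suppresses them.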
