Cert expired but no email


#1

I had a cert expire yesterday but I never received an email. I had an issue when I tried to automate it before so I was waiting on the first warning email to run another test.


#2

Maybe you typo’d the email address? Or also, maybe the renewal was successful but some other aspect of your automation failed?

In the latter case, newer certificates would appear in the CT logs, and thus on https://crt.sh/ even though they weren’t installed on your server.


#3

No, my email address is correct and I’d received the warning emails for the previous expiration period, and I had disabled the automation during the previous cycle.


#4

Probably some overzealous spam filter? I’d strongly recommend monitoring the certificate lifetime of your actual site (there are various plugins for monitoring software, as well as free services for that purpose). Mails do get lost, and the check only works by looking at Let’s Encrypt’s records of certificates issued for your domain(s), as opposed to actually trying to connect and looking at the expiration dates.
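One way to run the check this post describes, connecting to the site and reading the expiry date of the certificate it actually serves, shown as an added example that is not part of the original thread. The 20-day warning threshold and the host names given on the command line are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 20  # assumed threshold; set it below your renewal interval


def days_left(not_after, now=None):
    """Whole days until the certificate's notAfter (negative once expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def classify(days, warn_days=WARN_DAYS):
    """Map remaining days to a monitoring status."""
    if days < 0:
        return "EXPIRED"
    return "WARN" if days < warn_days else "OK"


def check_host(host, port=443, timeout=10):
    """Connect as a client would and report on the certificate actually served."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An expired (or otherwise invalid) certificate fails the handshake,
        # so there is no notAfter to read; report the verifier's reason.
        return "INVALID", exc.verify_message
    except OSError as exc:
        # DNS failure, refused connection, timeout, other TLS errors.
        return "ERROR", str(exc)
    days = days_left(cert["notAfter"])
    return classify(days), f"{days} days left (notAfter {cert['notAfter']})"


if __name__ == "__main__":
    failed = False
    for name in sys.argv[1:]:
        status, detail = check_host(name)
        print(f"{status:8} {name}: {detail}")
        failed |= status != "OK"
    sys.exit(1 if failed else 0)
```

Run from cron or a monitoring agent, the non-zero exit status on anything other than OK is what triggers the alert, independent of any expiration e-mail.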


#5

I thought at first it might have been caught by my spam filter, but that turned out not to be the case.

I need to correct the automated renewal and was putting it off until I got the first warning email.

I’m just letting people know that the expiration warning emails seem to be broken in case they were also doing the renewals manually for some reason. The last time I did get the warning emails even after renewing. Maybe whatever was done to fix that broke something else?

Do you have any recommended tools to monitor expiration? That’s something I definitely want to add.


#6

There are a number available. I use https://github.com/srvrco/checkssl


#7

The expiration mailer used to send out warnings even if you’ve already renewed a certificate with the same domain(s). That was fixed a couple of weeks back. Is that what you’re describing, i.e. you got as far as issuing the certificate, but the deployment automation was broken? Have you used crt.sh to search for other certificates for your domain(s) like @tialaramex suggested?


#8

No, I messed up on the previous renewal so had disabled it with the intention of fixing it when I got the first warning email for this renewal, so no renewals were attempted this time.


#9

Hello, I saw you had an issue with automating the renewal process. I wrote a Python script that works well for me; here is my GitHub if you’re interested: https://github.com/arist0v/LetsEncryptAutoRenew

If set up the way I use it, it renews the cert every 60 days, then sends you a report e-mail on the renewal (so you can see if something fails, or if a service didn’t reboot as expected after the renewal).

Hope it could help you!


#10

I had the same issue, cert expired earlier this month and I never received an email.

I’m certain my email address is correct, so I’m not sure why this failed. Yes, I checked spam filters as well, nothing.


#11

Did you look up your domain on https://crt.sh/ to verify that no certificates were issued more recently?


#12

Yes, I see only one result, the original certificate issued Mar 3. I assume the renewal I just did tonight will show up soon.