Certificate expiration notice with IP

Would it be possible to include the IP with the domain in certificate expiration notices to avoid confusion over similar domains on multiple servers, please?

While I cannot say anything related to your actual feature request, as I'm not a Let's Encrypt employee (just a community volunteer), please note that the expiration emails should not be relied on from a professional perspective. They are sent on a best-effort basis. Rather, you should rely on your ACME system to automatically renew your certificates, and your ACME system should also be able to notify you of any issues. Expiration emails from Let's Encrypt should only be an indication that something is severely wrong with your system.

5 Likes

Do you mean the IP that requested the cert? Or the IP that is currently using the cert?

Because LE doesn't check where you use a cert. It can't do that in all cases anyway.

I agree with Osiris though that you should be monitoring your active certs. There are many services that can check from the public internet. Or devise your own.

7 Likes
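One way to do the kind of self-devised check described above, added here as an example that is not from this thread or from Let's Encrypt's tooling: it connects to each server IP with the domain as SNI and reports the serial, DNS names and days until expiry of the certificate that server actually presents, which is what tells several servers with one name apart. The hostnames and IPs are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone


def summarize_cert(cert, now=None):
    """Reduce the dict returned by SSLSocket.getpeercert() to the fields
    that identify a deployment: serial, DNS SANs and days until expiry."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = (not_after - now).total_seconds() / 86400
    return {
        "serial": cert.get("serialNumber"),
        "dns_names": dns_names,
        "not_after": not_after.isoformat(),
        "days_left": round(days_left, 1),
    }


def fetch_cert(host, ip=None, port=443, timeout=5.0):
    """Connect to a specific IP while sending `host` as SNI, so the cert
    served by that particular server for that name can be inspected.
    The default context verifies the chain and hostname; a server that
    presents a cert for some other name raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip or host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_servers(host, ips, warn_days=14):
    """Return one report line per server IP; flags certs expiring soon
    and servers whose cert does not validate for `host`."""
    lines = []
    for ip in ips:
        try:
            info = summarize_cert(fetch_cert(host, ip))
        except ssl.SSLCertVerificationError as exc:
            lines.append(f"{ip}: cert does not verify for {host}: {exc.reason}")
            continue
        flag = " EXPIRING SOON" if info["days_left"] < warn_days else ""
        lines.append(f"{ip}: serial={info['serial']} names={info['dns_names']} "
                     f"expires={info['not_after']} ({info['days_left']}d){flag}")
    return lines


if __name__ == "__main__":
    # Placeholder name and IPs; replace with the servers you operate.
    print("\n".join(check_servers("www.example.com", ["192.0.2.10", "192.0.2.11"])))
```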

I agree. However, I've just had three servers all with one domain name. I've checked the real one but would have liked an indication as to which server it referred to, to reduce my investigation time.

Either, really, but the request IP would suffice.

I already have a certificate checking device installed but I also look at alternative notifications - eg the LE notice.

IMHO this is a pointless and bad idea for the reasons @MikeMcQ noted above, in addition to other facts like:

  1. Certificates are bound to a name, not an IP
  2. The DNS-01 challenge never knows the IP address of a web server

I don't believe this information would even be available for a large percentage of users.
I don't believe this information would be useful to most users when the information is available.

6 Likes

Fair enough. Only a suggestion. Thanks for considering it.

3 Likes

You shouldn't get multiple certs for the same set of domains anyway, and you will only get an expiration notice for the latest one anyway. If you're using several machines to serve your site, best practice is to set up something to copy them over after creation.

1 Like

Thanks, I know about that.

The actual circumstances are: a web server failed; I ran up a new server with new certificates (unable to kill the old ones; no access). I have since received notifications for the old server but have had to track down which server the notifications applied to. I now understand it is unlikely that the IP would be available for this.

1 Like

Unless the key was compromised, there is no need to

4 Likes

I don't mean to sound argumentative but those "new" certificates must have had completely different set of domain names in them. Because if they had been identical it would have looked like a renewal and you would not have seen any expiry email.

Some people with small "clusters" like yours get a unique cert on each of their servers, making a DNS entry for each one's hostname or other ID and adding that to the cert they get. The expiry email lists all the domains in the cert, so it would be easy to identify which server it applied to.

5 Likes

I'm afraid it doesn't. At least, I don't think so. It mentions something like "example.com (and 5 more)".

I don't think that's a good idea, but LE must have their reasons.

1 Like

I have to disagree. Below is a (modified) snip from an expiry email to me from staging in April 2024:

Details:
DNS Names: backup1.example.com
backup2.example.com
main1.example.com
main2.example.com

I have one from production July 2023 and it listed two although not formatted quite the same as the one from staging more recently.

Perhaps if there were a large number of domains it would truncate as you show. I have never seen that personally.

3 Likes

Hm, I can't find such an expiry mail myself indeed. What am I mistaken about then, I'm wondering 😛

1 Like

That's what it says in the mail's subject line, so you're not wrong. It does list more domain names in the mail body, though.

Yup, the mail templates Let's Encrypt uses were originally public, but unfortunately they no longer seem to be. There is (obviously) a difference in the templates between staging and production, but the variables are filled in the same way for both environments.

Looking at the code, we can see that it aggregates multiple soon-to-expire certificates for the same account. This can result in a lot of domain names, so the mail only lists the first 100 DNS names affected. If you have lots of expiring certificates or a few with lots of names, the mail may omit some, yes.

8 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.