Certificate expired notification

strarsis · May 18, 2021, 6:53pm

Currently one receives certificate expiry notifications that inform about an impending certificate expiration. It would be nice and very helpful to also receive certificate expired notifications for certificates that actually expired and don't work anymore.

Related GitHub discussion (closed in favor of discussion here):

github.com/letsencrypt/website

Expired certificate notices

opened 07:52PM - 12 May 21 UTC

closed 08:57PM - 12 May 21 UTC

strarsis

I am not sure whether this issue fits this repository and topic, so please give …me a pointer to the right place if it doesn't. Currently certificate expiration warnings are emitted a number of days before a LE certificate expires. But I don't think I see those expiration notices _after_ a certificate already expired, is that true that there isn't such a notification yet? Though I am already using some HTTPS monitors, such a feature would be still very useful, as in the past I had some issues with the certificate renewal and an expired certificate results in a negative warning/message for the visitors.

petercooperjr · May 18, 2021, 7:11pm

Well, according to their documentation, notices are sent at 20, 10, and 1 day before expiration. (Though in practice, I've only seen the 20 and 10 day notices myself, even for certificates that I didn't renew, but much of my testing is in the staging environment.) If by that point it hasn't been renewed, it's more likely to be the case of the certificate not being needed anymore (due to a site no longer being used, or due to a new certificate that exists but has more or fewer domain names on it) than the case of somebody got the earlier emails but didn't actually check that their automatic renewal was working right.

I guess I wouldn't really object to an additional notice at 0 days left or day-after-expiry, but I don't really think it would help many people. I'd rather effort on improving expiry notification be spent on making the notices better (like not sending at all if new certificates exist for the each name in the expiring cert even if it's not quite the exact same list of names). And even better would be improving the popular ACME clients such that if they were failing renewing day after day to be able to better alert server administrators.

strarsis · May 18, 2021, 7:56pm

Yes, I agree that it would be fine, as a compromise between Let's Encrypt becoming some kind of HTTPS monitor and not knowing whether renewal failed, to let LE emit one last expiration notification after the certificate definitely expired.

As a last line of defense a HTTPS monitor can be used. Sadly there aren't free HTTPS ones (the free tiers usually either only check over HTTP or don't check the certificate validity). The self-hosted HTTP(S) monitors also aren't really well-maintained.

Osiris · May 18, 2021, 8:36pm

What difference would that make compared to the current expiration e-mails? As if a sysop reading the "Your certificate is going to expire TOMORROW" would think "Meh... Let's wait.." and a day later reading "Your certificate has expired" thinking "OMG OMG I need to do something now!"?

That's a little bit weird.

In my opinion, any extra expiry e-mail is superfluous. It does NOT add anything functional to the already existing e-mails: the current e-mails are plenty.

griffin · May 18, 2021, 8:38pm

Death is coming... 20 days
Death is coming... 10 days
Death is coming... tomorrow
Death has come. Obituary?

system · June 17, 2021, 8:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.