(This is more a general question where the pre-filled form does not apply)
I have a few certificates that I had previously created and then either abandoned, deleted, or otherwise rendered defunct. I am now receiving "expiration reminder" emails about them. While I realize I could simply ignore these emails, that is a bad habit to form, especially since some of these are the same name as a cert that was re-created for the same domain. I'd prefer to be able to "clean up" this reminder list.
So, my question is perhaps twofold:
Is there a way to see a canonical list of what Let's Encrypt thinks are my currently-valid certs, and if so, is there a way to prune this list if some of these certs have been deleted (etc.)?
What is the "proper" way to delete/abandon a certificate and not get renewal reminder emails for it? Consider a situation where the certificate information may have been lost (e.g. drive failure, etc)
Let's Encrypt won't send reminders for revoked certs, IIRC. But ordinarily, the only reason you'd want to revoke a cert is compromise of the private key. But LE has no way of knowing if you've deleted a cert, and thus you get the reminders--three of them.
You can use a tool like this (link here) to see your cert history. Although, Let's Encrypt won't know what you consider "currently valid". That is, is the cert expiring because you don't need it anymore or is it expiring because of a failure to renew it? Only you can know that.
There are only two warning emails. One 20 days and one 7 days before expiry. They will not persist like often happens with paid certs.
Currently, Let's Encrypt indeed has no way of knowing whether a certificate is no longer needed.
In the future, this may become a possible use case for ARI. Clients like certbot could use ARI to set the certificate's replaced status to true when
expanding or shrinking an existing certificate
deleting a no longer needed certificate
The ACME server (Let's Encrypt) could then use this information to stop sending renewal reminders for the affected certificates.
Note that Let's Encrypt does not currently implement this functionality (updating cert replacement status), so even if a client would do this, it wouldn't work as of today. But in the future this may become a viable workflow to enhance the renewal mailer.
I definitely don't want to unsubscribe from the notifications, but I also do not like "ignoring" notifications. As I said, that is a terrible habit to get into, as you become de-sensitized to them. I want my notifications to mean something.
Anyway, the main issue in my case was some certificates had been created either standalone or with the "wrong" plugin, and I believe I had simply deleted them via certbot. Yes, I now realize that is not the correct thing to do, but I didn't at the time. (I now also know you can just go in and edit the conf file for renewal, etc)
I just want to know if there is a way to get a list of certificates associated w/ my specific email/account, and then be able to "prune out" those that I know are defunct. (I realize LE has no way to know; this is why I want to be able to prune this myself.) I suppose this might need some sort of authentication, however, since the fingerprint/etc. for some of the defunct certs may not be available any more (e.g. in the case of deletion or a drive failure, etc.). I'm only mentioning that because I realize it might be hard to provide this functionality w/o a bad actor going in and disabling reminder emails for actually-in-use certs.
ANYWAY - if the current answer is "no", I will obviously just "deal with it". It would be interesting to explore the ability to do this, but like I said above, I suppose it might be tricky.
Perhaps adding more detail into the email address used.
Each cert can have its own email address.
Which all can reuse the exact same email address.
hmm... Then how is that unique?
The magic happens with a small trick called Plus Addressing (a.k.a. Disposable Email Addresses)
Where one single email address can be "shared/re-used/sub-divided/overloaded" in countless ways. user@example.com
Can become:
user+server1@example.com
user+acme2@example.com
user+April2023@example.com
user+client4@example.com
user+testing5@example.com
user+random6@example.com
...
And all will land in the same email inbox: user@example.com
Any one of those can be unsubscribed without affecting any of the others.
This is an interesting solution, assuming your email provider supports sub-addressing (most should).
THAT said, I would need to remember to change my email address each time I register a cert for a new domain. Not impossible, but just something to remember
Does email address used for cert two update the email address already entered for cert one?
So that there can only be one email address per account?
Or is there one email address remembered per issued cert?
Heh - yeah, that makes things a bit more untenable; having to essentially create separate accounts per cert.
I'm still trying to think if there is actually a clean (safe/secure) way to present all the registered certs to an accountholder, and let them select/deselect ones they want reminders for. Hmm...
There are many cert monitoring services available. You can even develop your own.
This wouldn't rely on the Let's Encrypt emails. They also ensure the systems you set up are running correctly, which is something you don't get with the LE emails. Sometimes people renew their certs correctly but don't update their web service, so they eventually get an expired cert error.
You basically list the domain names you want to monitor. Then you, or the service, connect to that domain and check its cert. You set up how/when you want to be alerted (cert expiry, domain access failure, timeouts, ...).
The title of this thread is "reminder email for deleted/defunct certs". With a monitoring tool you wouldn't have to care about those. You just monitor the ones that should be active and the defunct ones will just expire naturally.
I suppose I should have entitled this "controlling/tailoring reminder emails from LE..."
My question was really about the ability to tailor said emails.
I already do my own monitoring, but certs expiring is a pet peeve of mine, so I'd prefer additional reminders if possible. But, I don't want "noise" (notifications for defunct certs).
I guess my point is: I wasn't wanting to disable the LE alerts, but just "clean them up".
But I understand that's not really possible right now, so that's fine. All good
Yes, thank you; I know
I was just explaining to the other respondent that that's what I had meant when I was writing this post.
It had seemed clear enough since others had responded as I had expected (since I explain in the post what is going on), but I will edit it to make sure it's clear to everyone who might choose to only skim the content of the post.
Noise is inevitable.
This tends to usually happen at the start of a new cert - i.e. testing not being done in test environment.
And definitely at the end of cert use.
Maybe keeping a list of what is expected [and when] could ease your mind when those notifications arrive.