We’re using a very old version of cert-manager, 0.5.2 to be exact. Today we found out that all versions less than 0.8.0 started being blocked on November 1st. This is negatively impacting our customers as we are a web hosting provider. New certificates requested as well as old certificates expiring aren’t getting renewed. We will be upgrading to the latest version of cert-manager immediately.
The reason for my post is that after reading the blog post that detailed the change I realized that we never got an email with the warning. I’ve confirmed that we provided the correct email when configuring our ACME account and was wondering why we never received the emails from Let’s Encrypt.
If I’m guessing your affiliation correctly, it looks like we did include you. Is it possible your spam filter caught our e-mails, or that you had unsubscribed from them in the past?
That’s a possibility. I regularly check for spam though, and can’t remember having seen emails from Let’s Encrypt. As for having unsubscribed in the past, it’s a possibility one of our engineers might have done that. Would it be possible to get resubscribed?
According to our ESP, all of our recent e-mails to your account’s contact address were soft-bounced. Unfortunately, they don’t give more detail (like the actual bounce message), so that’s all we’ve got to go on. Your best bet may be to modify your ACME registration to use another e-mail address.
We’re careful not to give or (dis)confirm user data here - even in private messaging, since your forum account isn’t authenticated against your ACME registration. Sorry about that!
If that’s the same e-mail address, I see it’s hosted with Google Apps. Our deliverability to there is usually very good.
Since our notification e-mails are sent using a controlled internal API, we can’t easily send you a representative test message that would match a real message’s source or content.
This is a tough one. We might have both done as much troubleshooting as we can. We’ll keep thinking this over on our side. In any case, switching to another e-mail address will probably work around whatever the problem is.
I’m afraid not - but if you have a cert under your ACME registration that’s about to reach 30 days before expiration, and you hold off renewing it, that will trigger a reminder e-mail.
Ok, I’ll configure a test certificate to expire in 24 hours and will have cert-manager only attempt to renew when there’s 1 hour left. Should this be enough to get notified?
We always issue for 90 days and it’s the cert’s real expiration date (not cert-manager’s internal state) that will trigger e-mail from our side, unfortunately. So, in order to trigger an e-mail, you’d need to identify a current certificate with the right date, and keep it from auto-renewing as soon as it usually would.
This might not be worth the effort for you. It’s very rare for us to block clients; if you keep up with cert-manager releases and watch our API Announcements topic here, you should be in good shape.
Gotcha. That sounds like a good compromise. We’ve upgraded cert-manager to the latest version and everything’s running smoothly. Thanks for all the help!