Domain Renewal Email in Staging but our cert is PROD

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eks-dashboard.k8.myotp.rocks
The operating system my web server runs on is (include version): linux
My hosting provider, if applicable, is: AWS, managed Kubernetes

Received an email:

You issued a testing cert (not a live one) from Let’s Encrypt staging environment. This mail takes the place of what would normally be a renewal reminder, but instead is demonstrating delivery of renewal notices. Have a nice day!

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

Details:
DNS Names: eks-dashboard.k8.myotp.rocks
Expiration Date: 13 Sep 20 06:18 +0000
Days to Expiration: 20

My Kube Chart configuration is using letsencrypt-prod setup.

2 Likes

Does --dry-run appear in your renewal command?

1 Like

Your certificate looks fine. That email is probably referring to another, previous, certificate.

% openssl s_client -connect eks-dashboard.k8.myotp.rocks:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = eks-dashboard.k8.myotp.rocks
verify return:1
---
Certificate chain
 0 s:CN = eks-dashboard.k8.myotp.rocks
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = eks-dashboard.k8.myotp.rocks

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3251 bytes and written 413 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: BE4E03B717A49FB09CF6F15527FC25BBD272132C8041D2DB26CAE0854C18CD3E
    Session-ID-ctx: 
    Master-Key: 7D4AE8268961347D19C85738A4D87CCA9FA2F2CDF16F5DAEC53E6D15C15738771F0B9E9ED563D1D250E39F88ABC5E062
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:

    Start Time: 1598256213
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

DONE

It expires in November:

% echo | openssl s_client -connect eks-dashboard.k8.myotp.rocks:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 14 06:06:45 2020 GMT
notAfter=Nov 12 06:06:45 2020 GMT

2 Likes

If you added an email address to your staging account, then you will receive renewal reminders for staging certificates.

This is irrespective of whether you have certificates in production, or not. It’s totally independent.

When e.g. Certbot uses the staging server via --dry-run, it does not register an email address. As a result, typically, users do not receive renewal emails about staging certificates.

I’m not sure what your k8s ACME client does, but if it’s cert-manager, you could use a separate email address for the staging issuer, and then unsubscribe from those emails. Or just not provide an email address for the staging issuer, if possible.

Hope that clarifies the behavior @rodel.talampas.

3 Likes
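As an added example (not code from this thread, from Let's Encrypt or from cert-manager), the following Python script combines the two checks the answers above walk through: it parses the issuer and validity dates that `openssl x509 -noout -issuer -dates` prints for a served certificate, tells a staging issuer from a production one, and applies the renew-with-one-third-lifetime-left rule quoted from the reminder email. It assumes Let's Encrypt's staging issuers carry "Fake LE" or "(STAGING)" in their names; the production sample is the certificate from the thread, while the staging sample and the "today" date are constructed.

```python
"""Staging vs production Let's Encrypt cert check, plus the renew-at-1/3-lifetime rule."""
from dataclasses import dataclass
from datetime import datetime, timezone

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y"  # "Aug 14 06:06:45 2020" once "GMT" is split off
# Assumption: Let's Encrypt staging issuers carry "Fake LE" (older chain) or
# "(STAGING)" (newer chain) in their names; production issuers carry neither.
STAGING_MARKERS = ("(STAGING)", "Fake LE")

@dataclass
class CertInfo:
    issuer: str
    not_before: datetime
    not_after: datetime

def parse_x509_text(text: str) -> CertInfo:
    """Parse the issuer=/notBefore=/notAfter= lines `openssl x509 -noout -issuer -dates` prints."""
    fields = dict(line.partition("=")[::2] for line in text.splitlines() if "=" in line)
    def utc_date(key: str) -> datetime:
        stamp, tz = fields[key].rsplit(" ", 1)  # split off the trailing "GMT"
        if tz != "GMT":
            raise ValueError(f"unexpected time zone in {key}: {tz}")
        return datetime.strptime(stamp, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    return CertInfo(fields["issuer"], utc_date("notBefore"), utc_date("notAfter"))

def is_staging(info: CertInfo) -> bool:
    return any(marker in info.issuer for marker in STAGING_MARKERS)

def days_to_expiration(info: CertInfo, now: datetime) -> int:
    return (info.not_after - now).days

def renewal_due(info: CertInfo, now: datetime) -> bool:
    """Renew once a third of the total lifetime (30 of 90 days) remains."""
    return info.not_after - now <= (info.not_after - info.not_before) / 3

# Production sample: issuer and dates copied from the openssl output in the thread.
PROD_TEXT = """issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
notBefore=Aug 14 06:06:45 2020 GMT
notAfter=Nov 12 06:06:45 2020 GMT"""
# Constructed staging sample: expiry from the reminder email (13 Sep 20 06:18);
# the issuer name and the notBefore date are assumed.
STAGING_TEXT = """issuer=CN = Fake LE Intermediate X1
notBefore=Jun 15 06:18:00 2020 GMT
notAfter=Sep 13 06:18:00 2020 GMT"""
NOW = datetime(2020, 8, 24, 6, 0, tzinfo=timezone.utc)  # constructed "today"
if __name__ == "__main__":
    for text in (PROD_TEXT, STAGING_TEXT):
        cert = parse_x509_text(text)
        print("staging" if is_staging(cert) else "production", cert.issuer,
              days_to_expiration(cert, NOW), "days left;", "renew now" if renewal_due(cert, NOW) else "not yet due")
```

Running it shows the production certificate with 80 days left and renewal not yet due, while the staging one (20 days left) is already inside its renewal window, which is exactly the situation the reminder email describes.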