Erroneous expiration notices


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.crowdwisers.com

I ran this command:

It produced this output:

My web server is (include version):apache 2.14.18

The operating system my web server runs on is (include version):Ubuntu 18.01.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

At least twice now I’ve received emails stating that my domains will expire on Nov. 20, which is incorrect. Looking at the certificates, they are good until Feb. 1

I’m assuming the certificate is canonical, and I can ignore the notices. However, it would be nice to get confirmation. I’m also curious about whether or not this is a known issue and what is causing it.

I’ve been using LE for years, without such issues, and have donated and written articles about the service to show my thanks.


#2

Hi @Esekla

checking your domain:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:mail.crowdwisers.com&lu=cert_search

mail.crowdwisers.com Let’s Encrypt Authority X3 4 22.08.2018 20.11.2018 3 View details
mail.crowdwisers.com Let’s Encrypt Authority X3 5 03.11.2018 01.02.2019 2 View details

You have one certificate with 4 domain names (expiring 20.11.2018) and one with 5 domain names.

So you don’t need to renew the certificate with 4 domain names, because you use already the other certificate.

So you can ignore the mail. See

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.


#3

Thank you for the speedy and detailed response!

If I’m understanding correctly, the expiration warning is being sent because the relevant domains for the older certificate do not exactly match those in the new one. However, the old ones are a subset of the new one, meaning that no domains are actually expiring. It seems that detecting that and not sending an expiration warning would be optimal behavior, unless I’m missing something.

Would you like me to put in a feature request, or is this topic enough?


#4

This issue has been brought up before… many times.
It is impossible to know where anyone is using a certificate (especially wildcard certs).
So, even though you have re-issued a newer cert for the same names (or more names), both certs are still valid.
LE can only alert you of active certs nearing expiration.

A better approach for you would be to have your specific sites monitored and be alerted when the active online cert is nearing expiration. So that if your cert gets renewed on time, you never get any alert/message.


#5

Yes, this is correct.

That may be correct. But it’s possible that the new certificate has a subset of the old certificate.

Old: A, B, C
New: A, B, D

Let’s Encrypt doesn’t know which certificate you use. Let’s Encrypt sees only: “This domain name set -> no renew -> send a mail”.
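The following is an added example, not code from this thread or from Let’s Encrypt. It models the rule quoted in #2 (a certificate counts as renewed only when a newer certificate has the exact same set of names) next to the looser "every name is still covered" rule asked for in #3, and runs both over the three cases discussed: a plain renewal, the superset case from #1/#3, and the A,B,C -> A,B,D overlap from #5. All certificate data is constructed (placeholder names, the two expiry dates from the thread); the 20-day warning window is an assumption for illustration.

```python
"""Model of Let's Encrypt's expiry-notice rule as quoted in this thread.

Added example; not Let's Encrypt's code. The warning window is assumed.
"""
from datetime import date, timedelta

WARN_WINDOW = timedelta(days=20)  # assumed first-notice window (illustrative)


def name_set(cert):
    # SAN order and case must not matter when comparing name sets.
    return frozenset(n.lower().rstrip(".") for n in cert["names"])


def newer_certs(cert, certs):
    # Any other certificate with a later expiry than `cert`.
    return [c for c in certs if c is not cert and c["not_after"] > cert["not_after"]]


def renewed_exact(cert, certs):
    """The documented rule: renewed only if a newer cert has the exact same name set."""
    key = name_set(cert)
    return any(name_set(c) == key for c in newer_certs(cert, certs))


def renewed_covered(cert, certs):
    """The behaviour suggested in #3: renewed if every name is in some newer cert."""
    covered = set().union(*(name_set(c) for c in newer_certs(cert, certs)))
    return name_set(cert) <= covered


def notices(certs, today, rule):
    """IDs of certs that would receive an expiry email on `today` under `rule`."""
    out = []
    for c in certs:
        expiring_soon = today <= c["not_after"] <= today + WARN_WINDOW
        if expiring_soon and not rule(c, certs):
            out.append(c["id"])
    return out


# Constructed sample data (placeholder names; dates taken from the thread).
BASE = ["example.com", "www.example.com", "mail.example.com", "smtp.example.com"]

# Plain renewal: same four names, different order.
CERTS_RENEWED = [
    {"id": "old-same", "names": BASE, "not_after": date(2018, 11, 20)},
    {"id": "new-same", "names": list(reversed(BASE)), "not_after": date(2019, 2, 1)},
]

# The superset case from #1/#3: 4-name cert, then a 5-name cert adding one name.
CERTS_SUBSET = [
    {"id": "old-4-names", "names": BASE, "not_after": date(2018, 11, 20)},
    {"id": "new-5-names", "names": BASE + ["imap.example.com"], "not_after": date(2019, 2, 1)},
]

# The overlap case from #5: C is genuinely dropped, so it really is expiring.
CERTS_OVERLAP = [
    {"id": "old-ABC", "names": ["a.example", "b.example", "c.example"], "not_after": date(2018, 11, 20)},
    {"id": "new-ABD", "names": ["a.example", "b.example", "d.example"], "not_after": date(2019, 2, 1)},
]

TODAY = date(2018, 11, 1)  # constructed "now", inside the window of 20.11.2018

if __name__ == "__main__":
    for label, certs in (("renewed", CERTS_RENEWED), ("subset", CERTS_SUBSET), ("overlap", CERTS_OVERLAP)):
        print(f"{label:8} exact-set rule: {notices(certs, TODAY, renewed_exact)}")
        print(f"{label:8} coverage rule:  {notices(certs, TODAY, renewed_covered)}")
```

Running it shows why the mail in #1 is sent: under the exact-set rule the 4-name certificate gets a notice even though the 5-name certificate covers all of its names, while the coverage rule stays quiet for that case. In the overlap case both rules send a notice, because name C loses coverage. Neither rule can tell which certificate is actually deployed, which is the point made in #4 and #5; only checking the certificate served by the live host answers that.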