Erroneous expiration notifications - cancel them

Hello,

From https://letsencrypt.org/docs/expiration-emails/

“If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed”

These notifications are somewhat confusing.

Wouldn’t it better to be find a way to prevent those notifications from being sent? Ideas:

  • let the user notify that a particular certificate has been superseded

  • let the user cancel the notifications for that particular certificate only

2 Likes

This may be a helpful “feature”.
Something like:
--supercede cert-name
--replace cert-name

[not sure how long that would take to implement nor if can even be done - but it would be a cool +]

1 Like

The ACME protocol doesn’t have support for this information, so there’s no way for Certbot or other clients to convey this relationship to the CA. (Certbot’s notion of renewal or of modification of certificate coverage, and in general of the relationship between successive versions of a certificate, is 100% client-side.)

But maybe it would be an improvement to have two different messages, one for the case where the expiring certificate doesn’t have any name coverage overlap with other certificates, and another for the case where there is a newer overlapping certificate. The latter message could say something like

You may have replaced this certificate with the newer certificate X, which was issued on Y. But if you’re still using the older certificate anywhere, you’ll need to replace it before it expires.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.