Erroneous Let's Encrypt Expiration

I have never heard of Let’s Encrypt before, and don’t believe that I have ever signed up to it, or knowingly installed it. I have an e-mail account as md@innovotion.net, and it has stopped updating to my iPhone, and I get the message “The identity of mail.innovotion.net cannot be verified by e-mail” on my iPhone, every few seconds. When I go into the details, it says “Not trusted, Expired 29/10/17.” When I go into “More details” it says “Not valid before 31/07/2017 21:19:00.” Now, if I had uploaded or switched on Let’s Encrypt encryption just a few months ago, I would remember it, but I didn’t. So what has happened? Could it have happened under the guise of something else - McAfee for example? Or might someone have hacked my e-mail account and switched the encryption on?

Hi @Clive64,

The error message you’re seeing is because innovotion.net (not you) uses Let’s Encrypt services, and the administrators have made a mistake in failing to renew their certificate. As a consequence of their mistake, your software is warning you about the invalid certificate. This can only be fixed by the administrators of that service. If you have a way to get in touch with them, they should be able to take care of this.

3 Likes

Well… It wasn’t a few months ago. It was a year ago. I don’t know whether they’ve been used, but certificates have been created and renewed (probably automatically) for that long.

Some names in innovotion.net started 2016-10-21:

https://crt.sh/?q=%innovotion.net

And mail.innovotion.net was added 2016-11-09:

https://crt.sh/?q=mail.innovotion.net

Let’s Encrypt certificates are valid for 90 days. It’s common to automatically renew them every 60 days, with some leeway in case something goes wrong and needs to be fixed.

That’s about what your system was doing, until the most recent certificate was issued 2017-07-31. It should have been renewed about 2017-09-29, but it has yet to happen. Instead it was left to expire a few days ago.

Either this was all a carefully managed manual process, and someone’s forgotten, or the automated process broke for some reason. I’d guess that maybe one of the (sub)domains expired, or was disabled, or its configuration was changed, leaving the ACME client unable to automatically renew the certificate without configuration changes.

Your systems administrators should investigate the ACME client’s logs and see what’s up.

2 Likes

Hi @Clive64,

I agree with @schoen and @mnordhoff: you should talk to Krystal Hosting to find out what is happening, but I think the certificate has not been renewed because the cert covers the following domains:

innovotion.biz
innovotion.net
mail.innovotion.biz
mail.innovotion.net
www.innovotion.biz
www.innovotion.net

And as far as I can see, innovotion.biz and its subdomains point to another IP (not the same IP your .net domain uses), and the web page says the domain has expired, so I think your hosting company is trying to renew the cert with all domains but it gives an error because of this biz domain.

So, contact your hosting company.

Good luck,
sahsanu

4 Likes
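The renewal timing and the multi-name failure discussed in the replies above can be checked mechanically; the following is an added example, not code from any forum participant or from Let's Encrypt. It computes the 60-day renewal point and 90-day expiry from the issue time quoted in the thread, and lists certificate names whose DNS no longer reaches the server that runs the ACME client. Assumptions: the function names are hypothetical, the IP addresses are constructed from documentation ranges, the issue time is treated as UTC, and HTTP-based validation is assumed.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)     # certificate validity stated in the thread
RENEW_AFTER = timedelta(days=60)  # common renewal point stated in the thread


def renewal_window(not_before):
    """Return (renew_due, not_after) for a certificate issued at not_before."""
    return not_before + RENEW_AFTER, not_before + LIFETIME


def status(not_before, now):
    """Classify the certificate as 'ok', 'renewal-overdue' or 'expired'."""
    renew_due, not_after = renewal_window(not_before)
    if now >= not_after:
        return "expired"
    return "renewal-overdue" if now >= renew_due else "ok"


def names_blocking_renewal(san_ips, server_ip):
    """List SAN names whose DNS no longer reaches the host running the ACME client.

    Assumes HTTP-based validation: every name on the certificate must validate,
    so a single stray name fails the renewal for all of them.
    """
    return sorted(n for n, ips in san_ips.items() if server_ip not in ips)


# Issue time quoted in the thread (time zone assumed UTC).
NOT_BEFORE = datetime(2017, 7, 31, 21, 19, tzinfo=timezone.utc)

# Constructed DNS answers using documentation address ranges; the thread gives no IPs.
SERVER_IP = "192.0.2.10"
SAN_IPS = {
    "innovotion.net": ["192.0.2.10"],
    "mail.innovotion.net": ["192.0.2.10"],
    "www.innovotion.net": ["192.0.2.10"],
    "innovotion.biz": ["198.51.100.7"],
    "mail.innovotion.biz": ["198.51.100.7"],
    "www.innovotion.biz": [],  # constructed: name no longer resolves
}

if __name__ == "__main__":
    now = datetime(2017, 11, 1, tzinfo=timezone.utc)  # constructed check date
    due, expiry = renewal_window(NOT_BEFORE)
    print("renew due:", due.date(), "expires:", expiry.date(), "status:", status(NOT_BEFORE, now))
    print("blocking names:", names_blocking_renewal(SAN_IPS, SERVER_IP))
```

Run on a schedule against each served certificate, a check like this surfaces a stalled renewal during the 30-day leeway rather than after clients start rejecting the certificate.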
