The above two domains appear to be hosted on a DigitalOcean IP I had last year. I’ve just started getting certificate expiring messages for them, but they aren’t my domains and I’ve never requested certificates for them. I’m assuming the person getting the IP after me from DigitalOcean wouldn’t know the email address of the previous owner of that IP, so it appears LE is automatically assigning my email address to domains from an IP address I’ve previously used. Is this how it works or is there something else going on here?
Is it possible that what those domains have in common with yours isn't a DigitalOcean IP, but a current or past Plesk installation? It's a long shot, but that's a surprising issue that we've encountered before with expiration e-mails:
This is quite bizarre, then. Expiration e-mails are tied to your ACME registration (account), never based on IP addresses or any kind of auto-discovery. Could you please post one of your own domains? We won’t be able to disclose account information, but that might help us look into the cause.
If you indeed used that system to get any LE certs…
It sounds like the system was reused without a complete wipe (extremely bad practice).
[leaving some cert settings behind - like your email address]
I’ve opened a support ticket with DigitalOcean to investigate, but in a few years of using them and a few hundred servers created I’ve never gotten a server that wasn’t freshly imaged.
I’ve confirmed that this doesn’t look like a bug on our end. I’ll be very curious to hear what, if anything, you find out; please follow up if you can. Thanks for bringing this to our attention!
Thank you for your time looking into it. DigitalOcean has said there is no way it could be on their side as all servers are given freshly wiped disks when imaged.
So unfortunately I don’t think this will be solved. Is it possible to see all the certificates linked to my email address somehow and invalidate/block the ones that aren’t mine?
Unfortunately, we don’t have ways to unsubscribe from some expiration e-mails and not others, or to remove your e-mail address from an ACME account for which you don’t control the key. Unsubscribing from all expiration e-mails, or manually filtering ones that mention unwanted domains, may be your best bet.
I’m sorry about that, and thanks again for bringing this up. We try to keep these corner cases in mind for future improvements.