"Let's Encrypt staging environment certificate expiration notice for domain xxx.com"
I see other questions about this, but none of them mention the "staging environment".
The email states:
You issued a testing cert (not a live one) from Let's Encrypt staging
environment. This mail takes the place of what would normally be a renewal
reminder, but instead is demonstrating delivery of renewal notices. Have a nice
day!
I wasn't aware that I issued a testing cert. Is this a normal notification or have I done something terribly wrong? I have about a dozen other hosts and have not seen such a message on them.
Some ACME client software (for getting Let’s Encrypt certificates) defaults to the staging system. The email listed a domain name right? If you tried different software for that particular system you should check if it uses staging by default. Certificates from staging aren’t publicly trusted, so you’ll want to replace anything that was issued from staging with a “real” certificate.
Because Let’s Encrypt doesn’t verify your control over the contact email, if you don’t recognise the domain in the email it could be someone messing with you.
Interesting. I use dehydrated. Just checked and I have one other domain (and two hostnames) in the same config file, so settings are the same for all hosts (although not all were setup on the same date).
The email did contain the domain/hosts for one of the domains.
The only settings altered from the stock config file are the following:
IP_VERSION=4
CA="https://acme-v01.api.letsencrypt.org/directory" (of note below that are two commented out entries that have "staging" in the URL)
LOCKFILE="/var/run/dehydrated/lock"
CONTACT_EMAIL=css-letsencrypt@xxx.com
Can you explain a bit more the opportunities this system affords an attacker to “mess with” my certs?
It doesn't. However, some jerk could enter your email address for their account, and then you would get expiration alerts about their (legitimate) certificates.
Ah. Not a chance of that. As you can see above, it’s not a particularly “guessable” email. So that said, what can I look for? Dehydrated is happily updating.
If it came to that not very guessable email address, and the name mentioned was a domain you control it does seem it couldn’t be someone else fooling about.
If the active certificate for that Fully Qualified Domain Name is fine, I wouldn’t worry too much. Nothing terrible could come of these not actually trusted certificates, the worst problem is if you’ve installed them somewhere not realising they aren’t the “genuine article” and won’t be trusted by browsers etc. so although it’s a bit of a mystery it seems, it shouldn’t keep you awake at night if you’ve ruled that out.
Unfortunately a side effect of them not being trusted is that (I think) these certificates aren’t logged anywhere public, so we can’t poke around to see when it was issued exactly as see if that jogs any memories.
