Expiring domains Vs my Let's Encrypt subscriber account


#1

I ran this command: certbot certificates

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: mail.mainDomain.com
    Domains: mail.mainDomain.com mail.newDomain.com mail.secondDomain.com mail.thirdDomain.com mail.fourthDomain.co.uk mail.fifthDomain.com mail.sixthDomain.co.uk webmail.mainDomain.com webmail.newDomain.com webmail.secondDomain.com webmail.thirdDomain.com webmail.fourthDomain.co.uk webmail.fifthDomain.com webmail.sixthDomain.co.uk
    Expiry Date: 2018-12-03 06:26:25+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/mail.mainDomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.mainDomain.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: DO

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


I received a mail last week, from expiry@letsencrypt.org stating that the certificates for a number of my domains will expire in 20 days (on 26 Sep 18).

The mail lists my various domains and also recommends renewing certificates automatically when they have a third of their total lifetime left.

These certificates are on my iRedMail mail server upon which I had to pay the creator of iRedMail for his support in applying additional domains for their mail service on the mail server. Unfortunately, he wasn’t very helpful when I asked for specific instructions to enable me to add further domains in the future (providing just a few very scant bullet points) and consequently I’m now left picking up the pieces trying to figure out what to do.

Looking at bash’s history file, I can see the following commands were issued:

apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Looking at https://certbot.eff.org/lets-encrypt/ubuntuartful-nginx and using its dropdowns to provide the specific install instructions for Ubuntu it provides:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

It therefore seems as though the correct install command (apt-get install python-certbot-nginx) for my (Ubuntu Nginx) server was not used.

Q1 What’s the impact of using ‘apt-get install certbot’ versus ‘apt-get install python-certbot-nginx’?

Q2 Is it safe to reinstall using the correct command: ‘apt-get install python-certbot-nginx’?

This is a live mail server, which I need to keep running, so would doing another install overwrite the previous install/config?

I then saw that the following command was used:

certbot certonly --webroot -w /var/www/html -d

Q3 Is there any point in doing the above command? Especially if followed shortly after with:

certbot certonly --webroot -w /var/www/html -d mainDomain.com -d mail.mainDomain.com -d webmail.mainDomain.com -w /var/www/vhosts/thirdDomain.com -d thirdDomain.com -d mail.thirdDomain.com -d webmail.thirdDomain.com -w /var/www/vhosts/oldDomain.com -d oldDomain.com -d mail.oldDomain.com -d webmail.oldDomain.com -w /var/www/vhosts/olderDomain.com -d olderDomain.com -d mail.olderDomain.com -d webmail.olderDomain.com

Shortly followed with:

get_cert.sh

which contained:

certbot certonly --webroot \
	-w /var/www/vhosts/webmail.mainDomain.com \
	-d mail.mainDomain.com \
	-d webmail.mainDomain.com \
	-w /var/www/vhosts/webmail.thirdDomain.com \
	-d mail.thirdDomain.com \
	-d webmail.thirdDomain.com \
	-w /var/www/vhosts/webmail.oldDomain.com \
	-d mail.oldDomain.com \
	-d webmail.oldDomain.com \
	-w /var/www/vhosts/webmail.olderDomain.com \
	-d mail.olderDomain.com \
	-d webmail.olderDomain.com \
	-w /var/www/vhosts/webmail.fifthDomain.com \
	-d mail.fifthDomain.com \
	-d webmail.fifthDomain.com

I can see a script in /etc/cron.weekly that calls get_cert.sh, but it seems from the upcoming expiry date that the certificates are (at 20 days to expire) well under the recommended 30-day auto-renew timescale.

I then tried to remove some of the domains and at the same time add some other domains, using this command (based on his earlier command):

certbot certonly --webroot -w /var/www/html -d mail.mainDomain.com -d webmail.mainDomain.com -w /var/www/vhosts/webmail.newDomain.com -d mail.newDomain.com -d webmail.newDomain.com -w /var/www/vhosts/webmail.secondDomain.com -d mail.secondDomain.com -d webmail.secondDomain.com -w /var/www/vhosts/webmail.thirdDomain.com -d mail.thirdDomain.com -d webmail.thirdDomain.com -w /var/www/vhosts/webmail.fourthDomain.co.uk -d mail.fourthDomain.co.uk -d webmail.fourthDomain.co.uk -w /var/www/vhosts/webmail.fifthDomain.com -d mail.fifthDomain.com -d webmail.fifthDomain.com -w /var/www/vhosts/webmail.sixthDomain.co.uk -d mail.sixthDomain.co.uk -d webmail.sixthDomain.co.uk

*note: oldDomain.com and olderDomain.com have been removed and newDomain.com, fourthDomain.co.uk and sixthDomain.co.uk have been added…

Q5 Is that the right approach / syntax?

So, my situation is now that I have all domains (including my recent additional domains) on the mail server working for their https://mail..com and https://webmail..com services.

However, the above mentioned expiry@letsencrypt.org mail still has some of the old domains included which I thought I’d removed.

Q6 How can I definitively find out what certificates are included within my Let’s Encrypt subscriber account?

I’ve read from the letsencrypt.org site that: “The contact email provided when creating accounts (aka registrations) should go to the Subscriber.”

When I use the ‘certbot certificates’ command on my server it correctly displays the current domains, as specified at the top of this post.

So I don’t understand why the email contained the old domains?

I’m guessing that my Let’s Encrypt subscriber account might well have (duplicate?) certificates that aren’t being used. If so, I’d like to clean that up so I only have valid certs for my domains.

Any help greatly appreciated, and apologies for the long-winded post, but I thought it better to be as detailed as possible.
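As an added example (not certbot's code and not from this thread's author), the script below works out which webroot certbot will use for each domain in a `certbot certonly --webroot` command line like the ones above. Certbot applies a `-w` path to every `-d` that follows it until the next `-w`, and without `--cert-name` it names the certificate lineage after the first `-d`, which is why the certificate listed at the top is called mail.mainDomain.com. It only understands the short `-w`/`-d` flags used in these commands, and it rejects a dangling `-d` with no value, like the one in the single-line command quoted above.

```python
"""Map each -d domain of a `certbot certonly --webroot` command to its -w webroot.

Added example for this thread; not certbot's own code. It handles only the
short -w and -d flags (plus certbot's comma-separated -d a,b form).
"""
import shlex

# Constructed sample: the multi-webroot command from the post, as one string.
SAMPLE_COMMAND = (
    "certbot certonly --webroot "
    "-w /var/www/html -d mail.mainDomain.com -d webmail.mainDomain.com "
    "-w /var/www/vhosts/webmail.newDomain.com -d mail.newDomain.com -d webmail.newDomain.com "
    "-w /var/www/vhosts/webmail.secondDomain.com -d mail.secondDomain.com -d webmail.secondDomain.com "
    "-w /var/www/vhosts/webmail.thirdDomain.com -d mail.thirdDomain.com -d webmail.thirdDomain.com "
    "-w /var/www/vhosts/webmail.fourthDomain.co.uk -d mail.fourthDomain.co.uk -d webmail.fourthDomain.co.uk "
    "-w /var/www/vhosts/webmail.fifthDomain.com -d mail.fifthDomain.com -d webmail.fifthDomain.com "
    "-w /var/www/vhosts/webmail.sixthDomain.co.uk -d mail.sixthDomain.co.uk -d webmail.sixthDomain.co.uk"
)


def map_webroots(command: str) -> dict:
    """Return {domain: webroot} in the order certbot reads the flags.

    Raises ValueError when a flag has no value (e.g. a trailing ``-d``),
    when a -d appears before any -w, or when one domain is listed with
    two different webroots (certbot would silently keep the last one).
    """
    argv = shlex.split(command)
    mapping = {}
    webroot = None
    i = 0
    while i < len(argv):
        flag = argv[i]
        if flag not in ("-w", "-d"):
            i += 1
            continue
        if i + 1 >= len(argv) or argv[i + 1].startswith("-"):
            raise ValueError(f"{flag} has no value (argument {i})")
        value = argv[i + 1]
        if flag == "-w":
            webroot = value
        else:
            if webroot is None:
                raise ValueError(f"-d {value} appears before any -w")
            for domain in value.split(","):  # certbot accepts -d a,b,c
                if domain in mapping and mapping[domain] != webroot:
                    raise ValueError(f"{domain} listed with two webroots")
                mapping[domain] = webroot
        i += 2
    return mapping


def cert_name(command: str) -> str:
    """Lineage name certbot derives when --cert-name is absent: the first -d."""
    return next(iter(map_webroots(command)))


def by_webroot(mapping: dict) -> dict:
    """Invert the mapping: each webroot and the domains whose
    /.well-known/acme-challenge/ files it must serve during validation."""
    groups = {}
    for domain, root in mapping.items():
        groups.setdefault(root, []).append(domain)
    return groups


if __name__ == "__main__":
    for root, domains in by_webroot(map_webroots(SAMPLE_COMMAND)).items():
        print(f"{root}: {', '.join(domains)}")
    print("lineage name:", cert_name(SAMPLE_COMMAND))
    try:
        map_webroots("certbot certonly --webroot -w /var/www/html -d")
    except ValueError as err:
        print("rejected:", err)
```

Grouping by webroot is the useful view when a challenge fails: every domain in a group must resolve to this server and that directory must be served over plain HTTP on port 80 by nginx, otherwise validation for the whole certificate fails.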


#2

Hi @derrickr

The expiry mail contains certificates which are not renewed (exact set of domain names).

So if you change your set of domain names and don’t renew the original set of domain names:

You will get a mail (20 days and 10 days before the end of the certificate) and you should ignore this mail.

You can use certbot certificates, then something like certbot delete.

But it looks like you have only one active certificate.
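To make the "exact set of domain names" rule concrete, here is an added example (not certbot's code and not from either poster) that parses the `certbot certificates` output from the first post, compares it against a constructed expiry-mail domain list, and checks the remaining lifetime against certbot's default 30-day renewal window. The comparison is set equality: a mail whose names merely overlap the active certificate refers to an older, superseded certificate and can be ignored; a mail whose names match exactly concerns the certificate certbot is still managing and means renewal is not happening.

```python
"""Classify a Let's Encrypt expiry mail against `certbot certificates` output.

Added example for this thread, not certbot or Let's Encrypt code. The expiry
mail is sent for an exact set of names that was not renewed, so the test is
set equality, not name overlap.
"""
import re
from datetime import datetime, timezone

# `certbot certificates` output from the first post (placeholder domains).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: mail.mainDomain.com
    Domains: mail.mainDomain.com mail.newDomain.com mail.secondDomain.com mail.thirdDomain.com mail.fourthDomain.co.uk mail.fifthDomain.com mail.sixthDomain.co.uk webmail.mainDomain.com webmail.newDomain.com webmail.secondDomain.com webmail.thirdDomain.com webmail.fourthDomain.co.uk webmail.fifthDomain.com webmail.sixthDomain.co.uk
    Expiry Date: 2018-12-03 06:26:25+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/mail.mainDomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.mainDomain.com/privkey.pem
"""

# Constructed: the domain list of the expiry mail, modelled on the older
# get_cert.sh set (it still names oldDomain and olderDomain).
EXPIRY_MAIL_DOMAINS = [
    "mail.mainDomain.com", "webmail.mainDomain.com",
    "mail.thirdDomain.com", "webmail.thirdDomain.com",
    "mail.oldDomain.com", "webmail.oldDomain.com",
    "mail.olderDomain.com", "webmail.olderDomain.com",
    "mail.fifthDomain.com", "webmail.fifthDomain.com",
]

# Constructed "now": the moment at which the output above shows 82 days left.
SAMPLE_NOW = datetime(2018, 9, 12, 6, 26, 25, tzinfo=timezone.utc)

RENEW_THRESHOLD_DAYS = 30  # certbot's default renewal window


def parse_certificates(text: str) -> list:
    """Turn `certbot certificates` output into [{name, domains, expiry}]."""
    certs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = {"name": line.split(":", 1)[1].strip()}
            certs.append(current)
        elif current is not None and line.startswith("Domains:"):
            current["domains"] = frozenset(line.split(":", 1)[1].split())
        elif current is not None and line.startswith("Expiry Date:"):
            stamp = re.match(r"Expiry Date:\s+(\S+ \S+)", line).group(1)
            current["expiry"] = datetime.fromisoformat(stamp)
    return certs


def days_remaining(cert: dict, now: datetime) -> int:
    return (cert["expiry"] - now).days


def renewal_due(cert: dict, now: datetime, threshold: int = RENEW_THRESHOLD_DAYS) -> bool:
    """True once the certificate is inside the renewal window."""
    return days_remaining(cert, now) <= threshold


def classify_expiry_mail(mail_domains, certs: list) -> tuple:
    """Return ("active", name) on an exact match (renewal really is failing),
    ("superseded", names) when the mail only overlaps a lineage (ignore it),
    or ("unknown", "") when none of the names are managed here."""
    mail_set = frozenset(mail_domains)
    for cert in certs:
        if cert["domains"] == mail_set:
            return "active", cert["name"]
    overlapping = [c["name"] for c in certs if c["domains"] & mail_set]
    if overlapping:
        return "superseded", ", ".join(overlapping)
    return "unknown", ""


if __name__ == "__main__":
    certs = parse_certificates(CERTBOT_OUTPUT)
    for cert in certs:
        left = days_remaining(cert, SAMPLE_NOW)
        print(f"{cert['name']}: {len(cert['domains'])} names, {left} days left, "
              f"renewal due: {renewal_due(cert, SAMPLE_NOW)}")
    print("expiry mail refers to:", classify_expiry_mail(EXPIRY_MAIL_DOMAINS, certs))
```

An "unknown" result is the case described later in this thread, where someone else registered an account with your address; nothing on this server is affected. An "active" result with `renewal_due` true is the one that needs action, because it means the cron job is not renewing the lineage certbot still lists.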


#3

Thanks @JuergenAuer, it’s starting to make sense the more I do it.

I was slowly coming to the conclusion that I could ignore that mail, but since I’m new to this I was a little cautious.

I’ve also (successfully) created a new cert on another of my domains on a separate server. I used my same mail address, so I now have two separate certs on the separate servers and I’m assuming each with their own Let’s Encrypt subscriber account?

It therefore looks like the certificates each have their own Let’s Encrypt subscriber account and can use the same mail address, but I’m wondering if there’s any way I can look up what certificates (and associated domains) are using my mail address? My rationale being that I could then see what other certificates (and associated Let’s Encrypt subscriber accounts) may be likely to send me expiry mails, so I could ensure that I’m managing any potential expirations accordingly.


#4

Yes, you have now two different accounts. The mail address isn’t relevant. The key pair (public-private key) is account specific.

This isn’t possible. If the certificate is created, the certificate has no information which account (key-pair) was used.

The mail address isn’t checked. So I could create a letsencrypt-account with your mail address.

If there are no certificates or if the certificates are renewed after 60 days, then no mail is sent.

And if someone uses your mail address (there were misconfigured shared hosting services), you get a mail with domains you don’t know and don’t manage: Ignore the mail.


#5

Thanks for clearing that up:

Seems like I should just ignore mails for any potential misconfigured domains.

However, what does this now mean?

Appreciate your help @JuergenAuer


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.