Expiry bot could provide a bit more details, especially unique identifiers

Right now Expiry Bot includes specific expiration date and hostname(s) in the expiration mail. This is fine, but not always enough to identify the specific certificate in question, like when there’s been an old cert with the same name, or a staging one; or it would be simply prudent to provide cryptographically or administratively unique identifying information about the subject of the email.

Cert serial number would seem to be an obvious choice (it’s in the default output of both openssl and certtool, apart from possibly any other).

1 Like

Could also provide a hash, and perhaps a https://crt.sh/ link.

It should always be possible to identify the certificate by the information given now, though. (At least for a production certificate, since they’re logged to CT.) The email says whether it’s a staging or production certificate. You can identify the most recent certificate with those names expiring at the given time. It’s just not always convenient.

2 Likes

Hi @grinapo,

There was an open feature request for including the certificate fingerprint: "Include certificate fingerprint or serial in email expiration notice" (Issue #2777, letsencrypt/boulder, GitHub). I've updated it to mention the certificate serial - likely a better choice for identifying the certificates in question than the fingerprint.

1 Like
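The identifiers discussed in this thread (serial, hash, crt.sh link) can be computed locally for any candidate certificate and compared with a notice. The following is an added example, not part of the thread and not Boulder's code: it reads the serial from the DER structure and hashes the whole DER for the fingerprint. The names `read_tlv`, `cert_identifiers` and `SAMPLE_DER` are hypothetical, and the `https://crt.sh/?q=` lookup form is an assumption.

```python
import hashlib
import ssl

# Constructed sample: a skeleton holding only the version and serial fields
# (serial 04ABCD), not a real certificate. Real input is a PEM string or DER bytes.
SAMPLE_DER = bytes.fromhex("300c300aa003020102020304abcd")

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def cert_identifiers(cert):
    """Return the serial, SHA-256 fingerprint and a crt.sh URL for one certificate."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else bytes(cert)
    tag, pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = read_tlv(der, pos)      # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("TBSCertificate not found")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version (absent in v1)
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # Drop the DER sign-padding byte so the value reads like `openssl x509 -serial`.
    serial = der[start:end].lstrip(b"\x00").hex().upper() or "00"
    fingerprint = hashlib.sha256(der).hexdigest()  # hash covers the entire DER encoding
    return {"serial": serial, "sha256": fingerprint,
            "crt_sh": "https://crt.sh/?q=" + fingerprint}  # assumed lookup URL form

if __name__ == "__main__":
    for key, value in cert_identifiers(SAMPLE_DER).items():
        print(f"{key}: {value}")
```

Two certificates for the same hostnames (an older one, or a staging one) produce different serials and fingerprints here, which is the ambiguity the notice currently leaves open.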
