Expiry emails from letsencrypt not reflecting updated expiry dates


#1

Not sure if this is the right category to put this, but the expiry emails seem to reflect the old expiry dates.

For eg: my certs were set to expire say 1st Sept 2016. I renew all certs on the 25th of August 2016. However I still get emails from letsencrypt stating that my cert will expire 1st Sept.

I check the actual expiry of the cert and it’s correctly dated 25th Nov 2016, which is 3 months from the 25th of August.

Is this a bug in the auto notifier? Or is it just meant to be this way?

Other than that letsencrypt is working great for me and all my domains.

Thank you.


#2

As far as I know, the auto notifier doesn’t have a clue you’ve already renewed your certificates. So you can ignore the extra e-mails if all is renewed properly.


#3

Hi Mark

Use http://crt.sh/ and your domain

This will show you all certificates that have been registered for your domains

You may find you have multiple certificates hence the expiry dates.

Andrei


#4

Thanks! Would be nice if the notifier does check so we have an accurate
notice but it’s no big deal.

Mark

#5

It should check for “identical” renewals. However if your new cert has an additional domain ( perhaps a www subdomain on it) then it won’t recognise it as a direct replacement.

If your list of domains on the new cert is identical to the list on the old cert, it’s probably a bug :wink:


#6

Think it’s a bug then because notices for certs for a single domain (with
no change) give the old renewal date.


#7

Are you happy to provide the domain name, so that can be chased through?


#8

Well, let’s take cherokee.chrysler.org.sg. It has 2 domains under it:

cherokee.chrysler.org.sg
weblogs.chrysler.org.sg

Original expiry was 21st Sept 2016. I renewed on 29th August 2016, but on
12th Sept, I still got this mail which shows the original expiry of 21st
Sept 2016:

expiry@letsencrypt.org <expiry@letsencrypt.org>, Mon, Sep 12, 2016 at 5:13 AM
Hello,

Your certificate (or certificates) for the names listed below will expire
in 10 days (on 21 Sep 16 21:15 +0000). Please make sure to renew your
certificate before then, or visitors to your website will encounter errors.

cherokee.chrysler.org.sg
weblogs.chrysler.org.sg

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

If you are receiving this email in error, unsubscribe at
http://mandrillapp.com/track/unsub.php?u=30850198&id=729543c4be984e78bf370db489d5d2e6.3qo59wzl%2FGgC5YlMwvVdIsP26o8%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dmark%2540chrysler.org.sg
(HTTP link, we know. We’re working on it!)

Regards,
The Let’s Encrypt Team

It’s not only this domain by the way, I have a few, the expiry notices for
all of them have the same issues.

Thanks.


#9

You originally obtained separate certs for cherokee.chrysler.org.sg and weblogs.chrysler.org.sg on the 22nd of June which were both renewed the day after. Also on the 23rd you obtained a cert for both names which was renewed on the 31st of August.

The email you received refers to the 2 separate certs that you have presumably abandoned in favour of the single cert for both.


#10

On Jun 23 21:15:00 2016 GMT you obtained a cert for just cherokee.chrysler.org.sg - https://crt.sh/?id=22859572

On Jun 23 21:15:00 2016 GMT you separately obtained a cert for weblogs.chrysler.org.sg - https://crt.sh/?id=22961237

Later, on Jun 23 21:54:00 2016 GMT, you obtained a cert for both cherokee and weblogs - https://crt.sh/?id=22962436

You then renewed the cert containing both names on Aug 31 16:15:00 2016 GMT - https://crt.sh/?id=30426444

Since you have renewed the cert containing both names, you shouldn’t get an alert for that. You haven’t renewed the certs for the separate domain names though - hence you will have received an alert for that.

Does that make sense?


#11

Ummm, a little confused still, and I apologize, I didn’t realize I created
separate certs for that.

You mentioned I shouldn’t get alerts for the combined cert because I
renewed that? But I am getting alerts for the combined cert but not for the
separate certs which were not renewed.

Maybe I’ll just ride through all the old expiry dates and after the next
renewal (I renew about 5 - 10 days before expiry) I will monitor to see if
I get alerts for the last expiry date

Thanks!


#12

So does that mean that when the expiry email comes with the two FQDNs it’s
actually referring to 2 separate certs under my email which expire on the
same date? I always thought it referred to the combined cert for the FQDNs
listed under it.

Thank you.


#13

I think there is probably confusion because you have a single email with both domains listed in it.

It does say "Your certificate (or certificates) "… and in this case it’s certificates :wink:

If you look at the dates on the links I provided above, the two separate, single domain, certs are the ones that expire at Sep 21 21:15:00 2016 GMT - so those are the ones that the email refers to (not the combined cert).
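
An added illustration, not part of the thread and not Let's Encrypt's notifier code: a small model of the matching rule described in posts #5 and #10, where a cert counts as renewed only if a later cert carries exactly the same set of names. Issue times are the ones listed in post #10; the 90-day lifetime, the 10-day window, the UTC reading of the e-mail timestamp and all function names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)  # assumption: 90-day certificate lifetime

def cert(label, names, *issued):
    """Build a constructed cert record from its name set and issue time (UTC)."""
    not_before = datetime(*issued, tzinfo=timezone.utc)
    return {"label": label, "names": frozenset(names),
            "not_before": not_before, "not_after": not_before + LIFETIME}

C, W = "cherokee.chrysler.org.sg", "weblogs.chrysler.org.sg"

# Issue times as listed in post #10.
CERTS = [
    cert("cherokee only", [C], 2016, 6, 23, 21, 15),
    cert("weblogs only", [W], 2016, 6, 23, 21, 15),
    cert("combined", [C, W], 2016, 6, 23, 21, 54),
    cert("combined renewal", [C, W], 2016, 8, 31, 16, 15),
]

def is_renewed(c, certs):
    """Renewed only if a later-expiring cert carries exactly the same names."""
    return any(o["names"] == c["names"] and o["not_after"] > c["not_after"]
               for o in certs)

def unrenewed_expiring(certs, now, window=timedelta(days=10)):
    """Certs expiring within `window` of `now` with no exact-match renewal."""
    return [c for c in certs
            if now <= c["not_after"] <= now + window and not is_renewed(c, certs)]

def notice_names(certs, now):
    """Names one notice e-mail would list: the union over all due certs."""
    due = unrenewed_expiring(certs, now)
    return sorted(set().union(*(c["names"] for c in due)))

# Timestamp of the e-mail quoted in post #8 (UTC assumed).
NOW = datetime(2016, 9, 12, 5, 13, tzinfo=timezone.utc)

if __name__ == "__main__":
    for c in unrenewed_expiring(CERTS, NOW):
        print(c["label"], sorted(c["names"]), "expires", c["not_after"])
    print("notice lists:", notice_names(CERTS, NOW))
```

The old combined cert also falls inside the window but is dropped because the Aug 31 cert has the identical name set; the two single-name certs remain, which is why one e-mail lists both names.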


#14

Ah that explains it. Thanks!

