False alarm renewal emails

Last week, I got a renewal email warning. I also got one a couple weeks ago. In both cases, they told me my certificate hadn’t been renewed and would expire in what is now about 10 days. When I got the original email, and again when I got the latest email, I checked my certificate. I did it both by looking at details in a browser and by asking one of those check-your-server sites. In all cases, the certificate was good. It renewed on 23 March and has 66 days left on the clock. I’ve been using the automatic key renewal stuff for at least a year or two and haven’t seen these email before.

Anything to worry about?

Hi @wjcarpenter

what's your domain name?

Read

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

You may have created certificates with different sets of domain names you don't use -> you didn't renew -> that produces the mail.

Checking your domain name with https://crt.sh/ or https://check-your-website.server-daten.de/ should show the installed and the not longer used certificates.

Sorry, meant to mention the domain: acceptio.com (along with several server alternate names).

I have modified the list of server alternate names in the past, but the last time was in 2017.

BTW, I’m not too worried about this since the cert I have looks good.

There is already a check of your domain - https://check-your-website.server-daten.de/?q=acceptio.com - ~~15 hours old.

The certificate is valid - 66 days:

CN=acceptio.com (5809)
	23.03.2019
	21.06.2019
expires in 66 days	a-imap.acceptio.com, a-pop.acceptio.com, a-smtp.acceptio.com, acceptio.com, acceptio.net, andyheard.com, andyheard.net, andyheard.org, b-imap.acceptio.com, b-pop.acceptio.com, b-smtp.acceptio.com, briansieger.com, c-imap.acceptio.com, c-pop.acceptio.com, c-smtp.acceptio.com, carpenter.org, cyberclops.com, d-imap.acceptio.com, d-pop.acceptio.com, d-smtp.acceptio.com, e-imap.acceptio.com, e-pop.acceptio.com, e-smtp.acceptio.com, f-imap.acceptio.com, f-pop.acceptio.com, f-smtp.acceptio.com, g-imap.acceptio.com, g-pop.acceptio.com, g-smtp.acceptio.com, h-imap.acceptio.com, h-pop.acceptio.com, h-smtp.acceptio.com, hapcatcap.com, i-imap.acceptio.com, i-pop.acceptio.com, i-smtp.acceptio.com, maiaellen.com, plist.com, presentco.com, privateaisle.com, prod05.acceptio.com, rainfade.com, ral.ph, shad05.acceptio.com, spindry.com, support.acceptio.com, targetrich.com, www.acceptio.com, www.acceptio.net, www.andyheard.com, www.andyheard.net, www.andyheard.org, www.briansieger.com, www.carpenter.org, www.cyberclops.com, www.hapcatcap.com, www.maiaellen.com, www.plist.com, www.presentco.com, www.privateaisle.com, www.rainfade.com, www.ral.ph, www.spindry.com, www.targetrich.com, www.zoeelena.com, y-imap.acceptio.com, y-pop.acceptio.com, y-smtp.acceptio.com, z-imap.acceptio.com, z-pop.acceptio.com, z-smtp.acceptio.com, zoeelena.com - 72 entries

And there are two CT-log entries:

The older has one more domain name - bissextus.com and the www-version.

This difference produces the mail.

PS: Created a full outer join to find the difference.

PPS: Interesting idea, perhaps I should add a query, so users can check such differences.

Ah, I guess that difference explains it. I allowed that domain to expire, though I neglected to remove it from my Let’s Encrypt config. So the validation step for that domain failed and the update removed it from the list of server alternate names.

Thanks for tracking that down!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.