Getting Erroneous "Let's Encrypt certificate expiration notice" Emails


#1

I have a few dozen domains I host, and each one has renewing certificates from Let’s Encrypt through Plesk 12.5’s Let’s Encrypt extension.

The certs have renewed successfully, autonomously, a couple weeks ago, and now I’m getting emails from you guys stating that some are going to expire in 19 days. One email per domain.

However, checking the certs on each domain shows they don’t expire for at least 70+ days and all are valid.

Is there a problem with your notification server at mandrillapp.com?

Here is one such domain I just got a notice regarding: https://creativeoutlets.net


#2

Looking up that domain on crt.sh it seems you originally got one cert that didn’t include the www subdomain, then one that did. I’m guessing the latter is the one you renewed, and the former is the one you got the warning about? The reminder email is sent unless you renew the certificate with the exact same set of domains. If that’s what happened, it should be safe to ignore it.


#3

Ah yes that could be it. Thank you.


#4

@gregarios I can confirm @jmorahan correctly identified the cause (Thanks!! :cake:). You can read more about our expiration warning emails and what constitutes a renewal [here](https://letsencrypt.org/docs/expiration-emails/).
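The renewal rule from #2 and #4, as an added example that is not part of the original thread and is not Let's Encrypt's own code: a notice is suppressed only when a later certificate has exactly the same set of names. The records and `example.com` names are constructed, the 90-day lifetime is the one used later in the thread, the 20-day warning window is an assumption, and wildcard names are not handled.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)  # certificate lifetime used in the thread's date arithmetic


def cert(names, not_before):
    """Build a constructed certificate record; not_before is 'YYYY-MM-DD' in UTC."""
    start = datetime.strptime(not_before, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {"names": frozenset(names), "not_before": start, "not_after": start + LIFETIME}


def classify(certs, now, warn_days=20):
    """Classify every certificate that expires within warn_days of `now`.

    renewed       - a later certificate has exactly the same name set (no notice expected)
    superseded    - all names are covered by later certificates with a different
                    name set (a notice is still sent, but it can be ignored)
    needs_renewal - at least one name has no later certificate
    """
    results = {}
    for c in certs:
        remaining = c["not_after"] - now
        if not timedelta(0) <= remaining <= timedelta(days=warn_days):
            continue  # already expired, or not yet inside the warning window
        later = [o for o in certs if o["not_before"] > c["not_before"]]
        if any(o["names"] == c["names"] for o in later):
            status = "renewed"
        else:
            covered = set().union(*(o["names"] for o in later))
            status = "superseded" if c["names"] <= covered else "needs_renewal"
        results[tuple(sorted(c["names"]))] = status
    return results


# Constructed sample: a first certificate without www, a second one with www
# that was later renewed, and an unrelated name that was never reissued.
SAMPLE = [
    cert(["example.com"], "2017-01-01"),
    cert(["example.com", "www.example.com"], "2017-01-02"),
    cert(["example.com", "www.example.com"], "2017-03-03"),
    cert(["shop.example.com"], "2017-01-03"),
]
NOW = datetime(2017, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for names, status in classify(SAMPLE, NOW).items():
        print(", ".join(names), "->", status)
```

Only the `needs_renewal` entries require action; `superseded` is the situation described in #1, where the live certificate is valid but a notice still arrives for the older name set.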


#5

I have one as of yesterday. My question is this: how do I verify if, in fact, I need to renew it? If not, how do I know it’s already renewed?

Thank you!

Hello,

Your certificate (or certificates) for the names listed below will expire in 0 days (on 01 Mar 17 01:53 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

ourdomainname.com

For any questions or support, please visit https://community.letsencrypt.org/.
Unfortunately, we can’t provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you’ve obtained a slightly different certificate by adding or removing names. If you’ve replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you want to stop receiving all email from this address, click this link (deleted) (Warning: this is a one-click action that cannot be undone)

Regards,


#6

The expiration date is part of the certificate, so you can use your browser’s certificate viewer to check the actual expiration date.

In Chrome, you open the site in question, right-click and open “Inspect”. That should open the developer console, which has a “Security” tab with a “View Certificate” button. The expiration date should be visible somewhere in the window that just opened (the exact UI here is OS-specific).

In Firefox, you can reach a similar interface through the “View Page Info” context menu, under “Security” > “View Certificate”.


#7

Thank you for the quick response. Is there another way to check? I can’t get to that site in question right now because the server/pc hosting it is down.

Thanks again,
Thomas


#8

You can use https://crt.sh/ to find all certificates issued for a particular domain and check the “Not After” date of the most recent one. This’ll let you know that a certificate was issued; confirming that it’s in use of course would require the server to be up.


#9

This is what I got back. Based on that I cannot tell whether or not it will be expired tomorrow - like it said in the email. Going forward, how do I set it so that it renews automatically? Is it just a matter of having the server up and running?

Certificates

| crt.sh ID | Logged At | Not Before | Issuer Name |
|---|---|---|---|
| 5671663 | 2016-12-01 | 2016-12-01 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3 |
| 2956432 | 2016-08-23 | 2016-08-23 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3 |
| 2208194 | 2016-06-14 | 2016-06-14 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3 |

Thank you!


#10

The newest certificate there is indeed going to expire tomorrow, because tomorrow is 90 days after it was issued:

$ date -d '2016-12-01+90days'
Wed Mar 1 00:00:00 PST 2017

(PST is just the time zone on my computer; the Let’s Encrypt certificate expiry is actually calculated relative to UTC, I believe.)

How did you obtain these certificates? What software are you using? Is it Certbot or something else?


#11

No idea. This was before my time here. Any way I can track down this info for you? I really can’t have it expired by tomorrow.

Thanks!


#12

Well, the details of how to do a renewal depend completely on what software you’re using and how the site is hosted, so it will be important to find out somehow!


#14

Here’s what I got back, I hope that helps!

“When I deployed it, the program was called letsencrypt. I think now it’s called CertBot”


#15

There are a number of things that might not work about this depending on other details, but you’ll most likely need to log into the server as root and run

letsencrypt renew

or as another user with administrative access and run

sudo letsencrypt renew

If this doesn’t work, I’m sure people here are willing to help debug it and figure out more about what the previous person did, but it would be much more efficient to have someone with more system administration experience involved because they could probably figure it out promptly without a lot of back-and-forth cycles.


#16

That someone is me for now. :slight_smile: But I’m slowly but surely moving away from legacy systems. So changes for the better are coming.

Thank you for help!


#17

OK, did you try something like sudo letsencrypt renew, and with any good or bad results?


#18

Hello Seth, are you able to help me with what I just posted?

Thank you!


#19

Hi @thomasp1, I was still waiting for your reply to my question about logging into the server and running one of the commands I suggested.


#20

Sorry, that problem has been resolved. This is a separate issue for our main site.


#21

Oh, did you post in a new thread about that?