Historical Report of Certificates Issued for a Specific Domain


#1

Hi,

We had an issue renewing a certificate because it seems a newer certificate was issued from a different server. The certbot seems to have gotten confused somehow and we want to audit exactly what certificates were issued for this domain, and from what server IP.

We searched for a historical report on this site but couldn’t find any specific help on this.

TIA,
Alex


#2

Hi @aimass

Every CT log can do that.

Google:

https://transparencyreport.google.com/https/certificates

Comodo:

https://crt.sh/

Both show pre- and leaf certificates, so one certificate creates two entries.
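To make the "one certificate creates two entries" point concrete, here is an added example (my own code, not something from the original post, crt.sh or Let's Encrypt) that takes the per-log-entry records crt.sh serves from its JSON output (`https://crt.sh/?q=<domain>&output=json`; the field names are taken from that API as I know it, the values are constructed for the example), collapses precert and leaf entries into one record per serial number, filters by hostname including wildcard SANs, and reports which certificates were valid on a given date. That is the part of the audit a CT log can answer; who requested the certificate and from which IP is not in the log, as noted in the thread.

```python
import json
from datetime import datetime

# Constructed sample in the record shape crt.sh returns for
# https://crt.sh/?q=<domain>&output=json (field names assumed from that API;
# every value below is invented for this example, not a real log entry).
SAMPLE_CRTSH_JSON = json.dumps([
    # certificate A: precert entry and leaf entry share one serial number
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03AA11", "not_before": "2018-11-20T09:00:00", "not_after": "2019-02-18T09:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03AA11", "not_before": "2018-11-20T09:00:00", "not_after": "2019-02-18T09:00:00"},
    # certificate B: same names, issued a month later (the "newer certificate" case)
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03BB22", "not_before": "2018-12-20T10:00:00", "not_after": "2019-03-20T10:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03BB22", "not_before": "2018-12-20T10:00:00", "not_after": "2019-03-20T10:00:00"},
    # certificate C: wildcard only, from another CA, logged once
    {"id": 1005, "issuer_name": "C=US, O=Other CA, CN=Other CA Issuer",
     "common_name": "*.example.com", "name_value": "*.example.com",
     "serial_number": "0CC33", "not_before": "2019-01-05T12:00:00", "not_after": "2019-04-05T12:00:00"},
])


def parse_ct_entries(raw_json):
    """Collapse per-log-entry records into one record per certificate, keyed on serial number."""
    by_serial = {}
    for entry in json.loads(raw_json):
        serial = entry["serial_number"].lower()
        rec = by_serial.setdefault(serial, {
            "serial": serial,
            "issuer": entry["issuer_name"],
            "names": set(),
            "not_before": datetime.fromisoformat(entry["not_before"]),
            "not_after": datetime.fromisoformat(entry["not_after"]),
            "log_entries": 0,  # precert + leaf usually gives 2 per certificate
        })
        rec["names"].update(n.strip().lower() for n in entry["name_value"].split("\n") if n.strip())
        rec["log_entries"] += 1
    return sorted(by_serial.values(), key=lambda r: r["not_before"])


def name_matches(cert_name, host):
    """Exact SAN match, or single-label wildcard match (*.example.com covers www.example.com, not example.com)."""
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        return host.endswith(suffix) and host.count(".") == cert_name.count(".")
    return False


def certificates_for_host(records, host):
    """Certificates whose SAN list covers the given hostname."""
    host = host.lower()
    return [r for r in records if any(name_matches(n, host) for n in r["names"])]


def valid_at(records, when):
    """Certificates whose validity period contains the given instant."""
    return [r for r in records if r["not_before"] <= when <= r["not_after"]]


def timeline(raw_json, host):
    """Issuance history for one hostname, one line per certificate, oldest first."""
    lines = []
    for r in certificates_for_host(parse_ct_entries(raw_json), host):
        lines.append("%s -> %s  serial %s  %d log entries  issuer %s" % (
            r["not_before"].date(), r["not_after"].date(), r["serial"],
            r["log_entries"], r["issuer"]))
    return lines


if __name__ == "__main__":
    for line in timeline(SAMPLE_CRTSH_JSON, "example.com"):
        print(line)
    overlap = valid_at(certificates_for_host(parse_ct_entries(SAMPLE_CRTSH_JSON), "example.com"),
                       datetime(2019, 1, 15))
    print("valid on 2019-01-15:", [r["serial"] for r in overlap])
```

Against real crt.sh output you would replace `SAMPLE_CRTSH_JSON` with the fetched body; the overlap check is the useful part when a renewal looks wrong, since it shows every certificate that was simultaneously valid for the name on the day in question.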


#3

What kind of issue? The existence of one other certificate on another server won’t cause issues for Certbot or Let’s Encrypt.

The CT logs – and easily searchable monitoring websites – can show you what certificates were issued and when, but only Let’s Encrypt can provide IP or account information.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#4

My domain is:
waylandgroup.com

I ran this command:
certbot renew

It produced this output:

The following certs are not due for renewal yet:
/usr/local/etc/letsencrypt/live/waylandgroup.com/fullchain.pem expires on 2019-02-18 (skipped)
No renewals were attempted.

But the certificate in live/ was expired a couple of days ago. Yet certbot insisted the certificate expired in February.

We are running certbot renew on a daily basis with a cron:

0 0,12 * * * /usr/local/bin/python2.7 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot renew

We believe the final customer at some point relocated the DNS to a different server and re-issued a new certificate and this somehow confused certbot on the original server. In other words, the DNS records for the base domain and www were pointed temporarily to a different server, a certificate re-issued there and then the DNS was pointed back to our server at 108.161.151.53

But we have no way to prove or disprove this, or otherwise explain why certbot got confused.

My web server is (include version):
Apache/2.4.34 (FreeBSD)

The operating system my web server runs on is (include version):
FreeBSD 11.2-RELEASE-p2

My hosting provider, if applicable, is:
We ARE the hosting provider. But we don’t have control over the DNS of this particular domain.

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No.


#5

Certbot doesn’t know about the DNS records or other servers or anything. It’s just reading the expiration date from its local files.

What does “certbot certificates” show?

Are you experiencing any problems now? What exactly was showing as expired?

https://waylandgroup.com/ and https://www.waylandgroup.com/ are currently using a certificate that was issued 2018-12-20 and expires 2019-03-20.
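Since the answer above says certbot only reads the expiration date from its local files, an independent check of what is actually in the live/ directory is worth having. The following is an added example (my own code, not certbot's or Let's Encrypt's) that extracts the serial number and validity period from the first certificate in a PEM file using only the standard library, by walking the DER structure as far as the tbsCertificate validity field. Because it has to run offline, it builds a constructed, unsigned stand-in with only the fields the walker touches; that stand-in is not a real certificate, and on a real server `openssl x509 -in cert.pem -noout -dates` gives the same dates.

```python
import base64
import re
from datetime import datetime, timezone


def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block (in fullchain.pem that is the leaf)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) as a UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:
        fmt = "%y%m%d%H%M%SZ"  # strptime maps 50-99 to 19xx and 00-49 to 20xx, as RFC 5280 requires
    elif tag == 0x18:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Serial number and validity of a DER certificate, read from tbsCertificate."""
    tag, pos, _, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, _ = _read_tlv(der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, _, nxt = _read_tlv(der, pos)        # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = nxt
    tag, vs, ve, pos = _read_tlv(der, pos)      # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    serial = der[vs:ve].hex()
    for _ in range(2):                          # signature AlgorithmIdentifier, issuer Name
        tag, _, _, pos = _read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("malformed tbsCertificate")
    tag, vs, _, _ = _read_tlv(der, pos)         # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity missing")
    t1, s1, e1, p = _read_tlv(der, vs)
    t2, s2, e2, _ = _read_tlv(der, p)
    return {"serial": serial,
            "not_before": _parse_time(t1, der[s1:e1]),
            "not_after": _parse_time(t2, der[s2:e2])}


def validity_from_file(path):
    """Convenience wrapper for e.g. /etc/letsencrypt/live/<domain>/cert.pem."""
    with open(path) as fh:
        return certificate_validity(pem_to_der(fh.read()))


def days_remaining(info, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (info["not_after"] - now).days


def _der(tag, content):
    """Minimal DER encoder used only to build the constructed sample below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_pem():
    """Constructed, unsigned stand-in with only the fields the parser walks; NOT a real certificate."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial = _der(0x02, bytes.fromhex("03bb22"))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))  # CN
                                          + _der(0x13, b"Constructed Test CA"))))
    validity = _der(0x30, _der(0x17, b"181220090000Z") + _der(0x17, b"190320090000Z"))
    tbs = _der(0x30, version + serial + sig_alg + name + validity + name + _der(0x30, b""))
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))  # empty signature placeholder
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = certificate_validity(pem_to_der(build_sample_pem()))
    print("serial", info["serial"], "valid", info["not_before"], "to", info["not_after"])
    print("days remaining on 2019-03-01:", days_remaining(info, datetime(2019, 3, 1, tzinfo=timezone.utc)))
```

Running `validity_from_file` against the leaf in live/<domain>/ and comparing the dates with what `certbot certificates` prints is the quickest way to tell whether certbot's view and the file on disk disagree, which is the situation post #4 describes.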