I used the ZeroSSL commands to manually create, and later update, my cert but since those instructions don’t include the email parameter (which I thought was going to be updated) I don’t get reminders. How can I set it up to send reminders without having to go through the whole creation or renewal process again? Currently I have reminders configured through SSLshopper but would like it to be tied to the actual cert generator.
This parameter has nothing to do with renewal as such - it updates the contacts for your account (so you should be able to receive reminders against the domains linked to that account). You can run that at any time but there is no need to do that more than once unless it's another account or you want to change contact data. There is no harm in running it as often as you like though (as far as I know, there's no rate limiting on that). Keep in mind that update-contacts is a separate command and if that parameter is used, renewal parameters will be ignored.
C:\ZE>le64.exe --key account.key --update-contacts "webmaster@domain.com"
Unknown option: update-contacts
2017/10/05 14:20:18 Use --help to see the usage examples.
EDIT EDIT: nvm I saw that the code has been updated and that command was added later. I will update my binary (hopefully the zerossl website has the latest compiled version.)
Do I need to use the --live option also? It didn’t specify.
C:\ZE>le64.exe --key account.key --update-contacts "webmaster@domain.com"
2017/10/05 14:34:45 [ ZeroSSL Crypt::LE client v0.27 started. ]
2017/10/05 14:34:45 Loading an account key from account.key
2017/10/05 14:34:48 Registering the account key
2017/10/05 14:34:48 The key is already registered. ID: nnnnnnn
2017/10/05 14:34:49 Contact details have been updated.
C:\ZE>
EDIT: so I reran it with the --live option and it gave a different ID number so I assume now I will be getting TWO notifications…one from the test server and one from the live server?
Since the account key does not bear the information regarding whether it is test- or live-server related, indeed the --live option would apply the changes to the live server, while not having that option would apply the changes to test.
Yes. The staging environment sends emails when staging certificates are going to expire. The production environment sends emails when production certificates are going to expire.
The staging emails clearly say that they're from staging. You'll probably want to just ignore them, and focus on the production emails.
Ok will do. This makes me think (out loud), I wonder if I could put on a black hat and use this in some kind of reflection attack, since the email addresses aren’t verified prior to being used. Hmmm…
Just a quick update - in v0.28 released today you can remove your contact details completely by specifying "none" for --update-contacts. So to do that on the test server, you will need to run the client like this:
Regarding how Let's Encrypt notifications work in general, I believe misusing those to the point where they actually cause any significant harm would be rather unlikely. However, it might make sense indeed to add some form of verification, perhaps combined with the verification of the domains themselves.
For example, for the completely new account the contact details would only be set upon successful verification of the domain(s) and only if the email belongs to the verified domain(s). Further contact updates could then limit acceptance of email addresses to any of the domains successfully verified by the account previously.
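The policy sketched in this post, as an added example that is not part of the thread or of the Crypt::LE client: a Python check that accepts an --update-contacts request only for addresses under a domain the account has already validated, and keeps the v0.28 "none" value to clear the contacts. The Account fields and the rule that a verified domain also covers its subdomains are assumptions of the example.

```python
from dataclasses import dataclass, field

class ContactRejected(ValueError):
    """Raised when a contact address fails the ownership policy."""

@dataclass
class Account:
    # Assumed shape of a CA-side account record (not Let's Encrypt's own)
    account_id: str
    verified_domains: set = field(default_factory=set)  # lower-case FQDNs
    contacts: list = field(default_factory=list)

def normalize_email(address: str) -> tuple:
    """Return (normalized address, domain); reject malformed input."""
    addr = address.strip()
    if addr.count("@") != 1:
        raise ContactRejected(f"{address!r}: not a single local@domain address")
    local, domain = addr.split("@")
    domain = domain.lower()  # domain part is case-insensitive, local part is kept
    if not local or not domain or "." not in domain:
        raise ContactRejected(f"{address!r}: empty local part or bad domain")
    return f"{local}@{domain}", domain

def domain_is_verified(domain: str, verified: set) -> bool:
    """True if the domain, or a parent of it below the TLD, was verified.
    Assumption of this example: a verified example.com also covers
    mail.example.com; a bare TLD such as 'com' never matches."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in verified for i in range(len(labels) - 1))

def update_contacts(account: Account, requested: list) -> list:
    """Apply an --update-contacts request under the proposed policy.
    ["none"] clears the contacts (v0.28 behaviour); every other address
    must belong to a domain this account has already validated, so an
    account cannot point reminder mail at a third party's mailbox."""
    if [a.strip().lower() for a in requested] == ["none"]:
        account.contacts = []
        return []
    if not account.verified_domains:
        raise ContactRejected("account has not verified any domain yet")
    accepted = []
    for addr in requested:
        norm, domain = normalize_email(addr)
        if not domain_is_verified(domain, account.verified_domains):
            raise ContactRejected(f"{addr}: {domain} not verified by {account.account_id}")
        accepted.append(norm)
    account.contacts = accepted
    return accepted
```

With a constructed account that has verified only domain.com, `update_contacts(acct, ["webmaster@domain.com"])` is accepted while an address under any other domain raises ContactRejected.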
I agree with the first part: all email addresses should be verified.
But restricting emails to same domain may be too restrictive for those in that service industry.