The notice of expiration emails are helpful, but it doesn't seem possible to identify the host that these certificates reside on. I often clone virtual machines and then rename services, etc., and sometimes a certificate stays as it was on the original machine. Then I receive notifications for this, but since there are many similar machines, it's not possible to check which machines this is applicable to.
Is there a way in which the host/guest VM machine can be identified in these reminder emails?
Question: how would Let's Encrypt know about these changes regarding cloned/moved/renamed virtual machines?
The only thing the Let's Encrypt server knows is that there hasn't been a certificate issued with the same set of hostnames and that a certificate is about to expire.
That is indeed the question. Is there any way in which this notification can be generated from the machine on which the certificates reside? Then I could silence the emails for LE's servers and get the ones from my servers.
Sure there is a way. But I don't think many ACME clients have such a feature: usually a certificate is renewed before any notifications are to be sent.
Same goes with silencing notifications from LE: with proper implementation, those emails aren't supposed to be sent at all. Only if there is a difference between a previously issued certificate and a modified "renewal" (i.e., adding or removing a hostname, so that LE doesn't recognise it as a renewal, but for your purposes it does function as a renewal) might you receive an expiry email.
The notifications aren't concerned with the hosts.
If at least one host renewed the certificate, the emails will not be sent.
You can use your own script, like this one: whendoesthisexpire.sh · GitHub
(don't put too much trust in it, I just wrote it and I don't really want to debug it. And of course, that only checks the certificate you're actually serving. And it needs some more editing to check starttls stuff.)
(The first bug I can see is that if your certificate is expired that script will go into an infinite loop. Or maybe not. It could just not output anything.)
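An added example along the lines of the script linked above (not that script, and not part of the original thread): it reports how many days remain on the certificate a server actually presents, supports STARTTLS, and handles an already-expired certificate by returning a negative day count rather than looping. It assumes a Linux host with `openssl`, `timeout` and GNU `date`; the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Check the expiry of the certificate a server actually serves.
# Assumes GNU date (for `date -d`) and coreutils `timeout`.

# Turn a "notAfter=..." line from `openssl x509 -enddate` into whole days
# remaining relative to NOW (epoch seconds; defaults to the current time).
# An expired certificate yields a negative number; an unparsable date returns 2.
days_until_expiry() {
    enddate="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    exp=$(date -u -d "$enddate" +%s) || return 2
    echo $(( (exp - now) / 86400 ))
}

# Fetch the notAfter line of the leaf certificate served at host:port.
# Optional third argument is a STARTTLS protocol for s_client (smtp, imap, ...).
# "</dev/null" plus the timeout keep s_client from waiting on stdin forever,
# which is the hang the linked script can run into.
fetch_served_enddate() {
    host="$1"; port="$2"; starttls="${3:-}"
    starttls_opt=""
    [ -n "$starttls" ] && starttls_opt="-starttls $starttls"
    timeout 10 openssl s_client -connect "$host:$port" -servername "$host" \
        $starttls_opt </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# Print "host:port expires in N days"; exit non-zero below the warning threshold
# (default 14 days) or when no certificate could be retrieved.
check_host() {
    host="$1"; port="$2"; starttls="${3:-}"; warn_days="${4:-14}"
    enddate=$(fetch_served_enddate "$host" "$port" "$starttls")
    if [ -z "$enddate" ]; then
        echo "$host:$port no certificate retrieved" >&2
        return 2
    fi
    days=$(days_until_expiry "$enddate") || return 2
    echo "$host:$port expires in $days days"
    [ "$days" -ge "$warn_days" ]
}

# Usage (placeholder hosts): ./check.sh www.example.com 443
#                            ./check.sh mail.example.com 587 smtp 7
if [ $# -ge 2 ]; then
    check_host "$@"
fi
```

Run it from cron on each VM against its own service names and the alert comes from the machine that is actually serving the certificate, which is what the LE emails cannot tell you.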
There are SSL Cert Monitoring products which will check certs for the domains you list.
That isn't quite what you asked for but is an alternative to LE's email warnings. They would only check certs actually sent by a server for a domain (like 9peppe's sample). So they would not find old unused certs on cloned VMs if you really need to know where those are.
Thanks all! Your comments set me thinking about solutions, but I think this cleared up my thinking around this issue.