Incomplete list on https://crt.sh?q=appello.care

We have 300+ active certificates and all renewals are proceeding without trouble.

However, I recently visited crt.sh for our appello.care TLD to review its issued history and saw that practically all the renewals since the end of January 2020 are unlisted.

I considered this being due to batch uploading from LE to crt.sh, but checking again today shows little change.

Our slowly growing list of certificates currently stands at 344, each for individual sub-domains, and to evenly spread the renewals across the sixty day rolling cycle, certbot is scripted to attempt renewal of the oldest two certificates 4 times per day. The limit of two at-a-time will be increased to three when we reach 480 certificates (8 * 60).

As examples:

  • our TLD appello.care certificate (+wildcard) was last renewed - 2020-05-19T08:53:38Z
  • the most recent sub renewal was 4100001.hq.appello.care today ~ 2020-06-12T02:52:00Z
    (4100001 will return 404, but openssl s_client will confirm)

It’s unclear whether this is an issue with LE or crt.sh - happy hunting.

Hi @mhmeadows63

That’s a problem with crt.sh.

Use

https://groups.google.com/forum/embed/?place=forum/crtsh&showsearch=true&showpopout=true&showtabs=false&parenturl=https%3A%2F%2Fcrt.sh%2Fforum#!forum/crtsh

to ask. Or https://crt.sh/forum - then it’s in a frame.

It is an issue with crt.sh.

https://crt.sh/?q=4100001.hq.appello.care

The precert is already in the log:
https://crt.sh/?id=2939001048

Currently xenon2020 and argon2020 both have a large backlog, in total over 50 million entries. The list is here: https://crt.sh/monitored-logs

Ah yes, additional query parameters to exclude expired certificates do the trick:
https://crt.sh/?Identity=appello.care&exclude=expired
