Incorrect certificate expiration notices


#1

I have received two certificate expiration notices for different domains, one in 10 and one in 0 days. Upon checking the certificates and testing them through https://www.ssllabs.com/ssltest/ it appears that both certificates do not expire for another three months.

I’m not sure why this is happening or if there is something I’m missing or if there is something not right with the expiration notice procedure, but thought I should report it. I’m wondering if anyone else is getting incorrect expiration notices?

Thanks,

Daryl Williams


#2

If it requires one of the Let’s Encrypt staff to go investigate further they’ll probably appreciate knowing the affected names, and other details such as certificate serial numbers.

Two common causes for this that are harmless and won’t need further investigation are:

  1. You added and/or removed names on the certificates. Let’s Encrypt only knows for sure you’ve renewed if the names are exactly the same. For example, if you added my-new-server.example.com when you previously only had www.example.com and example.com on a certificate, Let’s Encrypt won’t automatically consider the new cert to be a “renewal” of the old one. Likewise if you removed a name. Solving the most general case of this is tricky (called a Ship of Theseus problem).

  2. You signed up again, and began using a new Let’s Encrypt account to issue certificates. Old and new certificates will work in this scenario (until they expire) but Let’s Encrypt doesn’t know for sure it’s “still you” and I think (but I’m not sure) the old account will receive reminders for the old certificates.
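The exact-name-set rule described in reply #2, as an added example (not part of the thread and not Let’s Encrypt’s own code): it sorts soon-to-expire certificates in a local inventory into ones that were renewed with identical names, ones that would still draw a notice but whose names are all on newer certificates, and ones with a name that is genuinely about to lose coverage. The record layout, the 20-day window, the function names and all sample serials and hostnames are assumptions made for illustration; wildcard names and the separate-account case from cause 2 are not modelled.

```python
from datetime import datetime, timedelta, timezone

def name_set(names):
    """Order- and case-insensitive identity of a certificate's names."""
    return frozenset(n.lower().rstrip(".") for n in names)

def classify_expiring(certs, now, window_days=20):
    """Map serial -> (status, uncovered_names) for certs expiring in the window.

    renewed   : a longer-lived cert carries exactly the same name set
    covered   : no exact match, but every name is on some longer-lived cert
    uncovered : at least one name has no longer-lived cert
    """
    horizon = now + timedelta(days=window_days)
    fresh = [c for c in certs if c["not_after"] > horizon]
    fresh_sets = {name_set(c["names"]) for c in fresh}
    fresh_names = set().union(*fresh_sets)
    report = {}
    for c in certs:
        if not (now <= c["not_after"] <= horizon):
            continue  # only certs inside the notice window are of interest
        names = name_set(c["names"])
        missing = sorted(names - fresh_names)
        if names in fresh_sets:
            status = "renewed"
        elif not missing:
            status = "covered"
        else:
            status = "uncovered"
        report[c["serial"]] = (status, missing)
    return report

# Constructed inventory: date, serials and hostnames are made up.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def _cert(serial, days, *names):
    return {"serial": serial, "not_after": NOW + timedelta(days=days), "names": names}

SAMPLE = [
    _cert("A1", 10, "example.com", "www.example.com"),
    _cert("A2", 80, "example.com", "www.example.com", "my-new-server.example.com"),
    _cert("B1", 0, "shop.example.net"),
    _cert("B2", 85, "Shop.Example.net"),
    _cert("C1", 3, "old.example.org", "api.example.org"),
    _cert("C2", 70, "api.example.org"),
]

if __name__ == "__main__":
    for serial, (status, missing) in classify_expiring(SAMPLE, NOW).items():
        print(serial, status, missing)
```

A "covered" result corresponds to the harmless notice in cause 1; only "uncovered" entries need a new certificate.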


#3

Hi and thanks for your quick response. I think we might fall into cause number two, as I had originally registered a few domains using my personal work email, but recently when we needed to add some new domains it was decided to use an alias so more than one person would receive notifications, etc. When I registered these new domains I used this new email alias for the registration and later realized I had registered a few of them previously using my work email. I’ve been trying to figure out how to change all of our registered domains’ registration email to the new alias. I found some information here: https://github.com/certbot/certbot/issues/1215, but it appeared inconclusive if there was a way to do this yet.

Any help would be much appreciated.

Thanks,

Daryl


#4

It looks like the certbot feature --update-registration is what you need, and should be in the latest version (0.8.0) of the certbot client if you’re using that.

Nothing terrible will happen as a result of having two accounts, but it is a little bit confusing, so you might want to move everything to one account or the other.


#5

Thank you, I appreciate your help. I’ll check my version of certbot.

