The certificate being used is current, as verified in crt.sh and "view certificate" of the browser:
But since I renewed it on Sep 14, I've received two emails indicating expiration of *.activedecisionsupport.com ("will expire in 9 days (on 28 Sep 20 22:20 +0000)"). Both the certificate and the crt.sh output above indicate both the main domain and the wildcard.
This domain is still relatively new to letsencrypt, and I had done some troubleshooting on the first cert generation, so I wonder if it's possible that I have effectively-duplicate certs? One that I recently acquired (I did certbot renew, but my bash history doesn't have it ... I must have led with a space accidentally)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0 (on Ubuntu 16.04)
If it helps with anything, my /etc/letsencrypt/accounts contains two accounts:
You have a cert for just your wildcard hostname issued earlier. I guess this was a faulty cert, as it doesn’t include the “bare” domain name, like the certs issued after it.
However, LE doesn’t know you don’t use it any longer (I assume) and as this specific set of hostnames hasn’t been renewed, you’re getting a warning.
That’s what I suspected, but I’m not (yet) proficient enough to distinguish the details in the list. That helps me recognize now what that entry is (as well as 3021538125). Thank you, griffin and Osiris!
(FYI, certbot certificates confirmed what I “knew”, that my current certificates were valid. It did not help me to identify which certificate(s) the email was referencing.)
I didn’t assume that I should be comparing the email with the “Common name” or the “Matching identities” components in the output from crt.sh, so it seemed reasonable to suspect that I was missing something. I’m deducing from Osiris’ comment that a test-certificate (that I thought was on staging, but apparently not) was what is triggering the notifications.
The minute hand on your watch.
The first two (which are identical) are 18 minutes off.
The second two (which are identical) match the time shown on the email.
I will admit that putting more information on the email will be helpful.
But the notice is true and accurate nonetheless.
The reason I had you view your certificates with certbot was to see if you had any duplicate certificate entries that might generate unnecessary certificates at renewal.
You're mostly right about that. You need to look at the Common Name (CN) and Subject Alternative Names (SANs) in the certificate itself. Usually the CN is a SAN.
Test certificates (from staging) are not logged on crt.sh. The pairs of certificates consist of a poisoned precertificate (bottom) and the real certificate (top).
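As an added example (not from this thread and not Let's Encrypt's or crt.sh's own code), a Python script that mimics the notice logic described above: group crt.sh-style records by their exact SAN set, which also collapses each precertificate/certificate pair into one entry, and flag any set whose newest certificate expires within a window. The records, dates and the notice window are constructed to mirror this thread; the window is a parameter, not LE's exact schedule.

```python
"""Why a superset renewal does not silence an expiry notice for an older name set.

Let's Encrypt keys its notices on the exact set of hostnames in a certificate:
a newer cert covering the bare domain plus the wildcard does not count as a
renewal of an older wildcard-only cert, so that older set keeps being reported.
"""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample in the shape of crt.sh's "?output=json" records. The field
# names (id, name_value, not_before, not_after) are crt.sh's; the values are made
# up to mirror the thread. name_value holds newline-separated SAN entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "name_value": "*.activedecisionsupport.com",
     "not_before": "2020-06-30T22:20:00", "not_after": "2020-09-28T22:20:00"},
    # precertificate and final certificate of the Sep 14 renewal: same SAN set
    {"id": 2, "name_value": "*.activedecisionsupport.com\nactivedecisionsupport.com",
     "not_before": "2020-09-14T10:00:00", "not_after": "2020-12-13T10:00:00"},
    {"id": 3, "name_value": "*.activedecisionsupport.com\nactivedecisionsupport.com",
     "not_before": "2020-09-14T10:00:00", "not_after": "2020-12-13T10:00:00"},
])

# Constructed: the day the "will expire in 9 days" email arrived.
NOTICE_DAY = datetime(2020, 9, 19, tzinfo=timezone.utc)


def parse_records(raw_json):
    """Return a (frozenset of SAN names, not_after) pair for each crt.sh record."""
    out = []
    for rec in json.loads(raw_json):
        names = frozenset(n.strip().lower() for n in rec["name_value"].split("\n") if n.strip())
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        out.append((names, not_after))
    return out


def latest_expiry_per_name_set(records):
    """Keep only the latest not_after per exact name set (merges precert/cert pairs and renewals)."""
    latest = {}
    for names, not_after in records:
        if names not in latest or not_after > latest[names]:
            latest[names] = not_after
    return latest


def expiring_name_sets(records, now, within_days=10):
    """Name sets a notice would mention: the newest cert for that exact set expires inside the window."""
    cutoff = now + timedelta(days=within_days)
    return {names: exp for names, exp in latest_expiry_per_name_set(records).items() if exp <= cutoff}


if __name__ == "__main__":
    for names, exp in expiring_name_sets(parse_records(SAMPLE_CRTSH_JSON), NOTICE_DAY).items():
        print(f"notice expected for {sorted(names)}: expires {exp:%d %b %y %H:%M} UTC")
```

Running it reports only the wildcard-only set, matching the email, while the renewed two-name set is silent because its newest certificate is months away from expiry.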
@griffin thanks, that’s very helpful. I was initially comparing the email with the crt.sh front page, now I see I need to look deeper for the SAN. Great information!
I had to learn that one the hard way myself. @Osiris beat that one into me good.
This is ESPECIALLY important when the certificate includes domains unrelated to your search, as is often the case with Cloudflare certificates and such that conglomerate unrelated domains from completely different owners.
(FYI, in case there’s confusion, I created this new account and swapped the “username” and “name” fields in my head, having just a random string for login uid purposes … “9Z2K28FBNQYErsjpX5rN” is not a readable username, but I thought my “Name” would be displayed instead. Allow me to introduce myself, “r2evans”. )
Before I forget, and you probably already realized this, for your benefit try not to generate a bunch of identical certificates (same domains, but public keys likely vary). You can run up against the rate limits. If anything were to happen to your certificates and private keys, this can give you a royal headache. If you’re testing getting certificates, you can add --dry-run to use the staging environment, which has much higher limits, does not save the “fake” certificates it generates, and won’t limit your ability to get a real certificate later.
That’s why I shifted between “real” and “staging/temp”, because in testing I hit a rate-limit or two. This is oddly not my first domain with LE, but it’s the first where I went wildcard and did anything non-trivial. Thanks.
I thought you might have. Most people who have generated 5 certificates in 1 day have tried to generate 6 certificates. I’m sure Rudy noticed this too and didn’t club you for it. Some people here will. Hard. I speak of the juggernaut…