Incorrect/misleading/incomplete expiration email

My domain is pypicache.repology.org, and I've just got an expiration email:

From: Let's Encrypt Expiry Bot <expiry@letsencrypt.org>
Subject: Let's Encrypt certificate expiration notice for domain "pypicache.repology.org"
Received: from [66.133.109.36] by mandrillapp.com id b49340094b964db895e14d2a61c13240; Mon, 20 Sep 2021 18:57:24 +0000
Message-Id: <20210920T185724.5291061030316891595.expiry@letsencrypt.org>
...
Your certificate (or certificates) for the names listed below will expire in 10 days (on 01 Oct 21 01:07 +0000)
...
pypicache.repology.org
...

However, browser and certbot say that the certificate was in fact recently renewed and is not going to expire in October:

  Certificate Name: pypicache.repology.org
    Serial Number: 4b34517b9f8e08c9abfb26a68d1bd99395a
    Key Type: RSA
    Domains: pypicache.repology.org
    Expiry Date: 2021-12-03 00:37:38+00:00 (VALID: 73 days)

My guess is that either there is some error or I may have two certificates for the same domain. In the latter case, the email should take such a case into account so as not to be misleading and confusing. Ideally, it should say right away that I have multiple certificates for this domain, with issue and expiration dates and serial number.

This situation would count as a renewal and should not trigger an expiry email.

There indeed exists a certificate for just that hostname which expires on 1 October: crt.sh | 4801766429. And that certificate has indeed been renewed with just that hostname on 4 September: crt.sh | 5159537241.

So I don't understand why you got that e-mail. @lestaff Could you please look into this? As far as I can tell, this expiry e-mail should not have been sent.

3 Likes
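The renewal check discussed in the reply above, as an added example that is not from the thread or from Let's Encrypt's code: it assumes a certificate counts as renewed when a newer certificate covers exactly the same set of names. The pypicache.repology.org entries use the expiry dates and crt.sh IDs quoted in the thread; the issuance times and the example.org entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    ref: str              # label used in the report
    names: frozenset      # exact set of DNS names on the certificate
    not_before: datetime
    not_after: datetime


def utc(y, mo, d, h=0, mi=0, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def is_renewed(cert, inventory):
    """True if a newer certificate covers exactly the same names (assumed rule)."""
    return any(
        other.names == cert.names
        and other.not_before > cert.not_before
        and other.not_after > cert.not_after
        for other in inventory
    )


def needs_notice(inventory, now, days=10):
    """Refs of certificates expiring within `days` that have no successor."""
    due = []
    for cert in inventory:
        days_left = (cert.not_after - now).days  # negative once expired
        if 0 <= days_left <= days and not is_renewed(cert, inventory):
            due.append(cert.ref)
    return due


NOW = utc(2021, 9, 20, 18, 57)  # timestamp of the e-mail quoted in the thread
SAMPLE = [
    # Expiry dates from the thread; issuance times are constructed.
    Cert("crt.sh 4801766429", frozenset({"pypicache.repology.org"}),
         utc(2021, 7, 3, 0, 7), utc(2021, 10, 1, 1, 7)),
    Cert("crt.sh 5159537241", frozenset({"pypicache.repology.org"}),
         utc(2021, 9, 4, 0, 37), utc(2021, 12, 3, 0, 37, 38)),
    # Constructed: the newer certificate drops a name, so it is not a renewal.
    Cert("constructed-old", frozenset({"example.org", "www.example.org"}),
         utc(2021, 6, 30), utc(2021, 9, 28)),
    Cert("constructed-new", frozenset({"example.org"}),
         utc(2021, 9, 1), utc(2021, 11, 30)),
]

if __name__ == "__main__":
    print(needs_notice(SAMPLE, NOW))
```

Run against your own inventory, a notice for a name that this check reports as renewed points to a problem on the sender's side rather than a failed renewal.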

I too have received such a mail today, telling me that the certificate will expire in 0 days (tomorrow morning). However, the certificate is still valid for another 2 months and was renewed 1 month ago. So everything should be okay, and renewal was never an issue in the last years.

Seeing that I'm not the only one who received such a message, I assume there is a bug/issue on Let's Encrypt's side.

1 Like

And another incorrect email here for domain hollisters.servepics.com, which I'm told will expire on 01 Oct 21 01:32, when in fact it's valid for another 70 days or so.

1 Like

Me too, domain: mail . lena . kiev . ua

1 Like

Funny thing by the way: I just checked my server and I have 5 certificates expiring tomorrow and I did NOT receive any expiration e-mail for them.

So I guess it's genuinely broken?

2 Likes

I got a notification that said 7 certs were expiring in 0 days, I checked all of them and the certs are expiring in exactly 2 months, so there's no issue. There might be something going on with their notification system, I checked my server and it appears fine.

1 Like

It seems that trouble is really abrewin'...

1 Like

Same problem here, several certificates that expire on November 30th, for example, but the alert email says:

Your certificate (or certificates) for the names listed below will expire in 10 days (on 01 Oct 21 02:18 + 0000)

1 Like

The Let's Encrypt staff have acknowledged the issue and are currently investigating.

3 Likes

Thanks for your reports, everyone! I believe we've identified the problem that was causing us to send expiration warning e-mails for certificates that have already been renewed. We've paused sending while we work to fix the root cause.

11 Likes

The release which we believe to be the fix for this issue has been deployed in production. Please let us know if fresh evidence is observed to the contrary.

7 Likes

Oh, I didn't realize that an email is required to get a CSR signed by Let's Encrypt to receive a certificate.
Or am I misunderstanding ACME?

E-mail addresses are fully optional in the ACME protocol, although it is recommended to use one. In that case the ACME server can send you e-mail notifications such as expiry e-mails or other urgent notifications.

2 Likes

Thank you @Osiris 🙂

2 Likes