Incorrect notification about certificates renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mxmail.pro

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I often get notifications that my certificates need to be renewed. But when I check the date there is always very much time left.
Can the reason be that I use 1 TLS certificate for multiple domains under one name? It's for email domains.

Please see your history of certificates for your domain at crt.sh | mxmail.pro and then please read the email notification fully and carefully. :slight_smile:

Ok!
I can see that the domain has been with another owner for most of the time.
And I don't have to bother about the notifications, the domains will be autorenewed.
In this list I see a bunch of certs that are no longer in use. Can I somehow delete them, or will they just expire?

You can't delete anything from Certificate Transparency logs. I don't know what ACME client is being used, but usually you can check your ACME client to see the list of certs.

All certs will eventually expire.
That said, I see three wildcard certs that are still valid.
If you did not issue them, you might want to look into having them revoked.

1 Like

I have never issued any wildcard certs. How can I revoke them?

The certificates rg305 highlighted are from Google Trust Services and Sectigo. I believe both of those CAs support revocation via ACME. You should contact them for more information.

The instructions for Let's Encrypt are at Revoking Certificates - Let's Encrypt and they will be similar for other ACME CAs.

3 Likes

Using this CT log search display shows the domain names in each cert clearer than crt.sh. It only shows Let's Encrypt certs though. You can see all the names using crt.sh by clicking each one and looking at the SANs list. This is just easier.

And, this should make obvious what is happening when comparing to email (as already suggested)
https://tools.letsdebug.net/cert-search?m=domain&q=mxmail.pro&d=4320

2 Likes

You may not have directly, but I am guessing you have Cloudflare's Universal SSL enabled.

That automatically gets wildcard certs on your behalf, just in case you use them when proxying the domain with them.

5 Likes
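
Added example (not part of any post in this thread): one way to do the review discussed above, separating expired CT entries from still-valid ones and tagging wildcards and issuers you did not expect. It assumes entries in the field layout of crt.sh's JSON output; the sample entries, the domain `example.test` and the `triage` helper are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in the shape of crt.sh JSON output; all values are made up.
SAMPLE = [
    {"id": 1, "serial_number": "aa01", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.test\nmx.example.test",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T00:00:00"},
    # Precertificate and final certificate are logged separately with the same serial.
    {"id": 2, "serial_number": "aa01", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.test\nmx.example.test",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T00:00:00"},
    {"id": 3, "serial_number": "aa00", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.test",
     "not_before": "2023-03-03T00:00:00", "not_after": "2023-06-01T00:00:00"},
    {"id": 4, "serial_number": "bb02", "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1P5",
     "name_value": "*.example.test\nexample.test",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T00:00:00"},
    {"id": 5, "serial_number": "cc03", "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA DV CA",
     "name_value": "www.example.test",
     "not_before": "2020-01-01T00:00:00", "not_after": "2021-01-01T00:00:00"},
]

def triage(entries, now, expected_issuers):
    """Return unexpired, de-duplicated certs, each tagged with reasons to look closer."""
    seen, findings = set(), []
    for e in entries:
        if datetime.fromisoformat(e["not_after"]) <= now:
            continue  # expired certs stay in CT logs forever but need no action
        key = (e["issuer_name"], e["serial_number"])
        if key in seen:
            continue  # same certificate, logged as precert and as final cert
        seen.add(key)
        names = sorted(set(e["name_value"].split("\n")))
        reasons = []
        if any(n.startswith("*.") for n in names):
            reasons.append("wildcard")
        if not any(x in e["issuer_name"] for x in expected_issuers):
            # Not proof of misissuance: a CDN or host may request certs on your behalf.
            reasons.append("unexpected-issuer")
        findings.append({"id": e["id"], "names": names, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE, datetime(2024, 3, 1), ["Let's Encrypt"]):
        print(f["id"], ", ".join(f["names"]), f["reasons"] or "ok")
```

Certificates tagged `unexpected-issuer` are the ones to trace back to a service acting for the domain before considering revocation.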
