Invalid expire messages


#1

Please fill out the fields below so we can help you better.

My domain is: eehmke.de

I ran this command: getssl -w /etc/getssl/ -u -a -q

It produced this output: Your certificate (or certificates) for the names listed below will expire in 9 days

My operating system is (include version): Debian 8.6

My web server is (include version): Apache 2.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

What exacty is invalid?


#3

Excuse me, I was fighting the input form.

I had successfully installed getssl certificates on my old server. When I transfered some domains to a new server, I removed them from the SANS= line in getssl.cfg. Still I get expire messages via email for these domains, even when they are working fine on the new server, and can verify they are not expired there. I never revoked these domains.


#4

I assume these are emails from Let’s Encrypt.

This would be because the older certificates were for a slightly different set of domains. For example your cert expiring on the 28 Dec is for domains

           DNS:aerofly-sim.de
            DNS:blog.eehmke.de
            DNS:eehmke.de
            DNS:mail.aerofly-sim.de
            DNS:mail.eehmke.de
            DNS:owncloud.eehmke.de
            DNS:wiki.aerofly-sim.de
            DNS:www.aerofly-sim.de
            DNS:www.ccd-ev.de
            DNS:www.eehmke.de

but you have renewed the cert for the domains

           DNS:aerofly-sim.de
            DNS:baustunden.eehmke.de
            DNS:blog.eehmke.de
            DNS:cloud.daec-berlin.de
            DNS:daec-berlin.de
            DNS:eehmke.de
            DNS:ftv.eehmke.de
            DNS:lilienthaler-online.de
            DNS:lists.daec-berlin.de
            DNS:mail.aerofly-sim.de
            DNS:mail.daec-berlin.de
            DNS:mail.eehmke.de
            DNS:mail.lilienthaler-online.de
            DNS:maps.daec-berlin.de
            DNS:owncloud.eehmke.de
            DNS:sft.daec-berlin.de
            DNS:wiki.aerofly-sim.de
            DNS:www.aerofly-sim.de
            DNS:www.daec-berlin.de
            DNS:www.eehmke.de
            DNS:www.lilienthaler-online.de

which expires in Feb. Since the domains are different, Let’s Encrypt considers this a different certificate, hence will still send you emails about the old cert.

You can safely ignore the emails in this case.


#5

That’s correct, the set of domains differ, that was intentional. Thanks for looking into it.


#6

But I still get these expiration messages, though I only have renewed the valid set of domains, It starts getting annoying. I want to get rid of them.


#7

Some of the certificate you issued in November aren’t an exact match to your latest certificate, for example this one: https://crt.sh/?id=52470536

You will receive expiration notices for each certificate like that unless the renewed certificate includes the exact same set of domains (no additions, no removals).

Your options are to either unsubscribe from all expiration notices through the link in the notice (and monitor the expiration on your end) or continue to ignore the messages. There’s currently no way to unsubscribe only from expiration notices for specific certificates.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.