Let's Encrypt certificate expiration emails

Hi! I have just got a reminder email saying my certs are going to expire in 19 days. The 4 domains I own actually have 56 days to run according to sudo certbot certificates command.

Does this mean that there are still certificates in existence but not actively being used, and those certificates are the ones the email is referring to? If so, can I destroy them and prevent the emails being sent to me?

Also, in the email there is this sentence:

See Integration Guide - Let's Encrypt for details.

When I follow that link I see at the top: "Last updated: Aug 8, 2016". Is that a problem? I thought various things might have changed since then which would require modified guidance to be issued. The guide says:

This document contains helpful advice if you are a hosting provider or large website integrating Let’s Encrypt, or you are writing client software for Let’s Encrypt.

I do not fit into any of those three categories.

My feature request is that the emails are more targeted to the situation and the recipient. I can see that would require Let's Encrypt to have some insight into the user's level of expertise and number of certificates they need, as well as knowing if a certificate had been deleted by a user and/or was not in use by a user.

...and you have to be aware that there's no possible way for Let's Encrypt to have that insight.

It seems there's a lot of confusion surrounding the expiration notices, but I'm frankly confused about the confusion. It's really quite simple: at some time, you issued a cert for a set of FQDNs (let's call them a.foo.bar, b.foo.bar, and c.foo.bar), that cert is getting close to expiration, and you haven't renewed it. That's all the notice means. The question is why that cert wasn't renewed, and there are several possibilities, including:

  • You don't have an automatic renewal mechanism set up, and rely on those reminders to tell you when to renew
  • Your automatic renewal mechanism isn't working properly for some reason
  • You've replaced the cert in question with one that covers additional FQDNs (e.g., a.foo.bar, b.foo.bar, c.foo.bar, and d.foo.bar)
  • You've replaced the cert in question with one that covers fewer FQDNs (e.g., a.foo.bar and b.foo.bar)
  • You've stopped using that cert altogether, whether or not you've deleted it.

The first two cases require some action on your part; the last three do not. Which is relevant to your situation is something only you know, and indeed only you can know.

6 Likes

If I did delete a certificate would Let's Encrypt still send me email reminders to renew it?

Yes. Certificate deletion is client-side; the Let's Encrypt server would have no idea if the cert has been copied 1000 times or deleted completely.

5 Likes

It seems there's a lot of confusion surrounding the expiration notices

I would have thought the most logical explanation for that is that the notices, or the issues they deal with (or both), are confusing.

It's really quite simple

It may be simple for you because you have spent a lot of time on the subject for example dealing with feedback like mine and perhaps have a natural talent for it. I personally have not found anything about Let's Encrypt / Certbot simple.

I am grateful for the help I have had on this forum, because without it I would be in a very difficult situation and might have to abandon hosting my own websites on a server administered by myself.

One problem with writing useful documentation is that by the time you are qualified to do it you have probably forgotten what you found confusing when you started out.

I'm starting to believe that this article I wrote a while back needs to be permanently pinned to the top of the help directory:

4 Likes

The What To Do section would be a nice addition to the expiry email or even the Let's Encrypt page.

5 Likes

I do think that article is more helpful than the first link currently in the email, which not only is dated 2016 but also is aimed at major users who probably already have a good knowledge of certificates.

If the email included the serial number of the certificate it might be useful, as then, if it covers the same domain name as another certificate, the user would be able to check that it was not the certificate they are currently using for that domain.

3 Likes