Hi! I have just got a reminder email saying my certs are going to expire in 19 days. The 4 domains I own actually have 56 days to run according to the sudo certbot certificates command.
Does this mean that there are still certificates in existence but not actively being used and those certificates are the ones the email is referring to? If so, can I destroy them and prevent the emails being sent to me?
When I follow that link I see at the top: "Last updated: Aug 8, 2016". Is that a problem? I thought various things might have changed since then which would require modified guidance to be issued. The guide says:
This document contains helpful advice if you are a hosting provider or large website integrating Let’s Encrypt, or you are writing client software for Let’s Encrypt.
I do not fit into any of those three categories.
My feature request is that the emails are more targeted to the situation and the recipient. I can see that would require Let's Encrypt to have some insight into the user's level of expertise and number of certificates they need as well as knowing if a certificate had been deleted by a user and / or was not in use by a user.
...and you have to be aware that there's no possible way for Let's Encrypt to have that insight.
It seems there's a lot of confusion surrounding the expiration notices, but I'm frankly confused about the confusion. It's really quite simple: at some time, you issued a cert for a set of FQDNs (let's call them a.foo.bar, b.foo.bar, and c.foo.bar), that cert is getting close to expiration, and you haven't renewed it. That's all the notice means. The question is why that cert wasn't renewed, and there are several possibilities, including:
You don't have an automatic renewal mechanism set up, and rely on those reminders to tell you when to renew
Your automatic renewal mechanism isn't working properly for some reason
You've replaced the cert in question with one that covers additional FQDNs (e.g., a.foo.bar, b.foo.bar, c.foo.bar, and d.foo.bar)
You've replaced the cert in question with one that covers fewer FQDNs (e.g., a.foo.bar and b.foo.bar)
You've stopped using that cert altogether, whether or not you've deleted it.
The first two cases require some action on your part; the latter three do not. Which is relevant to your situation is something only you know, and indeed only you can know.
It seems there's a lot of confusion surrounding the expiration notices
I would have thought the most logical explanation for that is that the notices, or the issues they deal with (or both), are confusing.
It's really quite simple
It may be simple for you because you have spent a lot of time on the subject, for example dealing with feedback like mine, and perhaps have a natural talent for it. I personally have not found anything about Let's Encrypt / Certbot simple.
I am grateful for the help I have had on this forum because without it I would be in a very difficult situation and might have to abandon hosting my own websites on a server administered by myself.
One problem with writing useful documentation is that by the time you are qualified to do it you have probably forgotten what you found confusing when you started out.
I do think that article is more helpful than the first link currently in the email, which not only is dated 2016 but also is aimed at major users who probably already have a good knowledge of certificates.
If the email included the serial number of the certificate it might be useful as then, if it covers the same domain name as another certificate, the user would be able to check that it was not the certificate they are currently using for that domain.
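Added example (not part of any post in this thread, and not Let's Encrypt or Certbot code): a sketch of the triage discussed above, deciding for each soon-to-expire certificate whether it was renewed with the same name set, replaced by a certificate with a different name set, or leaves names uncovered. The inventory, serial placeholders and dates are constructed; names are compared literally, so wildcards are not expanded.

```python
from datetime import date, timedelta

def triage(certs, today, window_days=20):
    """Map serial -> (verdict, uncovered names) for certs expiring in the window."""
    horizon = today + timedelta(days=window_days)
    out = {}
    for c in certs:
        if not (today <= c["not_after"] <= horizon):
            continue
        # Certificates that outlive the one about to expire.
        later = [o for o in certs if o is not c and o["not_after"] > c["not_after"]]
        if any(o["names"] == c["names"] for o in later):
            # Identical name set reissued: this counts as a renewal.
            out[c["serial"]] = ("renewed", [])
            continue
        covered = set().union(*(o["names"] for o in later))
        missing = sorted(c["names"] - covered)
        # "superseded": every name lives on in a cert with a different name set.
        # "uncovered": some names have no later cert; only the owner knows
        # whether they were dropped on purpose or a renewal failed.
        out[c["serial"]] = ("uncovered" if missing else "superseded", missing)
    return out

def cert(serial, names, not_after):
    return {"serial": serial, "names": frozenset(names), "not_after": not_after}

# Constructed inventory using the thread's placeholder FQDNs.
TODAY = date(2024, 1, 1)
INVENTORY = [
    cert("OLD-1", ["a.foo.bar", "b.foo.bar", "c.foo.bar"], TODAY + timedelta(days=19)),
    cert("NEW-1", ["a.foo.bar", "b.foo.bar", "c.foo.bar", "d.foo.bar"],
         TODAY + timedelta(days=56)),
    cert("OLD-2", ["x.foo.bar", "y.foo.bar"], TODAY + timedelta(days=14)),
    cert("NEW-2", ["x.foo.bar"], TODAY + timedelta(days=60)),
    cert("OLD-3", ["z.foo.bar"], TODAY + timedelta(days=9)),
    cert("NEW-3", ["z.foo.bar"], TODAY + timedelta(days=69)),
]

if __name__ == "__main__":
    for serial, (verdict, missing) in triage(INVENTORY, TODAY).items():
        print(serial, verdict, ", ".join(missing))
```
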