Let's Encrypt certificate expiration notice


#1

According to @jsha in Expiration Emails (Too Many, Unnecessary, etc.), I should start a thread when I receive an email which isn’t supposed to arrive.

I just received an email saying my certificate for domain mygroup.travel is about to expire, in 19 days. However, when I check with SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=mygroup.travel) it still has well over 2 months before the certificate isn’t valid anymore.

Thanks for taking a look.


#2

I think it’s fixed for certificates issued after March 17th, but there’s an open ops issue to make it work for older certificates as well. At least that’s what I got from this post:


#3

Yep, @pfg is correct. We need to do a backfill of the FQDNSets table, which will get us the behavior we want both for rate limiting and for renewal emails. Sorry that’s taken longer than I expected. I spoke too soon on the other thread about when the renewal email fixes should take effect.


#4

The backfill of the FQDNSets table is now done (since Thursday April 12) and you shouldn’t be getting expiration notices for certificates you’ve renewed.


#5

Looks like it’s still having issues - got this yesterday - for a domain that has been renewed already…

Your certificate (or certificates) for the names listed below will expire in 0 days (on 23 May 16 06:38 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

roojs.com
www.roojs.com


#6

crt.sh shows a number of non-expired certificates for that domain. However, they are not a perfect match - there’s an additional domain (master.roojs.com) on those certificates. Let’s Encrypt only looks at certificates with the exact same set of domain names when determining the expiration date.


#7

Yes, it looks like when I initially set this up, I only did it for 2 domains, but when I finished I decided on using the same certificate for 3 domains.

So I initially created a certificate for
roojs.com www.roojs.com

Then later on changed it to
roojs.com www.roojs.com master.roojs.com

I would agree with you, trying to handle this or similar situations is a bit of a can of worms, so probably not worth changing anything (the only result of it is that I get an extra email once… - not really an issue).

It may be worth adding some notes to the automated email

  • Getting this email, but have already renewed? Let’s Encrypt tracks sets of domains; if you subsequently created a certificate with a different set of domains, then just ignore this message.
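
Added example (not part of the original thread, and not Let's Encrypt's code): a simplified model of the exact-set matching described in post #6, applied to the two roojs.com name sets from post #7. The 20-day notice window, the `example.org` entries and every date except the 23 May 2016 06:38 expiry quoted in post #5 are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def name_set(names):
    """Order- and case-insensitive key for a certificate's domain names."""
    return frozenset(n.lower().rstrip(".") for n in names)

def pending_notices(certs, now, window=timedelta(days=20)):
    """Return {name_set: latest_expiry} for sets whose newest certificate
    expires within `window`. A later certificate suppresses the notice
    only when its name set is exactly the same."""
    latest = {}
    for names, not_after in certs:
        key = name_set(names)
        if key not in latest or not_after > latest[key]:
            latest[key] = not_after
    return {k: exp for k, exp in latest.items() if now <= exp <= now + window}

def covered_elsewhere(key, certs, now):
    """True if a single unexpired certificate with a strictly larger name
    set carries every name in `key`, i.e. the notice can be ignored."""
    return any(key < name_set(names) and not_after > now
               for names, not_after in certs)

UTC = timezone.utc
NOW = datetime(2016, 5, 22, 12, 0, tzinfo=UTC)  # constructed "today"
SAMPLE_CERTS = [  # constructed inventory: (names, notAfter)
    # Original two-name certificate; expiry taken from the email in post #5.
    (["roojs.com", "www.roojs.com"], datetime(2016, 5, 23, 6, 38, tzinfo=UTC)),
    # Later three-name certificate: a different set, so it is not a renewal.
    (["roojs.com", "www.roojs.com", "master.roojs.com"],
     datetime(2016, 7, 20, 0, 0, tzinfo=UTC)),
    # Same-set renewal: the newer certificate suppresses the notice.
    (["example.org"], datetime(2016, 5, 25, 0, 0, tzinfo=UTC)),
    (["EXAMPLE.org"], datetime(2016, 8, 1, 0, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for key, expiry in pending_notices(SAMPLE_CERTS, NOW).items():
        status = "covered by a larger certificate" if covered_elsewhere(
            key, SAMPLE_CERTS, NOW) else "needs renewal"
        print(sorted(key), expiry.isoformat(), status)
```

Running the same check against your own certificate inventory separates notices that need action from ones caused by a changed name set.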