Letsencrypt renewal information data

Hi Friends,
On 05/05/2019 22:39 I received an e-mail from Letsencrypt notifying me of the certificate expiration for domain 3x1t.org, but in the meantime certbot+cron has already renewed it.
I’ve seen a lot of posts about this issue, but excuse my difficulty in understanding: I would like to know if it is possible to customize this behaviour, maybe to receive these emails only if the renewal is not successful within the last 10/15 days of validity?

Also, could you suggest a trick to check on the fly if and when certbot+cron did the renewal correctly (for my heart… :stuck_out_tongue: )?

Thanks thanks!!

Davide

Hi @danjde

checking your active certificates there are a lot ( https://check-your-website.server-daten.de/?q=3x1t.org#ct-logs ):

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-10 10:02:47 | 2019-07-09 10:02:47 | 3x1t.org, autoconfig.3x1t.org, autodiscover.3x1t.org, converse.3x1t.org, lists.3x1t.org, mail.3x1t.org, server.3x1t.org, smtp.3x1t.org, upload.3x1t.org, upload.server.3x1t.org, www.3x1t.org, www.converse.3x1t.org (12 entries) | | |
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-06 07:15:48 | 2019-07-05 07:15:48 | 3x1t.org, autoconfig.server.3x1t.org, autodiscover.server.3x1t.org, converse.3x1t.org, lists.3x1t.org, mail.3x1t.org, server.3x1t.org, smtp.3x1t.org, upload.3x1t.org, upload.server.3x1t.org, www.3x1t.org, www.converse.3x1t.org (12 entries) | | |
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-03-26 20:12:33 | 2019-06-24 20:12:33 | 3x1t.org, autoconfig.server.3x1t.org, autodiscover.server.3x1t.org, lists.3x1t.org, mail.3x1t.org, server.3x1t.org, smtp.3x1t.org, upload.3x1t.org, upload.server.3x1t.org, www.3x1t.org (10 entries) | | |
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-03-08 20:23:38 | 2019-06-06 20:23:38 | 3x1t.org, autoconfig.3x1t.org, autodiscover.3x1t.org, conference.3x1t.org, conference.server.3x1t.org, lists.3x1t.org, mail.3x1t.org, server.3x1t.org, smtp.3x1t.org, www.3x1t.org (10 entries) | | |
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-03-08 19:52:35 | 2019-06-06 19:52:35 | 3x1t.org, autoconfig.server.3x1t.org, autodiscover.server.3x1t.org, conference.3x1t.org, conference.server.3x1t.org, lists.3x1t.org, mail.3x1t.org, server.3x1t.org, smtp.3x1t.org, www.3x1t.org (10 entries) | | |
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-03-01 10:12:10 | 2019-05-30 10:12:10 | 3x1t.org, conference.3x1t.org, conference.server.3x1t.org, lists.3x1t.org, mail.3x1t.org, server.3x1t.org, smtp.3x1t.org, www.3x1t.org (8 entries) | | |
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-02-24 20:36:59 | 2019-05-25 20:36:59 | 3x1t.org, conference.3x1t.org, conference.server.3x1t.org, lists.3x1t.org, server.3x1t.org, www.3x1t.org (6 entries) | | |
| CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-02-16 15:59:51 | 2019-05-17 15:59:51 | 3x1t.org, conference.3x1t.org, conference.server.3x1t.org, server.3x1t.org, www.3x1t.org (5 entries) | | |

12 entries, 10 entries, 8 entries etc.

Letsencrypt doesn't know which certificate you use.

If a certificate isn't renewed (newer certificate with the same set of domain names), a mail is sent.

So if you change the set of domain names -> you will have a mail.

2 Likes
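The rule described in the reply above (a certificate counts as renewed only if a newer certificate with exactly the same set of names exists), applied to the certificates in the table. This is an added example, not part of the original posts and not Let's Encrypt's code; the function names and the `window_days` parameter are assumptions for illustration, and times of day are dropped.

```python
from datetime import date

BASE = "3x1t.org"

def names(labels):
    """Expand short labels ('@' = apex) into a frozenset of full host names."""
    return frozenset(BASE if l == "@" else f"{l}.{BASE}" for l in labels.split())

# (not_before, not_after, name set), transcribed from the CT-log table in the thread.
CERTS = [
    (date(2019, 4, 10), date(2019, 7, 9), names("@ autoconfig autodiscover converse lists mail server smtp upload upload.server www www.converse")),
    (date(2019, 4, 6), date(2019, 7, 5), names("@ autoconfig.server autodiscover.server converse lists mail server smtp upload upload.server www www.converse")),
    (date(2019, 3, 26), date(2019, 6, 24), names("@ autoconfig.server autodiscover.server lists mail server smtp upload upload.server www")),
    (date(2019, 3, 8), date(2019, 6, 6), names("@ autoconfig autodiscover conference conference.server lists mail server smtp www")),
    (date(2019, 3, 8), date(2019, 6, 6), names("@ autoconfig.server autodiscover.server conference conference.server lists mail server smtp www")),
    (date(2019, 3, 1), date(2019, 5, 30), names("@ conference conference.server lists mail server smtp www")),
    (date(2019, 2, 24), date(2019, 5, 25), names("@ conference conference.server lists server www")),
    (date(2019, 2, 16), date(2019, 5, 17), names("@ conference conference.server server www")),
]

def unrenewed(certs):
    """Certificates with no later-issued certificate for exactly the same name set."""
    return [
        (nb, na, ns) for nb, na, ns in certs
        if not any(ns2 == ns and nb2 > nb for nb2, _, ns2 in certs)
    ]

def expiring_unrenewed(certs, today, window_days):
    """Expiry dates of unrenewed certificates that fall within window_days of today.
    window_days is an assumed parameter, not the CA's actual reminder schedule."""
    return sorted(
        na for _, na, _ in unrenewed(certs)
        if 0 <= (na - today).days <= window_days
    )

if __name__ == "__main__":
    print(len(unrenewed(CERTS)), "of", len(CERTS), "certificates have no same-set successor")
    print(expiring_unrenewed(CERTS, date(2019, 5, 5), 14))
```

Every name set in the table is different, so from the CA's side none of the eight certificates has been renewed, even though the server is only using the newest one.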

Thanks JuergenAuer for your kind explanation!
Now it’s clearer to me :stuck_out_tongue_winking_eye:
Anyway, in general, perhaps the email warning should be disabled for the first year, since several changes are made, at least in my case…

Thanks again!

Davide

1 Like

Sorry if I return to the subject, but there are two things I would like to understand better:

  1. Is it correct that I have these active certificates, or should I revoke the obsolete ones (which became obsolete as a result of the addition of domains)?
  2. Is the way I add domains correct, or should I run a different command that somehow avoids generating a new certificate every time?

Thanks again!

Davide

The only reason for you to revoke a certificate is if you believe the private key has been compromised.

Once created, certificates are immutable. Thus, the only way to "change" them (add or remove domains, etc.) is to generate a new cert.

You can delete these no longer used certificates.

```
certbot certificates
```

then

```
certbot delete --cert-name [certificatename]
```

Well, but if I run

```
certbot certificates
```

I obtain only one certificate, and not all those listed by "check-your-website.server-daten.de".
Is this right?

Thanks again!

Davide

Your certificates

3x1t.org, autoconfig.3x1t.org, autodiscover.3x1t.org, 
converse.3x1t.org, lists.3x1t.org, mail.3x1t.org, 
server.3x1t.org, smtp.3x1t.org, upload.3x1t.org, 
upload.server.3x1t.org, www.3x1t.org, www.converse.3x1t.org
12 entries 

look like they were not created manually. Looks like a control-panel generated certificate.

If you see only one certificate, then it's ok. Older ones may be in the archive folder, or --expand or something else was used.

This certificate (with 12 entries) was created automatically by my own cron daemon, using the following code:

```
certbot certonly --cert-name server.3x1t.org \
  --webroot -w /var/www/letsencrypt \
  --email 3x1t@3x1t.org \
  --deploy-hook /usr/local/bin/certbot-deploy-hook \
  --expand \
  -d server.3x1t.org -d 3x1t.org -d www.3x1t.org \
  -d lists.3x1t.org -d smtp.3x1t.org -d mail.3x1t.org \
  -d autodiscover.server.3x1t.org -d autoconfig.server.3x1t.org \
  -d upload.server.3x1t.org -d upload.3x1t.org \
  -d www.converse.3x1t.org -d converse.3x1t.org \
  -d _xmpp-server._tcp.conference.3x1t.org \
  -d _xmpp-server._tcp.conference.3x1t.org \
  -d _xmpp-server._tcp.conference.server.3x1t.org \
  -d _xmpp-server._tcp.conference.server.3x1t.org
```

Yes, but why does the Letsencrypt email reminder send me expiry notifications about certificates that I cannot see using "certbot certificates"?
And eventually, can I "purge" the Letsencrypt email reminder for those obsolete certificates (that I cannot see)?

Many thanks again!! :slight_smile:

Davide

That's simple. You use the --expand parameter, so Certbot overrides the existing configuration.

But Letsencrypt doesn't know what your client is doing.
