Notice Cert expires - but it is wrong!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jhsd.ca (and 9 sub domains)

I ran this command: Not applicable

It produced this output:

My web server is (include version): Apache

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes but not applicable

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): We use "Certify The Web" version 6.0.15.0 (which is the latest version).

I just got an e-mail from Lets Encrypt notification claiming our SSL cert expires in 6 days.

When I go to our website, our certificate details show it is good until June 19 2024 (and last auto-renewed on March 21st).

Why is the system sending me an incorrect status about our SSL cert?

Because you did get certs with 10 domain names in it but now your cert only has 9. Let's Encrypt cannot tell that you replaced the older cert so is warning you.

See your cert history with a tool like below. You'll see you used to include a mail subdomain but no longer do.

https://tools.letsdebug.net/cert-search?m=domain&q=jhsd.ca&d=4320

4 Likes

Hi Mike,

Thank you for the quick reply. So will it keep making this false warning from now on? Or will it somehow catch itself up to realize things are ok ? Because that mail domain was removed 2 renewals ago, not just before this March renewal.

1 Like

It shows 2 warnings for such expiring certs. One at 20 days and the last at 7 days before expiry.

To be clear, it is not a false warning. You have a cert containing 10 names that is soon to expire (this one). From LE"s perspective that may be a problem so it sends a friendly warning. Only you can possibly know if that cert is no longer needed.

I think if you read the topic below and then also re-read the email the reasons for this should be clearer.

3 Likes

Hi,

Thank you again for the quick reply. Your link to the CRT page about the certificate.. I am having trouble interpreting what I am looking at there. You say it has 2 warnings for expiring certificates. But when I look at that page I am not seeing something that says there is a warning.

So, are you saying that because the "mail" domain name was removed, LE thinks that 1 domain is at risk of having an expired cert, even though it no longer exists on our cert now?

And this is still the case even though "mail" was removed from our cert in January, and renewals took place both Feb 20th and March 21st without that domain on the Cert?

1 Like

No. it has nothing to do with that single domain name. The warning is about the cert that was issued in Jan and is soon to expire.

It was not "removed" from your earlier cert. The cert issued in Jan still exists. It is not possible for Let's Encrypt to know if you are using that cert somewhere. Only you would know that.

You may have reconfigured your system to no longer need it but the cert still exists. Let's Encrypt saw you issue another cert later with a different set of names. Per the doc link I already provided that looks like a new cert to LE not a replacement.

Again, a "renewal" for this purpose is only when you issue a new cert with the exact same set of domain names in it. Different names means a different cert.

Can you explain what is not clear in the Let's Encrypt doc page I linked which says

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate.

3 Likes

I agree fully with Mike here: there's nothing "wrong" or "false warning" (well, not from Let's Encrypts perspective anyway) here.

The certificate in question has a different set of hostnames compared to the other two certificates after it. Thus Let's Encrypt sends an expiry email accordingly.

If you don't require the exact set of hostnames from the certificate which is about to expire any longer, you can safely ignore the email(s).

1 Like

It can sometimes help to think of a TLS/SSL certificate at any given time like you might an automobile registration or license. When you apply for one of those, you supply certain information to the issuing authority/agency who then issues your document accordingly. When you submit for a renewal, you might need to update some information. In the case of a TLS/SSL certificate, the identity associated with the certificate isn't the common name (CN) as many might think, but the set of domain names called the subject alternative names (SANs). Being a set, the order of the domain names submitted to comprise the SANs is irrelevant, but the domain names actually included in the set are absolutely relevant. Adding or removing a domain name from the set of SANs at renewal is like adding or removing part of one's name from an automobile operator's license at renewal. The issuing authority/agency needs to change the legal identity/name in the document/certificate and thus can treat the renewed document/certificate as a completely different record going forward. This applies even more so to certificates since a "renewed certificate" is nothing more than a new certificate that happens to have the same SANs as an existing certificate, regardless of any differences between the orders of the SANs on the renewed and existing certificate. Expiration notifications or the suppression of them is purely a convenience based on whether a "renewed certificate" happens to have been issued for an existing certificate.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.