Notifications for abandoned certificates

When i replace a certificate for “domain www.domain” by a certificate for “domain www.domain sub.domain”, i will still get reminder e-mails to renew the old one. Until it’s really expired the emails are getting more and more frequent.

There is a unsubscribe link, but i guess this unsubscribes for all e-mails not just for this certificate?

That's correct. Let's Encrypt does not necessarily know your intention when you add or remove subdomains, so it cannot be certain which of the certificates is currently in use and which was replaced. As a result, the expiration mailer is erring on the side of caution and will send out a notification for each separate combination of domains that has appeared on one of your certificates. Once the certificate has expired, you will stop receiving notifications.

That's correct. It's possible that Let's Encrypt might add an option to mute notifications for certain certificates in the future, but there are no definite plans for that at the moment (as far as I'm aware of).

Maybe you could add a --extend --replace option, to tell LE that the extended certificate will replace the old one.

@allo, it would need a new ACME protocol feature – we don’t have a straightforward way to tell the CA arbitrary things. But I agree that this could be pretty useful.

This is a minor annoyance for me as well. I wonder, if I explicitly revoke the old version of the cert, will that prevent the notifications? I’m reluctant to experiment with this because what if it revokes the wrong cert. But I do see a revoke command in certbot.

You use revoke --cert-path anyway, so you can point it at live/correctdomain/cert.pem and are almost sure it’s the right certificate. Possibly the right way to do it anyway? On the other hand, the old certificate isn’t insecure and you may even revert to it.
And possibly some users copy the certs to other servers (i.e. dedicated mail server) and revoking the old cert immediately would break the mailserver until the next time the copy script is running.

So revoking may be okay as simple solution, but a --replace action needs to take care if revocation is wanted.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.