Phishing attack? Let's Encrypt certificate expiration notice for domain ""

Let's Encrypt Help:

I have a VPS running the Ubiquiti Networks UniFi Control Panel. It uses a Let's Encrypt certificate.

I recently received the following e-mail:

-------- Forwarded Message --------
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
X-Spam-Level: X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,URIBL_GREY autolearn=no autolearn_force=no version=3.4.2
Authentication-Results:; dkim=pass (no signature error) header.s=mandrill header.b=ARfGLw8Y; dkim=pass (no signature error) header.s=mandrill header.b=SYTMw6HB; spf=pass ( domain of designates as permitted sender); dmarc=none (Policy up to you. No DMARC record found)
X-DMARC-Results: none
X-SPF-Results: pass
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;;;
X-DKIM-Results: pass
X-DKIM-Results: pass
Received: from ( []) by with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384:TLSv1.2:Kx=ECDH:Au=RSA:Enc=AESGCM(256):Mac=AEAD) for; Thu, 1 Oct 2020 20:39:06 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mandrill;; h=From:Subject:Message-Id:List-Unsubscribe:To:Date:MIME-Version:Content-Type:Content-Transfer-Encoding;; bh=OJMYZ+hO1sybk9fh9TMkEvKNw+i5rKs/AiuuvQn9hKg=; b=ARfGLw8YQPU5um/zbtQiyUWe1HFRfK5WLY73yv8hTpoWfe1M42MgherUE8cN1PjnEhUcOt2jSKdB tRxYRD8cZFGyvkDJZG9ddeqdI4FHGFUNjROLQ8/G1tFQCsx5vzGwZmpeVKjI+RBhfEqAOwC/5T1H GIYnR+OmE2I0qJm4Mn0=
Received: from ( by id heqgdk174bkh for; Fri, 2 Oct 2020 03:39:05 +0000 (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=mandrill; t=1601609945; h=From : Subject : Message-Id : List-Unsubscribe : To : Date : MIME-Version : Content-Type : Content-Transfer-Encoding : From : Subject : Date : X-Mandrill-User : List-Unsubscribe; bh=OJMYZ+hO1sybk9fh9TMkEvKNw+i5rKs/AiuuvQn9hKg=; b=SYTMw6HBBe+fy7QTwQYfMx8xhkOvmWPGESpN64wlB03o1n41HgMiL0d35Ej/N+N+nI953s Ke+wSGYPRLeMjBLvTC6u1lK7GRfLexRX42azdZLNB8Fr/itViDbuAIe74HvLKTZFSa9hFqhH KKAZdoTsHdHz+alYrnVNKUt/bRack=
From: Let's Encrypt Expiry Bot
Subject: Let's Encrypt certificate expiration notice for domain ""
Received: from [] by id 1ea4a4c0bd9a4344b1af975c94e32592; Fri, 02 Oct 2020 03:39:05 +0000
X-Report-Abuse: Please forward a copy of this message, including all headers, to
X-Report-Abuse: You can also report abuse here:
X-Mandrill-User: md_30850198
Date: Fri, 02 Oct 2020 03:39:05 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


Your certificate (or certificates) for the names listed below will expire in 20 days (on 22 Oct 20 03:42 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See for details.

For any questions or support, please visit Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at

The Let's Encrypt Team

When I log into the server and check the certificate:

2020-10-24 18:02:27 root@unifi ~

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Expiry Date: 2021-01-01 23:45:58+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/


1 The certfiicate expiration date in the e-mail and the certificate expiration date on the server do not match.

  1. The "unsubscribe" link URL in the e-mail message is not

Is the e-mail a phishing attack?


1 Like

Welcome to the Let's Encrypt Community, David :slightly_smiling_face:

Your expiration email appears to be legitimate to me.

You have an old certificate expiring October 22.
You have a new certificate expiring January 1.

You received an expiration email because your certificate was renewed within 20 days of expiration.

If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Let's Encrypt uses Mandrill.

Our email provider, Mandrill, has a manual mechanism that we still need to automate.

Nope. :slightly_smiling_face:


Thank you for checking, and for providing an explanation with citations.



The e-mail was sent before the renewal, so yes, it's correct.


The message sat in my Junk folder for ~3 weeks and I renewed during that
time. So, my bad -- I confused myself. :-/


1 Like

Never too old to learn new stuff!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.