Phishing attack? Let's Encrypt certificate expiration notice for domain "unifi.holgerdanske.com"

Let's Encrypt Help:

I have a VPS running the Ubiquiti Networks UniFi Control Panel. It uses a Let's Encrypt certificate.

I recently received the following e-mail:

-------- Forwarded Message --------
Return-Path: bounce-md_30850198.5f76a0d9.v1-1ea4a4c0bd9a4344b1af975c94e32592@mandrillapp.com
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on november.he.net
X-Spam-Level:
X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,URIBL_GREY autolearn=no autolearn_force=no version=3.4.2
Authentication-Results: holgerdanske.com; dkim=pass (no signature error) header.i=@letsencrypt.org header.s=mandrill header.b=ARfGLw8Y; dkim=pass (no signature error) header.i=@mandrillapp.com header.s=mandrill header.b=SYTMw6HB; spf=pass (holgerdanske.com: domain of mandrillapp.com designates 198.2.186.21 as permitted sender) smtp.mailfrom=bounce-md_30850198.5f76a0d9.v1-1ea4a4c0bd9a4344b1af975c94e32592@mandrillapp.com smtp.helo=mail186-21.suw21.mandrillapp.com; dmarc=none (Policy up to you. No DMARC record found) header.from=letsencrypt.org
X-DMARC-Results: none
X-SPF-Results: pass
Received-SPF: pass (holgerdanske.com: domain of mandrillapp.com designates 198.2.186.21 as permitted sender) client-ip=198.2.186.21; envelope-from=bounce-md_30850198.5f76a0d9.v1-1ea4a4c0bd9a4344b1af975c94e32592@mandrillapp.com; helo=mail186-21.suw21.mandrillapp.com;
X-DKIM-Results: pass
X-DKIM-Results: pass
Received: from mail186-21.suw21.mandrillapp.com (mail186-21.suw21.mandrillapp.com [198.2.186.21]) by holgerdanske.com with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384:TLSv1.2:Kx=ECDH:Au=RSA:Enc=AESGCM(256):Mac=AEAD) for dpchrist@holgerdanske.com; Thu, 1 Oct 2020 20:39:06 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mandrill; d=letsencrypt.org; h=From:Subject:Message-Id:List-Unsubscribe:To:Date:MIME-Version:Content-Type:Content-Transfer-Encoding; i=expiry@letsencrypt.org; bh=OJMYZ+hO1sybk9fh9TMkEvKNw+i5rKs/AiuuvQn9hKg=; b=ARfGLw8YQPU5um/zbtQiyUWe1HFRfK5WLY73yv8hTpoWfe1M42MgherUE8cN1PjnEhUcOt2jSKdB tRxYRD8cZFGyvkDJZG9ddeqdI4FHGFUNjROLQ8/G1tFQCsx5vzGwZmpeVKjI+RBhfEqAOwC/5T1H GIYnR+OmE2I0qJm4Mn0=
Received: from pmta02.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail186-21.suw21.mandrillapp.com id heqgdk174bkh for dpchrist@holgerdanske.com; Fri, 2 Oct 2020 03:39:05 +0000 (envelope-from bounce-md_30850198.5f76a0d9.v1-1ea4a4c0bd9a4344b1af975c94e32592@mandrillapp.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1601609945; h=From : Subject : Message-Id : List-Unsubscribe : To : Date : MIME-Version : Content-Type : Content-Transfer-Encoding : From : Subject : Date : X-Mandrill-User : List-Unsubscribe; bh=OJMYZ+hO1sybk9fh9TMkEvKNw+i5rKs/AiuuvQn9hKg=; b=SYTMw6HBBe+fy7QTwQYfMx8xhkOvmWPGESpN64wlB03o1n41HgMiL0d35Ej/N+N+nI953s Ke+wSGYPRLeMjBLvTC6u1lK7GRfLexRX42azdZLNB8Fr/itViDbuAIe74HvLKTZFSa9hFqhH KKAZdoTsHdHz+alYrnVNKUt/bRack=
From: Let's Encrypt Expiry Bot expiry@letsencrypt.org
Subject: Let's Encrypt certificate expiration notice for domain "unifi.holgerdanske.com"
Return-Path: bounce-md_30850198.5f76a0d9.v1-1ea4a4c0bd9a4344b1af975c94e32592@mandrillapp.com
Received: from [66.133.109.36] by mandrillapp.com id 1ea4a4c0bd9a4344b1af975c94e32592; Fri, 02 Oct 2020 03:39:05 +0000
Message-Id: 20201002T033905.4029604641624973401.expiry@letsencrypt.org
List-Unsubscribe: mailto:unsubscribe-md_30850198.5f76a0d9.v1-1ea4a4c0bd9a4344b1af975c94e32592@mailin1.us2.mcsv.net?subject=unsub
To: dpchrist@holgerdanske.com
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30850198.1ea4a4c0bd9a4344b1af975c94e32592
X-Mandrill-User: md_30850198
Date: Fri, 02 Oct 2020 03:39:05 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 22 Oct 20 03:42 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

unifi.holgerdanske.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=30850198&id=1ea4a4c0bd9a4344b1af975c94e32592.x6WqZlHaPq36WlsYUDSYql9Vj5w%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dd%2A%2A%2A%2A%40h%2A%2A%2A%2A.%2A%2A%2A

Regards,
The Let's Encrypt Team

When I log into the server and check the certificate:

2020-10-24 18:02:27 root@unifi ~

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: unifi.holgerdanske.com
Domains: unifi.holgerdanske.com
Expiry Date: 2021-01-01 23:45:58+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/unifi.holgerdanske.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/unifi.holgerdanske.com/privkey.pem


Note:

1. The certificate expiration date in the e-mail and the certificate expiration date on the server do not match.

2. The "unsubscribe" link URL in the e-mail message is not letsencrypt.org.

Is the e-mail a phishing attack?

David

1 Like

Welcome to the Let's Encrypt Community, David :slightly_smiling_face:

Your expiration email appears to be legitimate to me.


You have an old certificate expiring October 22.
You have a new certificate expiring January 1.

You received an expiration email because your certificate was renewed within 20 days of expiration.

If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.


Let's Encrypt uses Mandrill.

Our email provider, Mandrill, has a manual mechanism that we still need to automate.


Nope. :slightly_smiling_face:

2 Likes
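The forwarded headers can also be checked mechanically. This sketch is an added example, not part of the original thread: it parses the message's Authentication-Results value and reports which passing DKIM or SPF identities align with the From: domain. The function names, the shortened bounce address and the simplified alignment rule are assumptions made for the example.

```python
import re

# Authentication-Results value from the forwarded message; the b= tags are
# dropped and the bounce address is shortened (constructed) for readability.
AUTH_RESULTS = (
    "holgerdanske.com; "
    "dkim=pass (no signature error) header.i=@letsencrypt.org header.s=mandrill; "
    "dkim=pass (no signature error) header.i=@mandrillapp.com header.s=mandrill; "
    "spf=pass (holgerdanske.com: domain of mandrillapp.com designates 198.2.186.21 "
    "as permitted sender) smtp.mailfrom=bounce-md_EXAMPLE@mandrillapp.com; "
    "dmarc=none (Policy up to you. No DMARC record found) header.from=letsencrypt.org"
)

def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, [result, ...])."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return parts[0].lower(), results

def aligned(domain, from_domain):
    # Approximation of relaxed alignment: same domain or a subdomain of it.
    # A full DMARC check compares organizational domains (Public Suffix List).
    return domain == from_domain or domain.endswith("." + from_domain)

def assess(value, my_authserv_id):
    """Report which passing DKIM/SPF identities align with the From: domain."""
    authserv_id, results = parse_auth_results(value)
    if authserv_id != my_authserv_id.lower():
        return {"verdict": "header-not-from-my-mta"}  # header may be forged
    from_domain = next((p["header.from"].lower() for m, _, p in results
                        if m == "dmarc" and "header.from" in p), None)
    dkim, spf = [], []
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dkim":
            ident = props.get("header.d") or props.get("header.i", "")
            dkim.append(ident.rpartition("@")[2].lower())
        elif method == "spf":
            spf.append(props.get("smtp.mailfrom", "").rpartition("@")[2].lower())
    ok_dkim = [d for d in dkim if from_domain and aligned(d, from_domain)]
    ok_spf = [d for d in spf if from_domain and aligned(d, from_domain)]
    verdict = "from-domain-authenticated" if ok_dkim or ok_spf else "no-aligned-pass"
    return {"from": from_domain, "dkim": ok_dkim, "spf": ok_spf, "verdict": verdict}
```

For this message the SPF pass belongs to mandrillapp.com and does not align, while the DKIM signature for letsencrypt.org does; the result is only meaningful when the header was written by the receiving server named in `my_authserv_id`.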

Thank you for checking, and for providing an explanation with citations.

David

2 Likes

The e-mail was sent before the renewal, so yes, it's correct.

2 Likes

The message sat in my Junk folder for ~3 weeks and I renewed during that
time. So, my bad -- I confused myself. :-/

David

1 Like

Never too old to learn new stuff!

1 Like