Received email about certificate expiration

I received the email below. I lists my domain names.
But I don't think the email is correct. F.e. one of the domain names is liefseva.nl. When I check the certificate myself, then I see that it does not expire tomorrow (see screenshot below).

So what is wrong? I never received these emails from let's encrypt before.

Hello,

Your certificate (or certificates) for the names listed below will expire in 0 days (on 24 Nov 21 05:43 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

Your certificate history shows that you used to have one certificate that covered both liefseva.nl and www.liefseva.nl, but now have two separate certificates from Let's Encrypt, one for each of the names. Also, you now have certificates from ZeroSSL, and your screenshot above shows that that's the one you're actually using.

So, that's why you got the email: Your certificate covering both names is expiring, and (as the email says in it, after the portion you quoted) if you add or remove names that's a "different" certificate so you're getting expiration notices for the old one. If you're confident that your server is now sending the right certificates, then the reminder can be safely ignored. It is a little weird to be using both ZeroSSL and Let's Encrypt, though, so you may want to ensure that your systems are doing what you expect.

Some other resources that might help:

3 Likes

Ah! Well then caddy and traefik both implement different ways-of-working here. Because I recently switched from Traefik to Caddy as my reverse proxy.

Furthermore, even if the names are exactly the same: If the CA has been changed (from LE to ZeroSSL) then you will be receiving emails from LE for all the LE certs as those begin to expire.

Probably just that all new acme.sh installs now default to ZeroSSL.
[that can be set to use LE if you like]

3 Likes

Maybe a stupid question, but which one is better? (just home-server user here)

Well, "better" based on what criteria? They're both equally trusted in major browsers and such. Let's Encrypt is run by a non-profit, whereas ZeroSSL isn't and is probably hoping that you end up eventually using one of their paid offerings. Let's Encrypt is primarily a service targeted at automated systems directly (by which I mean, the only access is through the ACME API and there's no web interface or built-in monitoring or whatnot, with the only support being this community forum), whereas ZeroSSL is designed to be a bit more user-friendly for people looking for a more traditional CA experience (meaning that they have a web console and offer more direct support & sales offerings). But I wouldn't say any one of those is inherently better than the other (though others here might).

5 Likes

If you are only serving new(er) clients then I'd say both are equally trusted and would work equally.
If you have a very wide range of clients (new, old, and very old), then you might want to use ZeroSSL.
[which could be simpler to deal with such a scenario (for the time being)]

2 Likes

As an aside, the website help.zerossl.com uses certificates from Let's Encrypt (I kid not)

Certificate chain
 0 s:/CN=help.invoicely.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

SANs:
help.eversign.com
help.invoicely.com
help.zerossl.com
5 Likes