Received first expiration notice 2.5h in advance

Hi, this is more of an FYI / bug report. I received the first expiration notice a tad late:

Your certificate (or certificates) for the names listed below will expire in 0 days (on 15 Sep 21 09:36 +0000).

Snippet from the raw mail:

...
Received: from mail145-12.atl61.mandrillapp.com (mail145-12.atl61.mandrillapp.com [198.2.145.12])
by medusa.psb.ugent.be with ESMTP id 18F4vklS008078-18F4vklU008078
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <...>; Wed, 15 Sep 2021 06:57:47 +0200
...
Received: from pmta06.mandrill.prod.atl01.rsglab.com (localhost [127.0.0.1])
by mail145-12.atl61.mandrillapp.com (Mailchimp) with ESMTP id 4H8SdP3tJ3z5Ql0r1
for <...>; Wed, 15 Sep 2021 04:57:45 +0000 (GMT)

My domain is: orcae.psb.ugent.be. I was using certbot, but due to a bug in my ansible playbook it was no longer deployed.

4 Likes

Yeah I had the same thing three days ago, but forgot to bring this up here:

A while ago, I replaced a certificate with a different one (forgot one name initially, then added it later) and I only received one expiry email which was for the ~1 day remainder, stating:

[...] Your certificate (or certificates) for the names listed below will expire in 0 days (on 12 Sep 21 17:03 +0000). [...]

[Email Date header stated the email was sent on Sun, 12 Sep 2021 08:03:02 +0000, received about two seconds later]

The email for twenty days and ten days was never received on my end. I double checked all logs, all mailservers were fully operational and no related email was blocked.

We also had another report recently, suggesting that they had similar behaviour.

It does look like something weird is going on with the expiry mailer.

2 Likes

I can confirm this, I too received an expiry e-mail this Tuesday with just a few hours left on the clock.

@lestaff Could you please take a look at this? Seems legit.

3 Likes

Hmm. I don't know as it's particularly helpful for me to bring it up, but if you want another data point: When I've gotten reminder emails (for when I've added/removed names or no longer needed a server name), I've only ever (that I can still find in my inbox at least) received a 20-day and a 10-day reminder, but no 1- or 0-day reminders. My most recent (production) emails were from February, though, so perhaps things have changed since then.

It doesn't look like I've ever had a 1- or 0-day reminder from the staging environment, either (most recently I got a 20- and 10-day reminder in July), but it's possible that the staging environment is intentionally configured differently so I don't know as that's a useful thing to look at.

2 Likes

Looking at some recent staging expiry e-mails it seems it sends just a single mail with varying days until expiry.

3 Likes

It's also worth checking your own email system's spam-filtering policy. Many services auto-reject email from IPs which have been marked as spam, which is extremely common for services like Mandrill or SendGrid. The IPs are generally shared and eventually an IP will be reported for spam, which is then distributed to various email spam blockers, and your emails will be variously rejected.

LE probably see a significant percentage of emails rejected in this way, and all they can really do is wait for the IP to be moved out of production in the pool of Mandrill servers. They can pay for dedicated IPs, but each IP needs to be "warmed up" to not get blocked by default, and then of course someone can come along and report it as spam, and you're back to square one.

This is why some ACME clients (such as the one I develop) can report to a status reporting API, which in turn can also send notifications and log to a dashboard; you can also set webhooks etc. to call on failures. Likewise, certbot has post-validation hooks, but I don't know much about those.

The other method is to periodically check your renewals manually.

4 Likes
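The last post's advice is to check renewals yourself rather than depend on the expiry mailer. The script below is an added example, not code from any of the posters or from Let's Encrypt: it pulls the served leaf certificate from a host, works out the whole days left (the same floor-to-zero arithmetic that produces "expire in 0 days"), lists which of the 20/10/1-day reminder tiers mentioned in the thread would already be due, and computes the lead time between a notice's Received timestamp and the expiry it warns about, using the two timestamp formats quoted earlier in the thread. The hostnames passed on the command line are whatever you want to monitor; nothing here is specific to orcae.psb.ugent.be.

```python
"""Local certificate-expiry monitor (added example, not from the thread).

Run offline to test the date arithmetic, or as
    python check_expiry.py example.org another.example.net
to check live hosts (hostnames are yours to supply; none are assumed here).
"""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Reminder tiers described in the thread: 20, 10 and 1 day before expiry.
REMINDER_DAYS = (20, 10, 1)


def parse_not_after(not_after: str) -> datetime:
    """Turn the 'notAfter' string returned by getpeercert(), e.g.
    'Sep 15 09:36:00 2021 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_left(not_after: datetime, now: datetime) -> int:
    """Whole days remaining, rounded down (negative once expired). A
    certificate that expires later today reports 0 days, which is the
    wording seen in the late notices quoted above."""
    return int((not_after - now).total_seconds() // 86400)


def due_reminders(not_after: datetime, now: datetime) -> list:
    """Reminder tiers that should already have fired by 'now'."""
    left = days_left(not_after, now)
    return [d for d in REMINDER_DAYS if left <= d]


def lead_time(expiry_str: str, sent_header: str) -> timedelta:
    """How far ahead of expiry a notice was sent. 'expiry_str' uses the
    notice body format ('15 Sep 21 09:36 +0000'); 'sent_header' is the
    RFC 5322 date from the Date/Received header, trailing comments such
    as '(GMT)' included."""
    expiry = datetime.strptime(expiry_str, "%d %b %y %H:%M %z")
    sent = parsedate_to_datetime(sent_header)
    return expiry - sent


def check_host(host: str, port: int = 443, warn_days: int = 10, timeout: float = 5.0):
    """Connect, read the served leaf certificate and return (days_left, status).
    An already-expired or otherwise untrusted chain fails the handshake
    itself; that is reported as a status rather than ending the run."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = parse_not_after(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return None, f"expired-or-invalid ({exc.verify_message})"
    left = days_left(not_after, datetime.now(timezone.utc))
    return left, "ok" if left > warn_days else "renew-now"


if __name__ == "__main__":
    worst = 0
    for name in sys.argv[1:]:
        left, status = check_host(name)
        print(f"{name}: {status}" + (f", {left} days left" if left is not None else ""))
        if status != "ok":
            worst = 1
    sys.exit(worst)  # non-zero exit lets cron/systemd timers raise an alert
```

The exit status is the integration point: run it from a timer and alert on non-zero, so a broken deployment (as in the ansible case above) is noticed by you rather than by a mailer you do not control.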