I think I asked a similar question to this before, but I can't find a way of searching my own posts. Anyway, I therefore need to ask again.
I received an email saying:
Hello,
Your certificate (or certificates) for the names listed below will expire in 19 days (on 05 Aug 22 21:40 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.
Then a lot of domains are listed. Now bitcoinhelp.uk was indeed expired about 2 years ago, but the rest have been recently renewed. As far as I can determine with
https://www.ssllabs.com/ssltest/analyze.html?d=dhars.org.uk
the domain dhars.org.uk does not expire for 1 month and 10 days. So why am I getting emails saying it is about to expire? I have not checked them all, but of those I have checked, with the exception of bitcoinhelp.uk, nothing is due to expire soon.
|Valid from |Sun, 29 May 2022 11:03:10 UTC|
|Valid until |Sat, 27 Aug 2022 11:03:09 UTC (expires in 1 month and 10 days)|
bitcoinhelp.uk
dhars.org.uk
g8wrb.co.uk
kirbymicrowave.co.uk
kirkbymicrowave.co.uk
kirkbymicrowave.com
www.bitcoinhelp.uk
www.dhars.org.uk
www.g8wrb.co.uk
www.kirbymicrowave.co.uk
www.kirkbymicrowave.co.uk
www.kirkbymicrowave.com
1 Like
Rip
July 17, 2022, 2:14am
2
I have looked at your sites. Your certs are good to go. Is it possible that you have added or removed a domain from your cert? This could relate to the email you received. The system doesn't know if you make a change; it only remembers what you requested the last time you renewed. So if your domains are current and your certs are fresh, you might not have to worry about the email.
Hope this helps
7 Likes
Try clicking your name at the top of one of your posts in this thread. Then click your name again on the pop-up that appears. View the Activity tab for all your activity. Also, the Search has an advanced option you can limit to certain posters.
I agree with rip, it looks like all your domains are sending out certs for just their own domain name. You used to get a cert with many names combined. It is this combined cert that is expiring which it doesn't look like you use. So just consider the email a friendly warning.
Perhaps this tool will help you visualize what is happening
https://tools.letsdebug.net/cert-search?m=domain&q=dhars.org.uk&d=2160
8 Likes
Yes, I know what happened there. I did have a certificate that showed bitcoinhelp.co.uk as the main one, with the other 10 or so domains less prominent, which was not what I wanted for my company. So now I have one certificate per domain, rather than a certificate covering multiple domains.
I would like to avoid the spurious emails, as having them will mean I am likely to miss a more important notification. I assume revoking the certificate is one way, but is there a better way? I would much rather stop the reminders, rather than just ignore them.
2 Likes
Osiris
July 17, 2022, 10:32am
5
It's not possible to unsubscribe from individual certificate expiry notifications.
6 Likes
The particular certificates do not appear to be managed by certbot - they were probably generated on another server, to which I no longer have access. However, I do have a backup, in the form of a tar file, of the directory on the other server. Is there any way I can revoke the certificate, to stop the reminders?
root@foobar:/etc# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: bitcoinhelp.uk
Serial Number: 34fce17f62370e90e3bc2754374f09b805f
Key Type: RSA
Domains: bitcoinhelp.uk www.bitcoinhelp.uk
Expiry Date: 2022-10-15 00:28:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/bitcoinhelp.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bitcoinhelp.uk/privkey.pem
Certificate Name: dell-uk-sales.co.uk
Serial Number: 323622fd0933cd278297a46532f762cc21c
Key Type: RSA
Domains: dell-uk-sales.co.uk www.dell-uk-sales.co.uk
Expiry Date: 2022-08-30 00:25:17+00:00 (VALID: 43 days)
Certificate Path: /etc/letsencrypt/live/dell-uk-sales.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dell-uk-sales.co.uk/privkey.pem
Certificate Name: dhars.org.uk
Serial Number: 30bc6a480ad5c8ccd66915329497d17ab75
Key Type: RSA
Domains: dhars.org.uk www.dhars.org.uk
Expiry Date: 2022-08-27 11:03:09+00:00 (VALID: 40 days)
Certificate Path: /etc/letsencrypt/live/dhars.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dhars.org.uk/privkey.pem
Certificate Name: g8wrb.co.uk
Serial Number: 3e0cd429b7944b48eac9d1aa0216e807722
Key Type: RSA
Domains: g8wrb.co.uk www.g8wrb.co.uk
Expiry Date: 2022-10-05 20:50:59+00:00 (VALID: 80 days)
Certificate Path: /etc/letsencrypt/live/g8wrb.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/g8wrb.co.uk/privkey.pem
Certificate Name: kirbymicrowave.co.uk
Serial Number: 444c24c862707aeb33d1b0fec8017c03e69
Key Type: RSA
Domains: kirbymicrowave.co.uk www.kirbymicrowave.co.uk
Expiry Date: 2022-10-05 10:40:30+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/kirbymicrowave.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kirbymicrowave.co.uk/privkey.pem
Certificate Name: kirkbymicrowave.com
Serial Number: 44ec459d549047e275cc5e8bc75f8fa5ccc
Key Type: RSA
Domains: kirkbymicrowave.com www.kirkbymicrowave.com
Expiry Date: 2022-10-05 10:40:41+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/kirkbymicrowave.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kirkbymicrowave.com/privkey.pem
Certificate Name: www.dhars.org.uk
Serial Number: 3003009b10db925633f1f476aea3758b7cb
Key Type: RSA
Domains: www.dhars.org.uk
Expiry Date: 2022-10-05 10:40:50+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/www.dhars.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.dhars.org.uk/privkey.pem
Certificate Name: www.kirkbymicrowave.co.uk
Serial Number: 490cbd9fc88a83ceb3fb48116e5bf4a33a5
Key Type: RSA
Domains: www.kirkbymicrowave.co.uk kirkbymicrowave.co.uk
Expiry Date: 2022-10-05 10:41:00+00:00 (VALID: 79 days)
Certificate Path: /etc/letsencrypt/live/www.kirkbymicrowave.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.kirkbymicrowave.co.uk/privkey.pem
Certificate Name: www.rftestkit.com
Serial Number: 31e14c9c798f6b110bf3e17e221a9b69789
Key Type: RSA
Domains: www.rftestkit.com rftestkit.com
Expiry Date: 2022-08-29 09:16:27+00:00 (VALID: 42 days)
Certificate Path: /etc/letsencrypt/live/www.rftestkit.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.rftestkit.com/privkey.pem
1 Like
Osiris
July 17, 2022, 1:00pm
7
If you have the public key then yes, you can revoke the certificate.
5 Likes
Where would I look to find the correct file(s) and how would I revoke them? These are the files I have
root@foobar:/tmp/letsencrypt# find .
.
./renewal-hooks
./renewal-hooks/post
./renewal-hooks/pre
./renewal-hooks/deploy
./.updated-options-ssl-apache-conf-digest.txt
./renewal
./renewal/kirkbymicrowave.co.uk.conf
./renewal/www.bitcoinhelp.uk.conf
./renewal/dhars.org.uk.conf
./renewal/www.g8wrb.co.uk.conf
./renewal/g8wrb.co.uk.conf
./renewal/www.kirkbymicrowave.co.uk.conf
./renewal/kirkbymicrowave.com.conf
./renewal/kirkbymicrowave.com-0001.conf
./renewal/www.kirbymicrowave.co.uk.conf
./renewal/bitcoinhelp.uk.conf
./renewal/kirbymicrowave.co.uk.conf
./renewal/www.dhars.org.uk.conf
./archive
./archive/kirkbymicrowave.com-0001
./archive/kirkbymicrowave.com-0001/chain1.pem
./archive/kirkbymicrowave.com-0001/privkey1.pem
./archive/kirkbymicrowave.com-0001/cert1.pem
./archive/kirkbymicrowave.com-0001/fullchain1.pem
./archive/www.bitcoinhelp.uk
./archive/www.bitcoinhelp.uk/chain1.pem
./archive/www.bitcoinhelp.uk/privkey1.pem
./archive/www.bitcoinhelp.uk/cert1.pem
./archive/www.bitcoinhelp.uk/fullchain1.pem
./archive/kirkbymicrowave.com
./archive/kirkbymicrowave.com/chain1.pem
./archive/kirkbymicrowave.com/privkey1.pem
./archive/kirkbymicrowave.com/cert1.pem
./archive/kirkbymicrowave.com/fullchain1.pem
./archive/bitcoinhelp.uk
./archive/bitcoinhelp.uk/chain1.pem
./archive/bitcoinhelp.uk/privkey1.pem
./archive/bitcoinhelp.uk/cert1.pem
./archive/bitcoinhelp.uk/fullchain1.pem
./archive/www.g8wrb.co.uk
./archive/www.g8wrb.co.uk/chain1.pem
./archive/www.g8wrb.co.uk/privkey1.pem
./archive/www.g8wrb.co.uk/cert1.pem
./archive/www.g8wrb.co.uk/fullchain1.pem
./archive/www.dhars.org.uk
./archive/www.dhars.org.uk/chain1.pem
./archive/www.dhars.org.uk/privkey1.pem
./archive/www.dhars.org.uk/cert1.pem
./archive/www.dhars.org.uk/fullchain1.pem
./archive/www.kirbymicrowave.co.uk
./archive/www.kirbymicrowave.co.uk/chain1.pem
./archive/www.kirbymicrowave.co.uk/privkey1.pem
./archive/www.kirbymicrowave.co.uk/cert1.pem
./archive/www.kirbymicrowave.co.uk/fullchain1.pem
./archive/kirbymicrowave.co.uk
./archive/kirbymicrowave.co.uk/chain1.pem
./archive/kirbymicrowave.co.uk/privkey1.pem
./archive/kirbymicrowave.co.uk/cert1.pem
./archive/kirbymicrowave.co.uk/fullchain1.pem
./archive/g8wrb.co.uk
./archive/g8wrb.co.uk/chain1.pem
./archive/g8wrb.co.uk/privkey1.pem
./archive/g8wrb.co.uk/cert1.pem
./archive/g8wrb.co.uk/fullchain1.pem
./archive/www.kirkbymicrowave.co.uk
./archive/www.kirkbymicrowave.co.uk/chain1.pem
./archive/www.kirkbymicrowave.co.uk/privkey1.pem
./archive/www.kirkbymicrowave.co.uk/cert1.pem
./archive/www.kirkbymicrowave.co.uk/fullchain1.pem
./archive/dhars.org.uk
./archive/dhars.org.uk/chain1.pem
./archive/dhars.org.uk/privkey1.pem
./archive/dhars.org.uk/cert1.pem
./archive/dhars.org.uk/fullchain1.pem
./archive/kirkbymicrowave.co.uk
./archive/kirkbymicrowave.co.uk/chain1.pem
./archive/kirkbymicrowave.co.uk/privkey1.pem
./archive/kirkbymicrowave.co.uk/cert1.pem
./archive/kirkbymicrowave.co.uk/fullchain1.pem
./options-ssl-apache.conf
./csr
./csr/0002_csr-certbot.pem
./csr/0018_csr-certbot.pem
./csr/0000_csr-certbot.pem
./csr/0014_csr-certbot.pem
./csr/0006_csr-certbot.pem
./csr/0004_csr-certbot.pem
./csr/0003_csr-certbot.pem
./csr/0008_csr-certbot.pem
./csr/0021_csr-certbot.pem
./csr/0015_csr-certbot.pem
./csr/0001_csr-certbot.pem
./csr/0007_csr-certbot.pem
./csr/0017_csr-certbot.pem
./csr/0013_csr-certbot.pem
./csr/0005_csr-certbot.pem
./csr/0016_csr-certbot.pem
./csr/0010_csr-certbot.pem
./csr/0019_csr-certbot.pem
./csr/0009_csr-certbot.pem
./csr/0011_csr-certbot.pem
./csr/0020_csr-certbot.pem
./csr/0012_csr-certbot.pem
./accounts
./accounts/acme-v02.api.letsencrypt.org
./accounts/acme-v02.api.letsencrypt.org/directory
./accounts/acme-v02.api.letsencrypt.org/directory/ef3f4b05cf184ff113f870097624dd8f
./accounts/acme-v02.api.letsencrypt.org/directory/ef3f4b05cf184ff113f870097624dd8f/private_key.json
./accounts/acme-v02.api.letsencrypt.org/directory/ef3f4b05cf184ff113f870097624dd8f/regr.json
./accounts/acme-v02.api.letsencrypt.org/directory/ef3f4b05cf184ff113f870097624dd8f/meta.json
./accounts/acme-staging-v02.api.letsencrypt.org
./accounts/acme-staging-v02.api.letsencrypt.org/directory
./accounts/acme-staging-v02.api.letsencrypt.org/directory/8a47ba598e94695aea3959ef8f7993d5
./accounts/acme-staging-v02.api.letsencrypt.org/directory/8a47ba598e94695aea3959ef8f7993d5/private_key.json
./accounts/acme-staging-v02.api.letsencrypt.org/directory/8a47ba598e94695aea3959ef8f7993d5/regr.json
./accounts/acme-staging-v02.api.letsencrypt.org/directory/8a47ba598e94695aea3959ef8f7993d5/meta.json
./keys
./keys/0009_key-certbot.pem
./keys/0017_key-certbot.pem
./keys/0014_key-certbot.pem
./keys/0003_key-certbot.pem
./keys/0011_key-certbot.pem
./keys/0000_key-certbot.pem
./keys/0008_key-certbot.pem
./keys/0004_key-certbot.pem
./keys/0021_key-certbot.pem
./keys/0018_key-certbot.pem
./keys/0020_key-certbot.pem
./keys/0015_key-certbot.pem
./keys/0016_key-certbot.pem
./keys/0013_key-certbot.pem
./keys/0002_key-certbot.pem
./keys/0019_key-certbot.pem
./keys/0012_key-certbot.pem
./keys/0005_key-certbot.pem
./keys/0007_key-certbot.pem
./keys/0006_key-certbot.pem
./keys/0001_key-certbot.pem
./keys/0010_key-certbot.pem
./live
./live/kirkbymicrowave.com-0001
./live/kirkbymicrowave.com-0001/cert.pem
./live/kirkbymicrowave.com-0001/fullchain.pem
./live/kirkbymicrowave.com-0001/README
./live/kirkbymicrowave.com-0001/privkey.pem
./live/kirkbymicrowave.com-0001/chain.pem
./live/www.bitcoinhelp.uk
./live/www.bitcoinhelp.uk/cert.pem
./live/www.bitcoinhelp.uk/fullchain.pem
./live/www.bitcoinhelp.uk/README
./live/www.bitcoinhelp.uk/privkey.pem
./live/www.bitcoinhelp.uk/chain.pem
./live/kirkbymicrowave.com
./live/kirkbymicrowave.com/cert.pem
./live/kirkbymicrowave.com/fullchain.pem
./live/kirkbymicrowave.com/README
./live/kirkbymicrowave.com/privkey.pem
./live/kirkbymicrowave.com/chain.pem
./live/bitcoinhelp.uk
./live/bitcoinhelp.uk/cert.pem
./live/bitcoinhelp.uk/fullchain.pem
./live/bitcoinhelp.uk/README
./live/bitcoinhelp.uk/privkey.pem
./live/bitcoinhelp.uk/chain.pem
./live/www.g8wrb.co.uk
./live/www.g8wrb.co.uk/cert.pem
./live/www.g8wrb.co.uk/fullchain.pem
./live/www.g8wrb.co.uk/README
./live/www.g8wrb.co.uk/privkey.pem
./live/www.g8wrb.co.uk/chain.pem
./live/README
./live/www.dhars.org.uk
./live/www.dhars.org.uk/cert.pem
./live/www.dhars.org.uk/fullchain.pem
./live/www.dhars.org.uk/README
./live/www.dhars.org.uk/privkey.pem
./live/www.dhars.org.uk/chain.pem
./live/www.kirbymicrowave.co.uk
./live/www.kirbymicrowave.co.uk/cert.pem
./live/www.kirbymicrowave.co.uk/fullchain.pem
./live/www.kirbymicrowave.co.uk/README
./live/www.kirbymicrowave.co.uk/privkey.pem
./live/www.kirbymicrowave.co.uk/chain.pem
./live/kirbymicrowave.co.uk
./live/kirbymicrowave.co.uk/cert.pem
./live/kirbymicrowave.co.uk/fullchain.pem
./live/kirbymicrowave.co.uk/README
./live/kirbymicrowave.co.uk/privkey.pem
./live/kirbymicrowave.co.uk/chain.pem
./live/g8wrb.co.uk
./live/g8wrb.co.uk/cert.pem
./live/g8wrb.co.uk/fullchain.pem
./live/g8wrb.co.uk/README
./live/g8wrb.co.uk/privkey.pem
./live/g8wrb.co.uk/chain.pem
./live/www.kirkbymicrowave.co.uk
./live/www.kirkbymicrowave.co.uk/cert.pem
./live/www.kirkbymicrowave.co.uk/fullchain.pem
./live/www.kirkbymicrowave.co.uk/README
./live/www.kirkbymicrowave.co.uk/privkey.pem
./live/www.kirkbymicrowave.co.uk/chain.pem
./live/dhars.org.uk
./live/dhars.org.uk/cert.pem
./live/dhars.org.uk/fullchain.pem
./live/dhars.org.uk/README
./live/dhars.org.uk/privkey.pem
./live/dhars.org.uk/chain.pem
./live/kirkbymicrowave.co.uk
./live/kirkbymicrowave.co.uk/cert.pem
./live/kirkbymicrowave.co.uk/fullchain.pem
./live/kirkbymicrowave.co.uk/README
./live/kirkbymicrowave.co.uk/privkey.pem
./live/kirkbymicrowave.co.uk/chain.pem
1 Like
Osiris
July 17, 2022, 1:15pm
9
In the appropriate /live/ directory.
Please see the Certbot user guide about revoking certificates.
6 Likes
In case you don't know - you only receive 3 emails per cert that you don't renew. They appear 20, 10, and 1 days before expiry. They won't persist forever like some reminder emails from purchased services.
9 Likes
danb35
July 17, 2022, 6:42pm
11
I don't believe revoking the cert will stop the reminders. You'll get a total of three (20 days before expiration, 10 days, and 1 day, IIRC), and then they'll stop, because that cert will be expired. I don't think the juice is worth the squeeze here, particularly with the risk of revoking the wrong cert.
6 Likes
Osiris
July 17, 2022, 6:46pm
12
It will, see the Boulder source:
    // sequentially fetch the certificate details. This avoids an expensive
    // JOIN.
    var serials []string
    _, err := m.dbMap.WithContext(ctx).Select(
        &serials,
        `SELECT
            cs.serial
        FROM certificateStatus AS cs
        WHERE cs.notAfter > :cutoffA
        AND cs.notAfter <= :cutoffB
        AND cs.status != "revoked"
        AND COALESCE(TIMESTAMPDIFF(SECOND, cs.lastExpirationNagSent, cs.notAfter) > :nagCutoff, 1)
        ORDER BY cs.notAfter ASC
        LIMIT :limit`,
        map[string]interface{}{
            "cutoffA":   left,
            "cutoffB":   right,
            "nagCutoff": expiresIn.Seconds(),
            "limit":     m.limit,
        },
    )
8 Likes
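The filter in the query quoted above, re-expressed over in-memory rows as an added example (not Boulder's code and not part of the original post). The `certStatus` type, the sample rows, the placeholder serials and the way `left` and `right` are chosen are assumptions; `ORDER BY` and `LIMIT` are left out.

```go
package main

import (
	"fmt"
	"time"
)

// certStatus holds only the certificateStatus columns the quoted query reads.
// Type and field names are assumptions made for this example.
type certStatus struct {
	Serial      string
	NotAfter    time.Time
	Status      string     // "good" or "revoked"
	LastNagSent *time.Time // nil models SQL NULL: no nag sent yet
}

// dueForNag applies the quoted WHERE clause to in-memory rows.
func dueForNag(rows []certStatus, left, right time.Time, expiresIn time.Duration) []string {
	var serials []string
	for _, cs := range rows {
		// cs.notAfter > :cutoffA AND cs.notAfter <= :cutoffB
		inWindow := cs.NotAfter.After(left) && !cs.NotAfter.After(right)
		// COALESCE(TIMESTAMPDIFF(SECOND, lastNag, notAfter) > :nagCutoff, 1):
		// a NULL lastNag makes the comparison NULL, which COALESCE turns into true.
		nagPending := cs.LastNagSent == nil || cs.NotAfter.Sub(*cs.LastNagSent) > expiresIn
		if inWindow && cs.Status != "revoked" && nagPending {
			serials = append(serials, cs.Serial)
		}
	}
	return serials
}

// sampleRows is constructed data; the serials are placeholders.
func sampleRows() []certStatus {
	exp := time.Date(2022, 8, 5, 21, 40, 0, 0, time.UTC) // expiry quoted in the e-mail
	nagged := exp.Add(-19 * 24 * time.Hour)              // nag already sent in this window
	return []certStatus{
		{"PLACEHOLDER-FRESH", time.Date(2022, 8, 27, 11, 3, 9, 0, time.UTC), "good", nil},
		{"PLACEHOLDER-OLD", exp, "good", nil},
		{"PLACEHOLDER-REVOKED", exp, "revoked", nil},
		{"PLACEHOLDER-NAGGED", exp, "good", &nagged},
	}
}

func main() {
	now := time.Date(2022, 7, 17, 12, 0, 0, 0, time.UTC) // assumed clock value
	d := 20 * 24 * time.Hour                             // first nag window (20 days)
	// Assumption: left = now and right = now + d; the page does not show how they are set.
	fmt.Println(dueForNag(sampleRows(), now, now.Add(d), d))
}
```

With the constructed rows, only the unrevoked, not-yet-nagged certificate expiring on 05 Aug is selected; the revoked copy and the one already nagged inside the 20-day window are skipped.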