Receiving renewal reminders for domains I've never seen before


#1

About two months ago, I got a LE certificate for my website. Now I got multiple emails telling me a total of four different certs need to be renewed. Unfortunately, I’m also getting these reminders for 3 domains that I’ve never seen before and that I am not responsible for. To me, this looks like there was something wrong with my hosting provider when these certificates were requested over their admin panel (Plesk).

These emails only contain a link to unsubscribe from any further emails. But I have no good feeling, knowing that there are some LE certs for arbitrary domains which for whatever reason seem to be tied to my email address. How am I supposed to react to these mails stating that these domains would be under my control? Are there any security implications I should be aware of?


#2

@gutinformatik: Because we don’t require email confirmation on account creation (an intentional decision to make things smoother), it’s entirely possible for someone to sign up and use your address, either by accident or on purpose. It doesn’t create a security risk. One downside though, is that it means that unsubscribing from the bogus notifications means unsubscribing from your real notifications. I’ll try and think of a way to improve that.

I’d like to look into your situation and see if it’s a persistent problem at your hosting provider. Can you provide your domains plus the domains that aren’t yours?

Thanks,
Jacob


#3

Hello Jacob

Thanks for your quick reply. My domain is gutinformatik.ch, the domains I’m getting reminders for (but are not mine) are:
baern16.ch
sandraleon.ch
(plus a third one, that looks like it’s not meant to be public, so I won’t post that one here).

Thanks,
Markus


#4

This seems to be a problem with Plesk’s Let’s Encrypt plugin. There’s an existing issue for this:


#5

The Plesk plugin is quite buggy when it comes to renewal. Somebody else was asking about why they were getting new “-001” versions of their domains created instead of just renewing the existing one. They thought it was Let’s Encrypt’s fault, and thought they had bad documentation.

Hopefully Plesk will sort out their plugin soon. I’m assuming they’re only just recently getting their first batch of renewals coming through.