Renewal email date in error


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are:
thebiermans.ddns.net
thebiermans.synology.me

I ran this command:
NA

It produced this output:
NA

My web server is (include version):
Synology NAS DSM 6.2-23739 Update 2

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
DSM 6.2-23739 Update 2

System time
PDT

I recently received an email saying

Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 26 Sep 18 15:58 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

Checking the Synology NAS I saw that the certificates didn’t expire until December. I’m confused as to why I received this email.

Even though they didn’t expire until December, I renewed them again. I got no error and the new renewal date is either the same or a few days later (I forget what the original expiration date was but it was in the same month.)


#2

Hi,

Some devices automatically renew the certificate without the need for user intervention…
That’s happening in your case.

However, Let’s Encrypt will still send you an email notifying you to renew the certificate.

If you scroll down to the bottom of that email, there should be a line stating that if the certificate is renewed, ignore this email.

Thank you


#3

I don’t think you understand the scenario.

I got the email which claimed to require renewal, imminently.
I checked the NAS drive and it said the certificate was valid until December.
Since I have the necessary ports blocked by a firewall, auto renewal does not work.
I opened the ports and tried to renew just to see what would happen.
At best, the renewal moved the date a few days (but as I said the renewal might not have changed the expiration at all since I am more than 30 days from expiration.)

So the question is why did I get the email when Letsencrypt knows when the certificate expires?


#4

Hi @michaelbierman

searching your certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:thebiermans.synology.me&lu=cert_search

You have one certificate which expires 2018-09-26:

https://transparencyreport.google.com/https/certificates/M8eSQca70EzjZBcPRXLgUyn%2FTyn9sLXOIdGFt6MNPGQ%3D

with two names thebiermans.ddns.net thebiermans.synology.me.

But there is a second certificate which expires 2018-12-16:

https://transparencyreport.google.com/https/certificates/ODNgXIeYfcLaUt2lGxNSeisIql%2FaofQayyoIFoxch48%3D

with three names: thebiermans.ddns.net thebiermans.dynamic-dns.net thebiermans.synology.me

So you have two types of certificates - one with two, one with three names. I don’t see which certificate is used, but I think you use the certificate with three names. So you don’t need the certificate with two names and didn’t renew it -> that produces the mail.

So you can ignore the mail.

But: Normally you should have only two active certificates, not 5.


#5

To add a little bit of context, the reason that you got this email is because, as far as Let’s Encrypt can tell, the first certificate (with two names) was not renewed. Instead, you replaced it with a new certificate containing three names. Let’s Encrypt, having no knowledge of how these certificates are used, emailed you to let you know that the certificate with two names was expiring and had not been renewed.
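
The matching described in this thread, as an added example that is not part of any post and not Let's Encrypt's own code: it treats a certificate as renewed only when a later certificate has exactly the same set of names, and separately reports whether another certificate with a superset of those names is still valid. The record layout, function names and the 10-day window parameter are assumptions; the name sets and expiry dates are the ones quoted above.

```python
from datetime import datetime, timedelta, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed inventory: name sets and expiry dates are the ones quoted in the
# thread; the record layout itself is hypothetical.
CERTS = [
    {"names": ["thebiermans.ddns.net", "thebiermans.synology.me"],
     "not_after": utc(2018, 9, 26)},
    {"names": ["thebiermans.ddns.net", "thebiermans.dynamic-dns.net",
               "thebiermans.synology.me"],
     "not_after": utc(2018, 12, 16)},
]

def name_set(cert):
    # Renewal is matched on the exact set of names, so normalise and freeze it.
    return frozenset(n.lower().rstrip(".") for n in cert["names"])

def expiry_notices(certs, now, window_days=10):
    """Return name sets that expire within the window without a same-set renewal."""
    latest = {}
    for cert in certs:
        key = name_set(cert)
        if key not in latest or cert["not_after"] > latest[key]["not_after"]:
            latest[key] = cert
    cutoff = now + timedelta(days=window_days)
    notices = []
    for key, cert in latest.items():
        if not (now <= cert["not_after"] <= cutoff):
            continue
        # A different certificate whose names include all of these, valid past
        # the window, means the notice can be ignored if that one is deployed.
        covered = any(other is not cert and key <= name_set(other)
                      and other["not_after"] > cutoff
                      for other in latest.values())
        notices.append({"names": sorted(key),
                        "not_after": cert["not_after"],
                        "covered_by_other_cert": covered})
    return notices

if __name__ == "__main__":
    for notice in expiry_notices(CERTS, now=utc(2018, 9, 17)):
        print(notice)
```

A notice with `covered_by_other_cert` set to false is the one that needs action: no other certificate in the inventory covers those names past the window.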


#6

Thanks! That does make sense. I reconfigured things a while back and forgot about that.

