Renewal mails for already renewed certificates


#1

I got several mails to renew certificates, which are already renewed (by issuing new ones, no letsencrypt renew, yet).


#2

Yes, it’s a known issue (or several issues) - see Expiration Emails (Too Many, Unnecessary, etc.)


#3

For the record, I just received:

Your certificate (or certificates) for the names listed below will expire in 19 days (on 25 Oct 16 00:06 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

for a domain (the only one so far to get this error out of many domains) that was successfully renewed automatically on 9/25 (cert now showing expiration of 12/24).


#4

Hi @laurenweinstein1, is it possible that the domain was renewed for a slightly different set of names? Most confusing versions of this message so far have resulted from cases where people added or removed a name, and then the reminder script doesn’t know how to tell how the new cert is related to the old cert.

If the existing versions are literally identical, it could be a previously unknown bug. Are you able to find the different versions in crt.sh? (when it’s up and running… it appears to have been down for two days!)


#5

Hi. I’m unsure what crt.sh script you’re referring to. The particular cert in question is for (e.g.) domain.com and www.domain.com, with the former URL redirecting to the latter. Thanks.


#6

@schoen is talking about the https://crt.sh/ web site, a Certificate Transparency monitor, not a shell script :) . If it’s still unreliable, Google operate one too, although it has less weird/cool features than Rob’s crt.sh
https://www.google.com/transparencyreport/https/ct/


#7

Just updating on this – I received a few minutes ago another “certificate is expiring” warning (in 9 days in this case) for that same domain. The actual certificate was issued (renewed) on 9/25 and is good through 12/24.

–Lauren–


#8

Just checked on crt.sh. The most recent issuance of the cert is there. The other entries are for my initial test over a couple of days in July.

2016-09-25 2016-09-25 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3


#9

Hi Lauren, would you be willing to let me know which certs they are? I could try to look into the behavior of the reminder script.


#10

Of course. I’ll contact you off-forum. Thanks.

–Lauren–


#11

Hi Lauren, I looked at the issuance history for the domain that you mentioned. What I think is happening is that you previously had a certificate (that’s now near expiry) for only example.org. You later replaced this with a new certificate for both example.org and www.example.org, which you’ve successfully renewed. However, the scripts don’t know that the www.example.org+example.org certificate is a replacement for the example.org certificate and intend to warn you that soon you will no longer have a valid certificate for only example.org.

It’s clear that this behavior could be confusing, and I’m happy to hear suggestions for changing it, but we don’t have a notion (yet?) of tracking how certificates are related on the CA side and so the reminder script’s current interpretation is that a certificate was not renewed unless a newer certificate exists for exactly the same set of names, which is not the case for your example.org-only cert.


#12

This seems reasonable, since I believe that “example.org” was my initial process test domain for Let’s Encrypt. Perhaps the current interpretation could be loosened a bit for the most common cases at least. That is, if a cert that incorporates both foo.com and www.foo.com was successfully renewed, the need to renew any lingering “foo.com-only” cert would seem unlikely. In the meantime, is there something I can do on this end to kill off those warnings from that earlier (unused) cert, without disrupting the newer cert in use? Thanks!
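To make the behaviour described in #11 and the loosening proposed in #12 concrete, here is an added example (not Let’s Encrypt’s actual reminder script, whose source is not on this page) that replays a constructed issuance history like Lauren’s against both matching rules. The `Cert` class, the `rule` parameter and the 30-day warning window are assumptions for illustration; the names and dates are the thread’s example, not real crt.sh records.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    """One issued certificate: the full set of DNS names it covers plus its validity window."""
    names: frozenset
    not_before: date
    not_after: date


def is_replaced(cert, certs, rule="exact"):
    """Does a later-issued certificate count as a renewal of `cert`?

    "exact":    the later cert must carry exactly the same name set
                (the behaviour post #11 describes).
    "superset": the later cert may carry additional names
                (the loosening post #12 asks for; an assumed rule, not a deployed one).
    """
    for other in certs:
        if other is cert or other.not_before <= cert.not_before:
            continue
        if rule == "exact" and other.names == cert.names:
            return True
        if rule == "superset" and other.names >= cert.names:
            return True
    return False


def reminders_due(certs, today, window_days=30, rule="exact"):
    """Certificates that would get an expiry reminder on `today`.

    Already-expired certs are skipped (reminders stop once the cert is gone, post #17).
    The 30-day window is an assumption.
    """
    due = []
    for cert in certs:
        if cert.not_after < today:
            continue
        if cert.not_after - today > timedelta(days=window_days):
            continue
        if not is_replaced(cert, certs, rule):
            due.append(cert)
    return due


def names_due(certs, today, rule="exact"):
    """Same as reminders_due, but as sorted 'name1,name2' strings for easy reading."""
    return sorted(",".join(sorted(c.names)) for c in reminders_due(certs, today, rule=rule))


# Constructed issuance history modelled on the thread (not real crt.sh output):
SAMPLE_CERTS = [
    # initial test cert for the bare name only: the "lingering" cert of posts #11/#12
    Cert(frozenset({"example.org"}), date(2016, 7, 27), date(2016, 10, 25)),
    # first two-name cert, later renewed with exactly the same names
    Cert(frozenset({"example.org", "www.example.org"}), date(2016, 6, 27), date(2016, 9, 25)),
    # the 9/25 renewal, good through 12/24
    Cert(frozenset({"example.org", "www.example.org"}), date(2016, 9, 25), date(2016, 12, 24)),
]
REPORT_DATE = date(2016, 10, 6)      # 19 days before the old cert's 25 Oct expiry, as in post #3
AFTER_OLD_EXPIRY = date(2016, 11, 1)
DECEMBER_CHECK = date(2016, 12, 1)

if __name__ == "__main__":
    for rule in ("exact", "superset"):
        print(rule, "->", names_due(SAMPLE_CERTS, REPORT_DATE, rule))
```

Under the exact rule the example.org-only cert is flagged on 6 October even though the two-name cert was just renewed, which is the spurious mail the thread is about; under the superset rule it is not. Once the old cert has expired nothing is flagged until the two-name cert itself enters the warning window in December.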


#13

To my knowledge, there’s not yet a way to unsubscribe from reminders for a single certificate on an account while continuing to receive reminders for others. Sorry about that.


#14

What about killing that initial certificate completely? There’s no reason for it even to exist any more. Thanks.


#15

You can revoke it, but revocation also currently doesn’t interact with renewal reminders (though maybe it should because that would provide a way to put a stop to these spurious reminders).


#16

And obviously, I don’t want to disrupt the active certificate that was successfully renewed. What will happen when the old unused cert actually expires? Will there be a final expired notice and then will the reminder system go quiet regarding that cert? Tnx.


#17

Yes, I believe the reminder system will stop reminding you after the cert in question has expired.


#18

That will work. Thanks again.


#19

Had the issue today for my certificate which was automatically updated on the 4th of June. I’m pretty sure that I didn’t change the subject underway.

Google transparency shows me two certificates. The initial one and the renewed. Both have CN=www.domain.com as the subject and www.domain.com and domain.com as matching DNS names.

I had some warnings during renewal. I had :80 and :443 in one configuration file. Solved that. Not sure why that could have caused an issue with the renewed certificate.

2017-06-04 01:22:08,191:WARNING:certbot_apache.display_ops:Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each \
vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories.
2017-06-04 01:22:08,192:WARNING:certbot_apache.tls_sni_01:Falling back to default vhost *:443...
2017-06-04 01:22:08,200:WARNING:certbot_apache.display_ops:Encountered vhost ambiguity but unable to ask for user guidance in non-interactive mode. Currently Certbot needs each \
vhost to be in its own conf file, and may need vhosts to be explicitly labelled with ServerName or ServerAlias directories.
2017-06-04 01:22:08,200:WARNING:certbot_apache.tls_sni_01:Falling back to default vhost *:443...

#20

Probably the old one is still valid. If the next renewal works, you can ignore the mails and they will stop when the old one has expired, and the current one will not trigger such mails. Each certificate that is not recognized as renewed (I guess this means same CommonNames AND the old one is less than 30 days valid) currently triggers such mails.