Renewal notices for auto-renewing certs

We keep getting these messages:

Your certificate (or certificates) for the names listed below will expire in 7 days (on 2023-06-09). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See Integration Guide - Let's Encrypt for details.

But they are set to auto-renew. Is this just spam to torment sysadmins?

No. 

3 Likes

Also see

And

5 Likes

And, had you posted in the Help topic, you would have been shown the form below. If you want help debugging your renewal problem, please complete it as best you can.

========================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

5 Likes

Then what legitimate purpose do they serve? “Warning: pay attention to this thing you already configured to not have to pay attention to” seems designed to torment those of us who have actual things to pay attention to.

Let's Encrypt does not send emails if there isn't a, from the perspective of Let's Encrypt, good reason for it. Please see the documentation linked in the expiry email as well as linked above by Mike.

Note that "a good reason" might be different for Let's Encrypt than for you if you don't understand the "rules" the expiry emailer adheres to. It's all explained in the documentation.

6 Likes

This is more about why I’m getting notices to renew when I am set to auto-renew through my host. Easiest fix will be to just filter these notices into my postmaster spam folder. Occam’s razor.

It seems you haven't read the entire documentation yet, so I'll try to coach you a little bit in the right direction: if you get an expiry email, there is MORE happening than ONLY auto-renewing existing certificates.

6 Likes

Occam's razor also says the most likely explanation is that your auto-renew is failing. Or, at least not working as you expect. Again, if you want help debugging that we need more info from that form.

6 Likes

...because there's no possible way that you misconfigured it, or that it otherwise isn't working. Can you seriously not conceive of that being possible?

4 Likes

The expiry reminders are sometimes controversial because they can have false positives when sysadmins split or merge certificates, or reissue them adding or removing names. (The expiry reminders don't treat this as a "renewal" because they don't know whether the particular changes made are or are not a comprehensive replacement for the original certificate.)

Still, I think that the huge majority of these reminders are true positives, caused by people not setting up autorenewals, or caused by the autorenewals failing somehow (often due to changed DNS records or something).

The certificate-reorganization potential false positive case is mentioned in the documentation and it would be nice if the reminder e-mails could get a little cleverer about this, but there isn't a clear way to eliminate false positives here without also increasing false negatives.

7 Likes
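Added example (not part of the thread, and not Let's Encrypt's own code): a sketch of the rule described in the post above, where only a later certificate with exactly the same set of names counts as a renewal. It separates a merged-certificate false positive from a hostname that really is about to lose coverage. The certificate records, the `classify` function, and the use of a later expiry date as a stand-in for "issued later" are assumptions; wildcard names are ignored.

```python
from datetime import date

# Constructed issuance history for one account (sample data, not real certificates).
CERTS = [
    {"id": "A", "names": {"example.com", "www.example.com"},
     "not_after": date(2023, 6, 9)},
    # Reissued with an extra name: a merge, not an exact-set renewal of A.
    {"id": "B", "names": {"example.com", "www.example.com", "mail.example.com"},
     "not_after": date(2023, 8, 30)},
    # Nothing later covers this name: auto-renewal is not working for it.
    {"id": "C", "names": {"shop.example.com"}, "not_after": date(2023, 6, 9)},
    {"id": "D", "names": {"blog.example.com"}, "not_after": date(2023, 6, 9)},
    {"id": "E", "names": {"blog.example.com"}, "not_after": date(2023, 9, 1)},
]
SAMPLE_TODAY = date(2023, 6, 2)  # 7 days before the expiry date in the quoted email


def classify(certs, today, window_days=7):
    """Label every certificate that expires within the reminder window.

    Returns {cert_id: (label, uncovered_names)} where label is one of:
      renewed        - a later cert has exactly the same names (no reminder)
      false_positive - reminder sent, but later certs cover every name
      true_positive  - reminder sent, and some names have no later cert
    """
    results = {}
    for cert in certs:
        remaining = (cert["not_after"] - today).days
        if not 0 <= remaining <= window_days:
            continue  # not close enough to expiry to trigger a reminder
        # Assumption: a later expiry date means the cert was issued later.
        later = [c for c in certs if c["not_after"] > cert["not_after"]]
        if any(c["names"] == cert["names"] for c in later):
            results[cert["id"]] = ("renewed", set())
            continue
        # No exact-set match, so the reminder goes out. Work out whether
        # any hostname is actually left without a newer certificate.
        covered = set().union(*(c["names"] for c in later))
        uncovered = cert["names"] - covered
        label = "true_positive" if uncovered else "false_positive"
        results[cert["id"]] = (label, uncovered)
    return results


if __name__ == "__main__":
    for cert_id, (label, names) in sorted(classify(CERTS, SAMPLE_TODAY).items()):
        print(cert_id, label, sorted(names))
```

A reminder is only safe to ignore when every name in it falls in the `false_positive` group; any `true_positive` name means the renewal job needs to be checked.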

Sure, there are false positives. But OP doesn't seem to have given any thought whatsoever to the possibility that the auto-renewal he thinks he configured isn't working, or done anything to confirm that the cert in question has in fact renewed or been replaced by another that covers the FQDN in question.

Now, of course, it's possible that's been done--but OP hasn't said anything to suggest it's the case.

5 Likes

Right-o: worked just fine for several years with no changes or updates whatsoever. I give up, spam it is.

Fine, see you in a few weeks when your cert has expired.

5 Likes

So you never modify existing certificates?

5 Likes

Never.

There must have been a change.

If you want to know which one, please either provide the hostname or hostnames mentioned in the expiry email, or check on crt.sh yourself to see the certificate history for those hostnames.

I expect a little bit of cooperation, otherwise I must conclude this thread is just a troll.

6 Likes
