Staging certificate messages?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.teanow5pm.co.uk

I ran this command: n/a

It produced this output: n/a

My web server is (include version): WAMP

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WAMP settings

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme v2.1.13.978.

Hi,

I am receiving inexplicable email messages from Let's Encrypt Staging Expiry Bot. There have been two emails so far, received on 2.7.2021 and on 12.7.2021.

The MESSAGES say:

You issued a testing cert (not a live one) from Let's Encrypt staging environment. This mail takes the place of what would normally be a renewal reminder, but instead is demonstrating delivery of renewal notices. ...

The only info I found on "staging certificate expiration" in this thread (linked) does not clarify 'for me' the reason I'm getting the messages. The thread posits that someone could be using my email address for renewing another domain.

According to the automatic "staging" notices, the renewal target is (see below):

DNS Names: www.teanow5pm.co.uk
Expiration Date: 22 Jul 21 08:41 +0000

The domain is correct, the expiration date is not.

Note, www.teanow5pm.co.uk is a mock-up site, as I'm running www.teanow5pm.co.uk in a developer environment on WAMP. The actual expiry on the issued certificate running on the WAMP server is 9.15.2021. "22 July 21 08:41 +0000" is not the real expiration date.

Apart from someone using my email address, what else might explain the emails from the Staging Expiry Bot?

Thanks – Tom

1 Like

I should also mention that the domain is live on a Siteground server in London, but the certificate renewal in question is for a non-live version of the domain on my WAMP server at home.

1 Like

Well, if it's your domain and your email address, it was probably you who set it up. :slight_smile:

Did you do any testing in the Let's Encrypt staging environment at all, months ago while configuring your certificates? What ACME clients have you used?

Some ACME clients, like certbot, don't send an email address when registering accounts in the staging environment (I think in part to mitigate confusing emails like the one you're getting), but I don't know how universal the practice is. I know I get staging expiration warning emails because my client does have the email set on my staging account, but they're for certificates that I know I made in the staging environment so they don't surprise me.

3 Likes

Hi. Thanks for the reply.

I ran some tests a few months ago. The logs for those are still on my system. The dates were in April, on 22.04.2021 and 23.04.2021. Since then no new logs have been added, indicating that wherever the "staging" certs came from, it wasn't done from my location.

I can only think that the Siteground live server tested a Let's Encrypt cert. These are automatically generated Let's Encrypt certificates for the domain, which I don't keep track of. It happens behind the scenes, but A) there should be no need for Siteground to run tests, and B) they wouldn't have been set up to send notifications to my email. Yet, somehow I am getting the messages.

This thread (link already posted above) says not to worry, nothing terrible could come of these not actually trusted certificates. Okay, I won't worry, but who could be doing this?

1 Like

I would say it was you:

Plus 90 days equals...?
[sometime in the very near future]

3 Likes

It couldn't have been me.

• The client generally creates a log file for "staged" tests. On 2 July and 12 July no logs exist.
• The renewal period on the "staged" certs, according to my configuration, is 55 days and not 90 days, so the expiry was already a while ago.

Both the email messages I received – 2 July and 12 July – contain the number of days to expiration. 10 days to expiration and 19 days.

Details:

Expiration Date: 22 Jul 21 08:41 +0000
Days to Expiration: 10

It might be an illegal activity, however harmless you think it is.

1 Like

Hello Tom. :slightly_smiling_face:

Please keep the knowledge in the following topic in mind, my friend:

Given that the ACME process was carefully designed to specifically prevent issuance of certificates to unauthorized parties and that those of us responding to you in this thread have collectively helped many thousands of people with certificate-issuance concerns, you can be fairly certain that if there were a strong concern, we would be the first to sound the alarm. That said, we do appreciate your vigilance and concern here and genuinely hope that both continue unabated. If these staging certificates were not deliberately (or accidentally) created by you, I believe they were almost certainly created by an entity to which you have delegated some significant degree of trust (your DNS provider or hosting provider). It would be necessary for such an entity to also know your email address for you to receive the expiry notifications, which further limits the field of suspects.

PS:

Unfortunately, you have hit into an area of disadvantage for purposes of investigating foul play. Tools like https://crt.sh are not available for staging certificates.

3 Likes

Hi Griffin,
Thank you.

The information about "expiration emails" in your linked thread is edifying. I might be experiencing emails sent twenty days, ten days and one day before a certificate expires (bullet point):

• sends an expiration email twenty days, ten days, and one day before a certificate expires

The method by which Let's Encrypt sends expiration messages in this instance overlooks my valid certificate, as against the "staged" certificate, that continues to be renewed. In other words, the Expiry Bot fails to recognize the valid certificate, so an expiration email is sent; the "staged" certificate and the live certificate are not considered as duplicates.

Perhaps this is wrong. Let's Encrypt (bullets from the thread link):

• considers a certificate to be a duplicate of another certificate if both certificates have the exact same list of subject alternative names (SANs), regardless of order

or:

• considers a certificate to be renewed if a newer duplicate of that certificate has been issued

I'm surprised neither of these conditions are met, however, so be it. I accept this as a sound explanation for the expiry emails.

In future I will know that "staged" expiry messages may be safely ignored. Very helpful, a good insight to have. Thanks. :slight_smile:

1 Like

As I believe you've already concluded, "production" certificates and "staging" certificates are handled and counted completely separately. This is absolutely necessary in order to avoid "staging" certificates and their generation being counted towards the rate limits for "production" certificates and their generation. Since the two types of certificates are governed by their own rate limits, they must be considered separate.

2 Likes
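To make the rules quoted in the two posts above concrete (reminders 20, 10 and 1 day before expiry; a duplicate is a certificate with exactly the same SAN set regardless of order; a certificate counts as renewed once a newer duplicate exists; staging and production are tracked completely separately), here is an added Python model of that logic. It is an example written for this thread, not code from Let's Encrypt, win-acme or any other project. The sample certificate history is constructed from the dates mentioned in the thread; the 90-day lifetime and the exact issuance times are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)   # assumed Let's Encrypt certificate lifetime
REMINDER_DAYS = (20, 10, 1)     # days before expiry at which the bot mails


@dataclass(frozen=True)
class Cert:
    env: str                 # "staging" or "production"; tracked separately
    sans: frozenset          # SAN list kept as a set, so order does not matter
    not_before: datetime     # issuance time (UTC)

    @property
    def not_after(self) -> datetime:
        return self.not_before + LIFETIME


def utc(*args) -> datetime:
    """Shorthand for a timezone-aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def is_duplicate(a: Cert, b: Cert) -> bool:
    """Same environment and exactly the same SAN set, regardless of order."""
    return a.env == b.env and a.sans == b.sans


def is_renewed(cert: Cert, issued) -> bool:
    """A cert counts as renewed once a newer duplicate has been issued."""
    return any(is_duplicate(cert, o) and o.not_before > cert.not_before
               for o in issued)


def reminder_window(cert: Cert, now: datetime):
    """Tightest reminder window (20, 10 or 1 day) the cert sits in at `now`,
    or None if it is more than 20 days from expiry or already expired."""
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        return None
    for days in sorted(REMINDER_DAYS):
        if remaining <= timedelta(days=days):
            return days
    return None


def reminders_due(issued, now: datetime):
    """Every unrenewed cert inside a reminder window, paired with that window.
    A production cert with the same SANs never silences a staging reminder,
    because is_duplicate() requires the same environment."""
    due = []
    for cert in issued:
        if is_renewed(cert, issued):
            continue        # a newer duplicate exists: no reminder
        window = reminder_window(cert, now)
        if window is not None:
            due.append((cert, window))
    return due


# Constructed sample history using the dates quoted in the thread: two
# staging test certificates from April (different SAN sets, so they are not
# duplicates of each other) and the live production certificate.
SAMPLE = [
    Cert("staging", frozenset({"teanow5pm.co.uk", "www.teanow5pm.co.uk"}),
         utc(2021, 4, 22, 8, 41)),
    Cert("staging", frozenset({"www.teanow5pm.co.uk"}), utc(2021, 4, 23, 8, 41)),
    Cert("production", frozenset({"www.teanow5pm.co.uk"}), utc(2021, 6, 17, 8, 41)),
]
STAGING_WWW, PRODUCTION_WWW = SAMPLE[1], SAMPLE[2]

# A later staging issuance for the same single SAN counts as a renewal of
# STAGING_WWW (constructed, not an issuance mentioned in the thread).
STAGING_RENEWAL = Cert("staging", frozenset({"www.teanow5pm.co.uk"}),
                       utc(2021, 7, 10, 9, 0))


if __name__ == "__main__":
    now = utc(2021, 7, 12, 12, 0)
    # 23 Apr 21 + 90 days = 22 Jul 21 08:41 +0000, the expiry quoted in the notice
    print("staging www cert expires:", STAGING_WWW.not_after)
    for cert, window in reminders_due(SAMPLE, now):
        print(f"{cert.env}: {sorted(cert.sans)} -> {window}-day reminder")
    print("after a staging renewal:",
          [(sorted(c.sans), w) for c, w in reminders_due(SAMPLE + [STAGING_RENEWAL], now)])
```

Run as a script it shows that on 12 July both April staging certificates are inside the 10-day window while the production certificate (expiring 15 September) is not, and that the production certificate does nothing to "renew" the staging one; only a newer staging certificate with the identical SAN set stops the staging reminder.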

I wasn't aware "staging" worked with an expiry. I think previously there were no expiry emails sent.

The two courses of action here then are to renew the "staging" certificate manually before it expires, or to let it lapse, which I will do. One question I still have regards whether "staged" certificates can be deleted in such a way that expiry notices are not emailed. For instance, the next time I want to run a "staged" test, will I be generating a new certificate or renewing an existing certificate?

1 Like

You can never actually delete a certificate from Let's Encrypt's history, so that's not a viable solution. Removing your email address from your ACME staging account is the true solution. In lieu of that, clicking the unsubscribe link in the staging email will unsubscribe that email address for an entire year for staging certificates.


If you generate a staging certificate covering the exact same set of SANs as any previously-issued staging certificate, the new certificate will be considered a renewal of the previously-issued certificate. There is no material distinction between a new certificate and a renewal certificate. :slightly_smiling_face:


Just in case it comes up, revocation is almost never an answer to anything.

2 Likes

Be careful, I think that both staging and production use the same email platform, so unsubscribing from a staging email might unsubscribe that email address from getting production notifications as well.

3 Likes

You may be right.

@lestaff

Clarification needed: Does unsubscribing from staging expiry emails result in unsubscribing from production expiry emails?

2 Likes

Well, there's this note at the end of the staging expiration notice I got last week: (emphasis added; URL redacted)

If you are receiving this email in error, unsubscribe at: [«url»] Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other production or staging certificates.

3 Likes

Or alternatively, not registering an email address at all the next time you end up creating a new staging account.

3 Likes

Yes, unsubscribing will affect all messages from any environment.

Revoking your staging certificates once they’re no longer needed should prevent you from receiving reminder emails about them. We don’t encourage revoking as a routine practice (unless necessary) in production, but in staging, do whatever’s convenient!

6 Likes

What about issuing a "staged" certificate without an email?

I don't know if leaving out the --emailaddress parameter is possible, or will it result in a failed test?

The command using win-acme would look something like this:

f:\letsencrypt\wacs.exe --force --target manual --host www.domain.com --validation ftp --webroot ftp://ftp.domain.com/domain.com/public_html --username i@domain.com --password ###### --store pemfiles --pemfilespath C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates --test --accepttos --notaskscheduler --verbose

I suspect an email address cannot be omitted.

And unsubscribing also unsubscribes "production" emails.

Anyway, I'm pleased that renewals and new certificates are the same; that I also did not know.

Thanks.

2 Likes

As an ACME client author myself (CertSage), I can absolutely assure you that you don't need to register an email address when creating an ACME account. Whether the particular ACME client you are using allows such operation is up to the author of that client.

rmbolger is the author of a (more well known) ACME client (Posh-ACME).

certbot has a parameter (--register-unsafely-without-email) specifically for this purpose.

2 Likes

Thanks for the definitive clarification fellas. :slightly_smiling_face: Ironically, I performed a massive purge of my primary email box about a week ago, which included a number of staging expiry emails. So, the answer to my question was sitting in my own email box... a week ago. :confused:

3 Likes

I'm not really familiar with win-acme particulars, but it's definitely possible to register an ACME account without an email address from a protocol perspective. I do it with all my staging accounts using Posh-ACME specifically because I don't care about expiration on those certs. It's also possible to remove an email address from an existing ACME account which would accomplish the same goal.

4 Likes