Undesired notifications / crontab


#1

I have been using Letsencrypt for 2 years and always receive notifications about certificates expiring.

This week I received a notification that the certificate will expire in 19 days. Just 3 days before, an update was tried but was declined.

I don’t want to generate traffic and unnecessary updates which get declined anyway. I always get notifications and am unable to set up a crontab so that I don’t get notifications.

I think the 90 days certificate validity is not so well chosen. If it were 110 days, everybody could set up an easy 3 months update interval; if you miss that, 5 days later Letsencrypt would send a notification and after 110 days delete the certificate.

When sticking to the 90 days certificate validity, it should be possible to update the certificate after 60 days so someone can set up an easy 2 months recurring crontab.

Please have a look into the certificate validity, notification day setting and allowed update date so that we do not generate unnecessary updates and don’t always get notifications.


#2

Hi,

Even if you set up a crontab, the message is still going to be sent to your mailbox.

What you could do is click on the unsubscribe link; then you’ll never receive a new email from Let’s Encrypt (expiring notices).

That is possible if you run a force renew every 60 days.


#3

It is perfectly possible to do this. It’s recommended, however, to simply run certbot --renew daily–it will check your certs, and (by default) renew them when there’s less than 30 days’ validity remaining. You should never get a renewal notice by email in normal operation.


#4

Can you explain more about your situation?

What ACME client are you using? What are your domains? What kind of cron job is configured?

What do you mean? What tried to update? What was it updating? What declined it? Why was it declined?


#5

The correct form of this command is certbot renew (just in case @pezuratuz is interested in acting on this suggestion!).


#6

Disabling notifications is not what I want, when I have a problem, I would like to be notified of an expiring certificate.

cat /etc/cron.d/certbot

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew

Running twice daily, but checks if it has to renew.

I think there is much more wrong:
2018-06-17 10:48:17,265:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-07-17 07:07:21 UTC.

2018-06-17 10:48:42,012:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/domain.com/privkey3.pem.

And I see the new key, and it is loaded in apache:
Certificate expires on Saturday, 15. September 2018.

On Sunday, 17 June at 14:04 (12:04 UTC, so 1 hour and 20 minutes later) I got the message: Your certificate (or certificates) for the names listed below will expire in 19 days (on 07 Jul 18 12:02 +0000).

These were the updated certs:
-rw------- 1 root root 1704 Jan 28 05:30 0009_key-certbot.pem
-rw------- 1 root root 1704 Apr 8 15:02 0010_key-certbot.pem (mail notification uses the date of this certificate, instead of the one created on Apr 18)
-rw------- 1 root root 1704 Apr 18 10:05 0011_key-certbot.pem (this one was loaded in apache when certbot verified)
-rw------- 1 root root 1704 Jun 17 12:48 0012_key-certbot.pem (updated from certbot)


#7

What’s the real domain?

What does “certbot certificates” show?


#8

Found the following certs:
Certificate Name: minerva11.mine.bz
Domains: minerva11.mine.bz
Expiry Date: 2018-09-15 09:48:28+00:00 (VALID: 85 days)
Certificate Path: /etc/letsencrypt/live/minerva11.mine.bz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/minerva11.mine.bz/privkey.pem
Certificate Name: swissluxuryhair.com
Domains: swissluxuryhair.com swissluxuryhair.ch www.swissluxuryhair.ch www.swissluxuryhair.com
Expiry Date: 2018-09-15 09:48:41+00:00 (VALID: 85 days)
Certificate Path: /etc/letsencrypt/live/swissluxuryhair.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/swissluxuryhair.com/privkey.pem


#9

Is it this certificate that’s expiring, then?

https://crt.sh/?id=388950103

You replaced it with one or two different certificates with different combinations of names. As the emails explain, the email alert system only considers it a “renewal” if a new certificate with the exact same names is issued. Even though everything is okay, and the certificates you’re using now are being renewed, you’ll get warnings about that old certificate until it expires.

It’s just a huge coincidence that the timing aligned so that you got an email about the old certificate on the same day as you renewed the new certificates. :sweat:
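The matching rule described in post #9, worked through as an added example that is not part of the original thread or of Let's Encrypt's own code: a certificate only counts as renewed when a later one carries the exact same set of names, so a split-up certificate keeps drawing notices even though every name is still covered. The host names, the `warn_days` threshold and all function names are assumptions made for illustration; the expiry dates follow the ones quoted in the thread.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed issuance history (names are placeholders, not the poster's domains).
# Each entry: (label, set of names on the certificate, notAfter).
ISSUED = [
    ("combined-old", {"a.example", "b.example", "www.b.example"},
     datetime(2018, 7, 7, 12, 2, tzinfo=UTC)),
    ("split-a", {"a.example"}, datetime(2018, 7, 17, 7, 7, tzinfo=UTC)),
    ("split-b", {"b.example", "www.b.example"}, datetime(2018, 7, 17, 7, 7, tzinfo=UTC)),
    ("split-a-renewed", {"a.example"}, datetime(2018, 9, 15, 9, 48, tzinfo=UTC)),
    ("split-b-renewed", {"b.example", "www.b.example"},
     datetime(2018, 9, 15, 9, 48, tzinfo=UTC)),
]


def is_renewed(cert, issued):
    """Renewed only if another cert has the exact same name set and expires later."""
    _, names, not_after = cert
    return any(n == names and na > not_after for _, n, na in issued)


def expiry_warnings(issued, now, warn_days=20):
    """Certs that would draw a notice: unexpired, inside the window, not renewed.

    warn_days is an assumed threshold for this example.
    """
    out = []
    for cert in issued:
        left = cert[2] - now
        if timedelta(0) < left <= timedelta(days=warn_days) and not is_renewed(cert, issued):
            out.append((cert[0], left.days))
    return out


def names_still_covered(cert, issued, now):
    """Triage helper: is every name on `cert` also on some other, longer-lived cert?"""
    live = set()
    for label, names, not_after in issued:
        if label != cert[0] and not_after > max(now, cert[2]):
            live |= names
    return cert[1] <= live


if __name__ == "__main__":
    now = datetime(2018, 6, 17, 12, 4, tzinfo=UTC)
    for label, days in expiry_warnings(ISSUED, now):
        cert = next(c for c in ISSUED if c[0] == label)
        print(label, days, "covered elsewhere:", names_still_covered(cert, ISSUED, now))
```

A notice for which `names_still_covered` returns true can be treated as informational; one for which it returns false means a name is about to lose coverage and the renewal job needs attention.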


#10

Thanks for your explanation.

From 2018-04-08 I created/rearranged my certificates several times. On 2018-04-18 they were split.
https://crt.sh/?q=swissluxuryhair.com
https://crt.sh/?q=minerva11.mine.bz

Everything is steady since 2018-04-18, both have the same expiry date 2018-09-15, I will keep an eye on it.

