Why am I getting expiration notification for deleted certificates?

I successfully used certbot delete to delete certain certificates that I had used (for subdomains, I found out I can use a wildcard certificate instead, which I replaced all certs in nginx configurations with).

But I'm still getting e-mail notifications for expiring certs. Why is that?

1 Like

Deleting is a thing that you do on your own system. (And if you no longer need the certificates, is a right thing to do.)

But there are still plenty of auditing and confirming that you haven't told Let's Encrypt that the keys are compromised and whatnot, so the certificates still "exist", in the sense that they're public, they've been logged for Certificate Transparency, and Let's Encrypt is giving OCSP responses that they haven't been revoked. (And even if you did revoke them, none of that really goes away, it's just that the OCSP responses need to say that they've been revoked instead.)

And the reasoning for sending out expiration emails is that it may be that you deleted them from one server but were intending to set up an equivalent certificate on some other server. Really the Let's Encrypt servers don't know if any certificate was intended to be renewed or not, but many people find it helpful that emails are sent out in the case that their automated renewals and monitoring fail, even though it means that people who specifically intended to not renew a certificate (and adding or removing a name means that the existing one isn't really being renewed) get some emails that don't really help them out.

5 Likes

So the correct course of deleting would be to revoke them prior to that?

I suppose once expired I won't hear from them again. Thanks for the answer

1 Like

If you revoke them, I believe that you wouldn't get the email. But be aware that revoking means more work on the Let's Encrypt server side, not less, and that revoking really isn't necessary or helpful except in the cases of (1) key compromise, or (2) you no longer owning the domain name (like if you sold it to somebody else).

But yes, once expired Let's Encrypt won't bug you about those specific certificates again. If you want to avoid all Let's Encrypt email for a year, you can click the unsubscribe button on the email. If you want to avoid all Let's Encrypt email forever, you can remove the email address on the ACME account (though not all ACME clients make doing so simple). But if you avoid getting email from Let's Encrypt, then you also avoid getting any other notifications (which aren't regularly sent, but like if they needed to revoke your certificate due to an incident on their side, or if you were using a client that used an old API that was going away, those kinds of things they do send mail about but you won't get if you've unsubscribed).

I get annoyed a bit too at times; I just got an email for an expiring certificate where I had added a name, so I was kind of expecting it but still wanted to go double-check that my systems were working right. But I'd rather get the emails than not. There have been various proposals to make the expiration emails "smarter" in various ways, but as with all engineering there are tradeoffs to understand and not always the time that one would hope for. Let's Encrypt has a really small staff, considering how big their operation is.

4 Likes

I'm not annoyed, letsencrypt is a wonderful service and the notification e-mails are a nice feature. Have a nice day good sir.

3 Likes

No, the correct course of action is to just ignore the email.

Revoking a Certificate creates a burden on the entire SSL ecosystem - from the LetsEncrypt servers that handle certificate revocation, to the servers that proxy/cache revocation lists, to clients that check for validity.

5 Likes

FYI: end leaf certificates from Let's Encrypt only have OCSP revocation checking, no CRL to be updated.

4 Likes

Though Mozilla would really like Let's Encrypt to publish CRLs:

Based on current discussions, it is possible that Let's Encrypt will publish CRLs in the future (though maybe behind closed doors). Apple will require a similar thing starting on October 1, 2022.

(Sorry for taking this thread off-topic. In case the dicussion continues we might wanna move this)

4 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

3 Likes
3 Likes

I love this forum!
The topic is solved on post #2 and yet it still gets eight more posts (after that)!
[this post doesn't count - LOL]

2 Likes