Let's Encrypt

Dear Lazyweb:

Why is Let's Encrypt emailing me saying "Your certificates will expire in 10 days" about dnalounge.com? As far as I can tell it doesn't expire until August.

The email lists every domain in that cert except for mta-sts, which was added recently.

"certbot renew" says "Cert not yet due for renewal" for every domain. Version 0.31.0.

Previously, previously.

Tags: , , , ,

14 Responses:

  1. Kazriko says:

    Looks like that was probably your old renewal date, your certificate renewed on the 13th of this month, possibly automatically. Was it sent before the 13th, or after?

  2. mike says:

    I've had Let's Encrypt email me telling me a certificate is going to expire on ${date} the certificate I'm using actually expires later than ${date}. It was because I had obtained a new certificate, with an extra Subject Alt Name and not done anything about invalidating the old one. You say mta-sts was added recently. So when you added mta-sts (on 13th May?) that meant getting a new certificate, right? So the expiry email is for the previous certificate. That's my theory anyway. I remember the expiry email giving no information about the certificate other than domain and expiry.

    • jwz says:

      Ok, that makes sense.

      When I have needed to add a new domain or subdomain to my cert, I have done that by just re-running the long "certbot-auto certonly --debug --webroot -w ... -d ..." command with the new domain added, and it overwrites the files. Is there some more correct way to accomplish that?

      • mike says:

        If there's a more correct way I would be happy to see someone else enlighten us both. :)

      • Ewen Mcneill says:

        AFAICT that’s the correct method to change the alt names. But to avoid both versions of the cert being renewed, you need to explicitly revoke the old version of the certificate.

        Part of the problem is that it does not overwrite files when you get a new version of the cert; they live on in the archive directory forever, and they just update symlinks.

        My current approach is to avoid alt names if at all possible, get single domain certs, and rely on SNI to serve the correct cert. There are relatively few browsers still in use that don’t support SNI.


      • Nick Lamb says:

        What you did seems fine. The reminder robot is intentionally very dumb, it will remind you about any set of names for which you had a certificate and it's expiring but nobody has a new certificate from Let's Encrypt for the exact same set of names. If you have an idea you're actually sure is better for everybody you could try proposing it, but don't get your hopes up - there's a reason they went with the very dumb option. The robot will stop bothering you once the certificate it's worried about actually expires.

        You might look at incantations involving --cert-name to be explicit that you are definitely looking to replace a specific certificate, as otherwise it's just guessing and if it ever guesses wrong it may either create a separately named certificate file for the new cert, or contrariwise overwrite one you need with a new one you expected to go into a new file. If you're explicit about which certificate you mean then it's only your fault if you pick the wrong one.

        Sometimes you will see people advising revoking old certs. As a general rule this is either pointless or actively counter-productive. Obviously if scumbags actually broke into your server and copied the private keys then revocation makes some sense (though it isn't terribly effective) but especially for short-lived certs it's nonsense to revoke them just because of routine replacement. Last I knew, it doesn't touch Let's Encrypt rate limits, the reminder robot, or anything else useful.

  3. Ryan Finnie says:

    The emails used to include this which explains why in your situation:

    For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

    No idea why they stopped including that paragraph.

  4. SteveB says:

    I’ve (mostly) stopped bothering with altnames on certificates - they were just a hack to mitigate the fee structure for commercial CAs.

    Now that I’m using LetsEncrypt for almost everything, I just get a whole certificate for each domain and let SNI serve the right one out to a client, but how easy this is depends on what saw you use (haproxy works for me, but ymmv as always).

    I guess this can also help to not tell people that visit http://www.domain1.com that you also host http://www.domain2.com which might matter to some people.

    • Nick Lamb says:

      SANs (which appear in PKIX in 1999 but before that there isn't really any standard for how this works, shoving an FQDN into the X.509 Common Name RDN is definitely a hack) aren't a hack to mitigate the fee structure. If you just wanted such a hack you could (but please don't) have done it already by just documenting a new way to interpret multiple DNs in X.509. There are (historical, please do not attempt at home) examples of this being tried.

      SANs put the machine readable things (IP addresses, DNS names, email addresses) into a machine readable field defined in a sane way for the purpose, e.g. an IPv4 address is 4 bytes, so you can't have an ipAddress SAN for 100.200.300.400 whereas writing that in the Common Name of an X.509 cert "works" fine even though it's nonsense.

      A more actionable example might be DNS where SAN dnsNames are explicitly the "punycode" ASCII DNS name [except the first label might be replaced by an asterisk, the wildcard], and you literally can't write emoji, Cyrillic, Linear B or whatever else might seem fun, because the ASN.1 definition doesn't allow for it. And so when IDNs became a thing this all just magically worked, whereas over in the X.509 Common Name it continues to cause untold chaos, even today in languages like Python, because there's nothing stopping them writing whatever they think you wanted and then good luck if any particular software will agree with that.

      Today popular software including Firefox and Chrome only looks at SANs (in the Web PKI). A certificate you think of as "Not having altnames" actually has exactly one SAN, and the Common Name is just filled out with some textual representation of that SAN as a courtesy. Well written software isn't looking at CN, it's for humans only.

      The "alternative" doesn't mean in the sense of an alias, but in the sense that these names are the Internet's alternative to the X.500 series directory system for which X.509 was conceived. Since the X.500 directory system never really happened this "alternative" is now in reality the only game in town.

  5. Erorus says:

    The other replies here seem correct, but just to be thorough, here is the cert it's warning you about: https://crt.sh/?id=1250961232

  • Previously