On 28 May 2017 at 12:50, Alexander Burger <a...@software-lab.de> wrote:
> Thanks Tomas,
>
>> I got these emails too and everything worked well for me.
>
> OK, this is reassuring.
>
>> Maybe added or removed names?
>
> Yeah, maybe ... ;)

I've always received expiry-reminders for old certs, irrespective of whether they've already been replaced by new certs on any given servers, and whether the new ones are being used.

I think that is just a consequence of keeping their service as "stateless" as possible. They don't/can't keep any indication of whether you are still using the old cert anywhere, so just in case you are, they don't disable notifications for it.

This is probably because [A] it would become a scaling-nightmare if they tried, and [B] although they send you new certs, they can't force you to replace all uses of the old certs with them straight away (or to reload all services using the old certs - like email-servers, voip-servers, websocket servers, etc - in addition to the web-server).

I configure various servers' TLS with symlinks to the latest LE cert-location and add daemon-reloads as end-hooks to the LE/certbot cronjob for that reason, but some services don't allow or misbehave with symlinked certs (I think I remember FreeSWITCH borking on it at some point, for example).
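
The setup described in the message above, as an added example that is not part of the original post: a certbot deploy hook that reloads daemons reading the `live/` symlinks and hands regular-file copies to a service that cannot follow them. `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks; the service names and the `/etc/voip/tls` path are hypothetical.

```shell
#!/bin/sh
# Added example: certbot deploy hook (pass with --deploy-hook, or place in
# /etc/letsencrypt/renewal-hooks/deploy/). Certbot sets RENEWED_LINEAGE to
# the live/ directory of the certificate that was just renewed.

# Copy the renewed chain and key as regular files for a service that cannot
# follow certbot's symlinks. Files are written under temporary names and then
# renamed, so the service never reads a half-written file.
install_cert_copy() {
    src=$1; dest=$2
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    mkdir -p "$dest" || return 1
    old_umask=$(umask); umask 077   # key copy is never world-readable
    # cp -L dereferences live/*.pem -> archive/*N.pem
    cp -L "$src/fullchain.pem" "$dest/.fullchain.pem.new" &&
    cp -L "$src/privkey.pem"   "$dest/.privkey.pem.new" &&
    chmod 644 "$dest/.fullchain.pem.new" &&
    chmod 600 "$dest/.privkey.pem.new" &&
    mv -f "$dest/.privkey.pem.new"   "$dest/privkey.pem" &&
    mv -f "$dest/.fullchain.pem.new" "$dest/fullchain.pem"
    rc=$?
    umask "$old_umask"
    return $rc
}

# Runs only when certbot invokes the hook after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Daemons configured with the live/ symlinks only need to re-read them
    # (unit names are assumptions).
    systemctl reload nginx postfix
    # Hypothetical symlink-averse service: real files first, then restart.
    install_cert_copy "$RENEWED_LINEAGE" /etc/voip/tls &&
        systemctl restart voip-daemon
fi
```

Until a daemon has been reloaded or restarted it keeps serving the certificate it loaded at startup, which is why the hook acts on every consumer of the renewed lineage and not only the web server.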