On 28 May 2017 at 12:50, Alexander Burger <a...@software-lab.de> wrote:
> Thanks Tomas,
>> I got these emails too and everything worked well for me.
> OK, this is reassuring.
>> Maybe added or removed names?
> Yeah, maybe ... ;)
I've always received expiry-reminders for old certs, irrespective of
whether they've already been replaced by new certs on any given
servers, and whether the new ones are being used. I think that is just
a consequence of keeping their service as "stateless" as possible.
They don't/can't keep any indication of whether you are still using
the old cert anywhere, so just in case you are, they don't disable
notifications for it. This is probably because [A] it would become a
scaling-nightmare if they tried, and [B] although they send you new
certs, they can't force you to replace all uses of the old certs with
them straight away (or to reload all services using the old certs -
like email-servers, voip-servers, websocket servers, etc - in addition
to the web-server). I configure various servers' TLS with symlinks to
the latest LE cert-location and add daemon-reloads as end-hooks to the
LE/certbot cronjob for that reason, but some services don't allow or
misbehave with symlinked certs (I think I remember FreeSWITCH borking
on it at some point, for example).
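To make the symlink-plus-reload arrangement described in this reply concrete, here is an added example of a certbot `--deploy-hook` script; it is not code from the thread or from the certbot project. certbot does export `RENEWED_LINEAGE` (the `live/<name>` directory) and `RENEWED_DOMAINS` to deploy hooks; the service names, the copy directory for daemons that mishandle symlinked cert paths (the FreeSWITCH case mentioned above), and the `RELOAD_CMD` override are assumptions for illustration. The fingerprint helpers at the end let you confirm which certificate a daemon is actually presenting, which is the check that tells you whether an expiry reminder for an old cert can be ignored.

```shell
#!/bin/sh
# Added example of a certbot deploy hook (hypothetical; not from the thread or certbot).
# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs a --deploy-hook;
# the main block at the bottom only runs when RENEWED_LINEAGE is present.
set -u

# Services that read the symlinked /etc/letsencrypt/live/... paths and only need a reload.
RELOAD_SERVICES="${RELOAD_SERVICES:-nginx postfix dovecot}"
# Command used to reload a service (overridable, e.g. for a dry run).
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"
# Destination for daemons that misbehave with symlinked certs (assumed path).
COPY_DIR="${COPY_DIR:-/etc/freeswitch/tls}"

# Copy fullchain.pem and privkey.pem from $1 into $2 as regular files, following
# symlinks (certbot's live/ entries point into archive/). Prints "updated" when any
# file changed and "unchanged" otherwise, so the caller can reload only when needed.
copy_certs_dereferenced() {
  src=$1; dst=$2; status=unchanged
  mkdir -p "$dst"
  for f in fullchain.pem privkey.pem; do
    if ! cmp -s "$src/$f" "$dst/$f" 2>/dev/null; then
      cp -L "$src/$f" "$dst/$f.new"   # -L dereferences, so the copy is a plain file
      mv "$dst/$f.new" "$dst/$f"      # atomic replace; the daemon never sees a half-written key
      status=updated
    fi
  done
  chmod 600 "$dst/privkey.pem"
  echo "$status"
}

# Reload every service in RELOAD_SERVICES; prints the names that reloaded successfully,
# one per line, and reports failures on stderr without aborting the remaining reloads.
reload_services() {
  for svc in $RELOAD_SERVICES; do
    if $RELOAD_CMD "$svc" >/dev/null 2>&1; then
      echo "$svc"
    else
      echo "reload failed: $svc" >&2
    fi
  done
}

# SHA-256 fingerprint of a certificate file on disk.
file_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# SHA-256 fingerprint of the certificate actually presented by host $1 on port $2
# (SNI set to the host). Compare with file_fingerprint to verify a daemon really
# picked up the renewed cert. Needs network access; not exercised by the test.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
  echo "deploy hook for ${RENEWED_DOMAINS:-?} from $RENEWED_LINEAGE"
  copy_certs_dereferenced "$RENEWED_LINEAGE" "$COPY_DIR"
  reload_services
fi
```

Install it with `certbot renew --deploy-hook /path/to/this.sh` (or as a file under `renewal-hooks/deploy/`); the hook only fires when a certificate actually renewed, so the reloads do not run on every cron invocation. After a renewal, `file_fingerprint "$RENEWED_LINEAGE/fullchain.pem"` and `served_fingerprint mail.example.org 465` should agree for every service you care about; a mismatch means that daemon is still holding the old cert in memory, which is exactly the situation the expiry reminder is warning about.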