Re: Let's Encrypt Expiry

2017-05-28 Thread Alexander Burger
On Sun, May 28, 2017 at 01:29:43PM +0300, Rowan Thorpe wrote:
> I've always received expiry-reminders for old certs, irrespective of
> whether they've already been replaced by new certs on any given
> servers, and whether the new ones are being used. I think that is just
> a consequence of keeping their service as "stateless" as possible.
> ...

Thanks for the explanation! Makes sense to me now.

♪♫ Alex

-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: Let's Encrypt Expiry

2017-05-28 Thread Rowan Thorpe
On 28 May 2017 at 12:50, Alexander Burger wrote:
> Thanks Tomas,
>
>> I got these emails too and everything worked well for me.
>
> OK, this is reassuring.
>
>> Maybe added or removed names?
>
> Yeah, maybe ... ;)

I've always received expiry-reminders for old certs, irrespective of
whether they've already been replaced by new certs on any given
servers, and whether the new ones are being used. I think that is just
a consequence of keeping their service as "stateless" as possible.
They don't/can't keep any indication of whether you are still using
the old cert anywhere, so just in case you are, they don't disable
notifications for it. This is probably because [A] it would become a
scaling-nightmare if they tried, and [B] although they send you new
certs, they can't force you to replace all uses of the old certs with
them straight away (or to reload all services using the old certs -
like email-servers, voip-servers, websocket servers, etc - in addition
to the web-server). I configure various servers' TLS with symlinks to
the latest LE cert-location and add daemon-reloads as end-hooks to the
LE/certbot cronjob for that reason, but some services don't allow or
misbehave with symlinked certs (I think I remember FreeSWITCH borking
on it at some point, for example).
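
For services that misbehave with symlinked certs, one option is a certbot deploy hook that installs regular-file copies before the reload. This is an added example, not part of the original post; the destination path and service name are hypothetical, and it assumes certbot's `RENEWED_LINEAGE` variable points at the `live/<name>` directory.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Hypothetical reload command for a service that cannot follow symlinks.
RELOAD_CMDS = [["systemctl", "reload", "example-voip"]]


def install_real_copies(lineage, dest, files=("fullchain.pem", "privkey.pem")):
    """Copy the symlink targets under `lineage` into `dest` as regular files."""
    dest = Path(dest)
    dest.mkdir(mode=0o700, parents=True, exist_ok=True)
    installed = []
    for name in files:
        # live/<name>/*.pem are symlinks into archive/; resolve to the real file.
        src = Path(lineage, name).resolve(strict=True)
        # mkstemp creates the temp file with mode 0600, so the key is never
        # world-readable, not even briefly.
        fd, tmp = tempfile.mkstemp(dir=dest, prefix=name + ".")
        try:
            with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
                shutil.copyfileobj(inp, out)
            os.chmod(tmp, 0o600 if name == "privkey.pem" else 0o644)
            # Atomic rename: the service never sees a half-written file.
            os.replace(tmp, dest / name)
        except BaseException:
            os.unlink(tmp)
            raise
        installed.append(dest / name)
    return installed


if __name__ == "__main__":
    # certbot exports RENEWED_LINEAGE to deploy hooks after a successful renewal.
    install_real_copies(os.environ["RENEWED_LINEAGE"], "/etc/example-voip/tls")
    for cmd in RELOAD_CMDS:
        subprocess.run(cmd, check=True)
```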



Re: Let's Encrypt Expiry

2017-05-28 Thread Alexander Burger
Thanks Tomas,

> I got these emails too and everything worked well for me.

OK, this is reassuring.

> Maybe added or removed names?

Yeah, maybe ... ;)

♪♫ Alex



Re: Let's Encrypt Expiry

2017-05-28 Thread Tomas Hlavaty
I got these emails too and everything worked well for me.
The email also said:

   For details about when we send these emails, please visit
   https://letsencrypt.org/docs/expiration-emails/. In particular, note
   that this reminder email is still sent if you've obtained a slightly
   different certificate by adding or removing names. If you've replaced
   this certificate with a newer one that covers more or fewer names
   than the list above, you may be able to ignore this message.

Maybe added or removed names?

It looks like picolisp.com was renewed on 2017-05-21, see
https://crt.sh/?q=picolisp.com

Tomas
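
The rule in the quoted reminder text can be turned into a small triage check over a certificate inventory. This is an added example, not part of the original post; the certificate records and dates are constructed, loosely modelled on the thread, and names are compared by exact match only (no wildcard handling).

```python
from datetime import datetime, timezone


def triage_reminder(expiring, issued, now):
    """Classify an expiry reminder for `expiring` against the other certs.

    Each cert is a dict with "names" (set of DNS names), "not_before" and
    "not_after" (timezone-aware datetimes).
    """
    newer = [c for c in issued
             if c is not expiring
             and c["not_before"] > expiring["not_before"]
             and c["not_after"] > now]
    # A newer cert with the identical name set is a plain renewal.
    if any(c["names"] == expiring["names"] for c in newer):
        return ("renewed", set())
    # Otherwise check every name individually: a replacement that covers
    # "more or fewer names" may have dropped one that is still in use.
    covered = set().union(*(c["names"] for c in newer))
    uncovered = expiring["names"] - covered
    if not uncovered:
        return ("ignorable", set())
    return ("action-needed", uncovered)


def utc(year, month, day):
    return datetime(year, month, day, 15, 43, tzinfo=timezone.utc)


# Constructed inventory: an older single-name cert plus a newer two-name cert.
OLD = {"names": {"picolisp.com"},
       "not_before": utc(2017, 3, 18), "not_after": utc(2017, 6, 16)}
COMBINED = {"names": {"7fach.de", "picolisp.com"},
            "not_before": utc(2017, 5, 20), "not_after": utc(2017, 8, 18)}

if __name__ == "__main__":
    print(triage_reminder(OLD, [OLD, COMBINED], utc(2017, 5, 28)))
```

An "ignorable" result only says that a newer certificate exists for every name; whether each service has actually loaded it still has to be checked on the server.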



Re: Let's Encrypt Expiry

2017-05-28 Thread Alexander Burger
Follow-up:

Looking at the certificates of 7fach.de and picolisp.com, they both expire on
August 18th. The mail said "on 16 Jun 17 15:43 +".

So was this a false alarm? I do not remember creating some other picolisp.com
certificate. Confusing ...


On Sun, May 28, 2017 at 09:12:37AM +0200, Alexander Burger wrote:
> Hi all,
> 
> is there any Let's Encrypt expert here?
> 
> I got a mail from Let's Encrypt saying:
> 
>    Your certificate (or certificates) for the names listed below will expire in
>    19 days (on 16 Jun 17 15:43 +). Please make sure to renew your
>    certificate before then, or visitors to your website will encounter errors.
> 
>   picolisp.com
> 
> 
> Back then, I had created two certificates for 7fach.de and picolisp.com with
> 
>    certbot certonly --standalone  -d 7fach.de  -d picolisp.com
> 
> Both certificates were created, and work well.
> 
> 
> Then, a weekly cronjob renews it with
> 
>    certbot renew --standalone
> 
> 
> This works well on other machines where I have only a single certificate.
> 
> And on this machine the cert for 7fach.de was renewed a while ago, and now it
> says:
> 
>    Cert not yet due for renewal
>    Processing /etc/letsencrypt/renewal/7fach.de.conf
>    The following certs are not due for renewal yet:
>      /etc/letsencrypt/live/7fach.de/fullchain.pem (skipped)
>    No renewals were attempted.
> 
> It seems that 7fach.de was renewed, but not picolisp.com
> 
> What am I doing wrong?
> 
> ♪♫ Alex
> 



Let's Encrypt Expiry

2017-05-28 Thread Alexander Burger
Hi all,

is there any Let's Encrypt expert here?

I got a mail from Let's Encrypt saying:

   Your certificate (or certificates) for the names listed below will expire in
   19 days (on 16 Jun 17 15:43 +). Please make sure to renew your
   certificate before then, or visitors to your website will encounter errors.

  picolisp.com


Back then, I had created two certificates for 7fach.de and picolisp.com with

   certbot certonly --standalone  -d 7fach.de  -d picolisp.com

Both certificates were created, and work well.


Then, a weekly cronjob renews it with

   certbot renew --standalone


This works well on other machines where I have only a single certificate.

And on this machine the cert for 7fach.de was renewed a while ago, and now it
says:

   Cert not yet due for renewal
   Processing /etc/letsencrypt/renewal/7fach.de.conf
   The following certs are not due for renewal yet:
     /etc/letsencrypt/live/7fach.de/fullchain.pem (skipped)
   No renewals were attempted.

It seems that 7fach.de was renewed, but not picolisp.com

What am I doing wrong?

♪♫ Alex
