Re: Let's Encrypt Expiry
On Sun, May 28, 2017 at 01:29:43PM +0300, Rowan Thorpe wrote: > I've always received expiry-reminders for old certs, irrespective of > whether they've already been replaced by new certs on any given > servers, and whether the new ones are being used. I think that is just > a consequence of keeping their service as "stateless" as possible. > ... Thanks for the explanation! Makes sense to me now. ♪♫ Alex -- UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
Re: Let's Encrypt Expiry
On 28 May 2017 at 12:50, Alexander Burgerwrote: > Thanks Tomas, > >> I got these emails too and everything worked well for me. > > OK, this is reassuring. > >> Maybe added or removed names? > > Yeah, maybe ... ;) I've always received expiry-reminders for old certs, irrespective of whether they've already been replaced by new certs on any given servers, and whether the new ones are being used. I think that is just a consequence of keeping their service as "stateless" as possible. They don't/can't keep any indication of whether you are still using the old cert anywhere, so just in case you are, they don't disable notifications for it. This is probably because [A] it would become a scaling-nightmare if they tried, and [B] although they send you new certs, they can't force you to replace all uses of the old certs with them straight away (or to reload all services using the old certs - like email-servers, voip-servers, websocket servers, etc - in addition to the web-server). I configure various servers' TLS with symlinks to the latest LE cert-location and add daemon-reloads as end-hooks to the LE/certbot cronjob for that reason, but some services don't allow or misbehave with symlinked certs (I think I remember FreeSWITCH borking on it at some point, for example). -- UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
Re: Let's Encrypt Expiry
Thanks Tomas, > I got these emails too and everything worked well for me. OK, this is reassuring. > Maybe added or removed names? Yeah, maybe ... ;) ♪♫ Alex -- UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
Re: Let's Encrypt Expiry
I got these emails too and everything worked well for me. The email also said: For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message. Maybe added or removed names? It looks like picolisp.com was renewed on 2017-05-21, see https://crt.sh/?q=picolisp.com Tomas -- UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
Re: Let's Encrypt Expiry
Follow-up: Looking at the certificates of 7fach.de and picolisp.com, they both expire on August 18th. The mail said "on 16 Jun 17 15:43 +". So was this a false alarm? I do not remember creating some other picolisp.com certificate. Confusing ... On Sun, May 28, 2017 at 09:12:37AM +0200, Alexander Burger wrote: > Hi all, > > is here any Let's Encrypt expert? > > I got a mail from Let's Encrypt saying: > >Your certificate (or certificates) for the names listed below will expire > in >19 days (on 16 Jun 17 15:43 +). Please make sure to renew your >certificate before then, or visitors to your website will encounter errors. > > picolisp.com > > > Back then, I had created two certificates for 7fach.de and picolisp.com with > >certbot certonly --standalone -d 7fach.de -d picolisp.com > > Both certificates were created, and work well. > > > Then, a weekly cronjob renews it with > >certbot renew --standalone > > > This works well on other machines where I have only a single certificate. > > And on this machine the cert for 7fach.de was renewed a while ago, and now it > says: > >Cert not yet due for renewal >Processing /etc/letsencrypt/renewal/7fach.de.conf >The following certs are not due for renewal yet: > /etc/letsencrypt/live/7fach.de/fullchain.pem (skipped) >No renewals were attempted. > > It seems that 7fach.de was renewed, but not picolisp.com > > What am I doing wrong? > > ♪♫ Alex > > -- > UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe -- UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
Let's Encrypt Expiry
Hi all, is here any Let's Encrypt expert? I got a mail from Let's Encrypt saying: Your certificate (or certificates) for the names listed below will expire in 19 days (on 16 Jun 17 15:43 +). Please make sure to renew your certificate before then, or visitors to your website will encounter errors. picolisp.com Back then, I had created two certificates for 7fach.de and picolisp.com with certbot certonly --standalone -d 7fach.de -d picolisp.com Both certificates were created, and work well. Then, a weekly cronjob renews it with certbot renew --standalone This works well on other machines where I have only a single certificate. And on this machine the cert for 7fach.de was renewed a while ago, and now it says: Cert not yet due for renewal Processing /etc/letsencrypt/renewal/7fach.de.conf The following certs are not due for renewal yet: /etc/letsencrypt/live/7fach.de/fullchain.pem (skipped) No renewals were attempted. It seems that 7fach.de was renewed, but not picolisp.com What am I doing wrong? ♪♫ Alex -- UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe