Solved Letsencrypt expiration date not in sync with DA date (DA is too late)

Richard G

I've seen this before, and now I see it a second time, so I think it's time to ask.

Normally I don't get mails from Letsencrypt, but it seems I get them more often now, about SSL certificates which will expire soon.

Today I got another one:
Your certificate (or certificates) for the names listed below will expire in 1 days (on 27 Feb 22 13:02 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

Since this also happens when domains are stopped, I double-checked because I was sure this domain was not stopped and then I see this on the SSL page:
Let's Encrypt in use. Auto-renewal in 8 Days.

Certificate Expiry: Apr 5 08:08:46 2022 GMT

So I used my script to see when this was created, but could not find it. So it seems the creation date is not present on the server.

Can these things go wrong when a domain is moved from another server via admin backup/transfer? Shouldn't happen right?
 
And did you check the certificate yourself to confirm LE isn't talking about an older certificate? *Just thinking out loud ;)*
 
Good idea, but how do I do that? Normally I used that script from Erulezz for that, but that didn't even show the newly created one yet.
 
Just checked with a Google search thing for Letsencrypt, which will end 15 May this year, and found this:
16 Dec. 2021 - 16 Mar. 2022
which was another one, by the looks of it. An older one.

And found this:
5 Jan. 2022 - 5 Apr. 2022
which is the one which was running in DA at this moment.

And now the newest:
25 Feb. 2022 - 26 May 2022
which is the one I just created this evening.

But nothing ending February 27th as the LE mail stated.
 
I get these too. I believe they are related to creating a new certificate manually while the old one is still good. Only last week I got a 1 day expiration warning from LE and the certificate still has five or six weeks to go. I think LE keeps track of the date a certificate is created and knows when it expires. You could have multiple good certificates on record with them and one just expired while the one you are actually using is still good.
 
I think LE keeps track of the date a certificate is created and knows when it expires.
Yes that is the case, but that is also the odd thing. LE knows and keeps track of the certificate and this is valid for 90 days.
DA knows that too and keeps track and renews the certificates 60 days after creation, so way before LE would see that it expires.
There is no way that LE is keeping track of DA expiration dates. And even if that would be the case, DA said there were still 8 days before renew would start.

You can indeed have multiple good certificates on record and it's indeed possible to get these mails. But when looking I didn't see any certificate which would expire the 27th of February, calculating Letsencrypt's 90 days.

I checked with crt.sh and that domain had certificates created on July 17 and the next on December 16th. Counting 90 days is March 16th, so I'm confused as to why that mail was issued by LE.
Can't find anything there either which says February anywhere. So it looks like DA is doing it correctly, but the LE mail is not correct.
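
The check discussed in the posts above (find which logged certificate an expiry notice refers to, and whether a newer one already replaces it), as an added example that is not part of the thread. The JSON field names follow crt.sh's `output=json` format; the domain, serial numbers and timestamps are constructed, and treating a certificate as replaced only when a later one covers exactly the same set of names is this example's assumption.

```python
import json
from datetime import date, datetime

# Constructed sample shaped like crt.sh JSON output (?q=<domain>&output=json).
# Field names are crt.sh's; the domain, serials and timestamps are made up.
SAMPLE = json.dumps([
    {"serial_number": "aa01", "name_value": "example.test\nwww.example.test",
     "not_before": "2021-11-29T13:02:10", "not_after": "2022-02-27T13:02:09"},
    # Precertificate and leaf are logged separately but share a serial number.
    {"serial_number": "aa01", "name_value": "example.test\nwww.example.test",
     "not_before": "2021-11-29T13:02:10", "not_after": "2022-02-27T13:02:09"},
    {"serial_number": "bb02", "name_value": "www.example.test\nexample.test",
     "not_before": "2022-01-05T08:08:47", "not_after": "2022-04-05T08:08:46"},
    {"serial_number": "cc03", "name_value": "mail.example.test",
     "not_before": "2021-12-16T09:00:00", "not_after": "2022-03-16T08:59:59"},
])

def load_certs(raw):
    """Parse crt.sh JSON and collapse precertificate/leaf pairs by serial."""
    certs = {}
    for row in json.loads(raw):
        certs[row["serial_number"]] = {
            "serial": row["serial_number"],
            "names": frozenset(row["name_value"].split("\n")),
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
        }
    return list(certs.values())

def explain_notice(raw, notice_day):
    """For every logged certificate expiring on notice_day, list the newer
    certificates with the same name set issued before it expired."""
    certs = load_certs(raw)
    report = []
    for old in certs:
        if old["not_after"].date() != notice_day:
            continue
        newer = [c["serial"] for c in certs
                 if c["names"] == old["names"]
                 and old["not_before"] < c["not_before"] < old["not_after"]]
        report.append({"serial": old["serial"], "replaced_by": sorted(newer)})
    return report

if __name__ == "__main__":
    for day in (date(2022, 2, 27), date(2022, 2, 20)):
        hits = explain_notice(SAMPLE, day)
        print(day, hits or "no logged certificate expires on this date")
```

An empty result for the date in the notice means no certificate in the log data for that domain expires that day, so the notice cannot be explained by an older certificate for it.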
 
Yeah, when I looked in my case, I do see the certificate they were flagging as expiring. You can see the active one was created well before the prior one expired.

[Attached image: 1645840582518.png]
 
I don't understand what you mean by this. Of course you see expiration dates in February, as an older one was created in November, which is 90 days, so that is correct.
But like I said, the creation dates of the domain I'm talking about were in July and December, so no expiration dates in February like the email said.
They are March 16th 2022 and April and now also May...

Wait, I'll make a screenshot. I masked the IDs and the name because it's a customer of my admin so I don't know if the customer would like to see the name visible.

[Attached image: afbeelding.png]

As you can see, no February dates.
 
Sorry, I was not clear. I was saying in my case it did make sense to get the letter. Because I really did have a certificate from LE that expired only three days ago. So their warning email did make sense in my case - even though the website also had a certificate that was valid until April 5th. I am not sure why this is happening in your case.
 
Yep it's odd.
But investigating this, and checking with crt.sh it seems DA is working correctly and it's an LE issue. So maybe it's best to put this topic to solved as it's not a DA issue. And then see if it happens again, ask over at LE how this can happen.
 
Yep it's odd.
This:
"Can these things go wrong when a domain is moved from another server via admin backup/transfer? Shouldn't happen right?"

Brainstorm:
Is the domain still also on the old server somewhere? (at user or whatever)
And how does DA handle backup, restore, transfers to another server, then a renew, while the basic certs they are based on are of course different?

And also keeping the old info somewhere, or a kind of in-between solution used at transfer.

Do you see this only at transferred domains?

Revokes in between, manual or automatic, after backup restore / transfer? (even because main (basic) certs / keys from the server changed because of a bug or an update to old or wrong ones there) You had support for something key related (mail problem) in the past.....
 
Is the domain still also on old server somewhere? ( at user or whatever)
No. And even if it was, then the certificate had to be visible via the crt.sh website, which also shows the old certificates from 2020 when the domain was on the other server.

I've seen more of these kinds of mails lately but didn't give it much attention as they are from my admin and I thought the domain expired again. But now it's the 3rd time in a short time on this server, so now I had a further look and found this.

Another domain, which had been on this server longer and was not transferred, had the same and also had to be manually renewed.

So now I'm keeping an eye on this a bit stricter when I get new mails.

Marking this as solved because it seems this is not a DA error, since the dates in crt.sh and DA are equal.
 