DA not in sync with Letsencrypt

Richard G

OK, I just got a notice from Letsencrypt by email:
Your certificate (or certificates) for the names listed below will expire in
9 days (on 12 Jun 17 18:54 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

mycompany.nl
www.mycompany.nl

But under SSL in Directadmin it says:
Let's Encrypt in use. Auto-renewal in 40 Days.

And a bit lower:
Certificate Hosts ftp.mycompany.nl, mycompany.nl, subdomain.mycompany.nl, www.mycompany.nl
Certificate Expiry Aug 11 21:22:00 2017 GMT

Expiry Aug 11 is indeed 40 days. So why is DA out of sync, because I get a message that the certificate will expire June 12th?
 
Hi,

You probably first got a certificate for mycompany.nl and www.mycompany.nl
Afterwards you added the subdomains subdomain.mycompany.nl and ftp.mycompany.nl

DA will then request a new certificate, but the old one is also still known by Let's Encrypt.
It's the old one that will expire in 9 days (since it won't be renewed).
And the new one will be renewed by DA in 40 days.

I don't know if there is a possibility for DA to revoke certificates before requesting a new one with more subdomains.
If so, this might be a feature request.

regards,
Stijn
 
Hello Stijn.

What you explain could indeed well be the case. Indeed, some time later I discovered that I had forgotten subdomain.mycompany.nl, removed Letsencrypt and then created one again, adding the subdomain to it. I was wondering about that myself too.
But I thought that if you requested full new certificates, the old, still valid ones would become obsolete or be overwritten by Letsencrypt.

If that is not the case we indeed need some form of revoke capability.

But I still have a bit of doubts if that is the case, because you only get 1 key.

Greetings, Richard.
 
If the email notice is from LetsEncrypt, and not from DA, it might be something on the LetsEncrypt end of things if the original certificate was re-created a few times.
They could be storing multiple copies of the same certificate setup, so while DA is renewing a newer version, their system also noticed the previous version wasn't updated recently.
Basically, if DA didn't renew the current cert, you might get 2 notices at different times for the 2 different LE requests, even though they might use the same domain for both certificates.

Anyway, we can just confirm things by looking at the contents of the file:
Code:
/usr/local/directadmin/data/users/user/domains/domain.com.cert.creation_time
and compare with the start-date of the certificate when viewed through apache. They should be the same.
So if we've confirmed the creation_time file has the same start as the cert, then the expiry should then be valid.
If the email received contradicts this completely, then it's probably just the duplicate request on the LetsEncrypt side of things... and might be able to be ignored.

I think an actual revoke might be required to stop the first request to stop the emails, but DA does not do this.

John
 
Yes, the email notice was from Letsencrypt, that's why I knew something was not in sync, which could indeed well be on their side.
The original certificate was recreated twice.
Hmmz... It's indeed possible what you say that they also have the original certificate in backup (multiple copies). Let's wait and see what will happen in a couple of days.

I looked at the content of the file, but could not determine the date, because it's not in a normal time notation.
This was the content:
Code:
1494714090
I don't know what date that is.
 
That's good as that would be May 13 2017 @ 22:21:30, it is a unix timestamp (based on the number of seconds since Jan 1 1970). What is the expiry date on the actual certificate at the moment?
 
For future references. I can now confirm that older certificates, when only an addition is done, are saved by Letsencrypt.
My certificate expired today according to another mail from Letsencrypt, but my site's certificate is still working. So it must be an older certificate, an earlier one I created, saved by Letsencrypt, which expired today.
 
Also nifty is the crt.sh website. There you can view all certificates a domain has ever had including old not yet expired let's encrypt certificates.
 
Had a similar issue recently.
Some time ago I was looking into the certs of one of my own websites. Changed something, not sure what again, but noticed the renew date didn't show anymore.
Sure enough, I recently got an email that the cert would expire.
Renewed the certs successfully manually, but a few days later, I got another email that certs would expire soon.
Renewed the certs again.

Now when looking at the above site, crt.sh, I notice there's now a double number of certs active for my website.
 

Attachment: screenpic 1.jpg
Yes every time you create a new one. And some of the older ones will be remembered by Letsencrypt and will expire at some time, which can create confusion.
It might be better to revoke them before creating new ones. This prevents the confusion.
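The crt.sh check described in the last few posts, worked through as an added example (this is not code from the thread or from DirectAdmin). It assumes that `https://crt.sh/?q=%25.mycompany.nl&output=json` returns a list of objects with `id`, `name_value`, `not_before` and `not_after` fields; the entries below are constructed to mirror the thread (an old two-name certificate, a three-name one, the current four-name one, and one that already expired), with one issuance listed twice because crt.sh logs the precertificate and the final certificate separately. Certificates that are still valid but fully covered by a newer one are the "stray" ones that keep triggering Let's Encrypt expiry mails and are the candidates for the revocation suggested above.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (assumption about the
# field names; values are invented, not taken from a real query).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 9,  "name_value": "mycompany.nl\nwww.mycompany.nl",
     "not_before": "2017-01-10T18:00:00", "not_after": "2017-04-10T18:00:00"},
    {"id": 10, "name_value": "mycompany.nl\nwww.mycompany.nl",
     "not_before": "2017-03-14T18:54:00", "not_after": "2017-06-12T18:54:00"},
    {"id": 11, "name_value": "mycompany.nl\nwww.mycompany.nl",          # precert of id 10
     "not_before": "2017-03-14T18:54:00", "not_after": "2017-06-12T18:54:00"},
    {"id": 12, "name_value": "ftp.mycompany.nl\nmycompany.nl\nwww.mycompany.nl",
     "not_before": "2017-05-01T10:00:00", "not_after": "2017-07-30T10:00:00"},
    {"id": 13, "name_value": "ftp.mycompany.nl\nmycompany.nl\nsubdomain.mycompany.nl\nwww.mycompany.nl",
     "not_before": "2017-05-13T21:22:00", "not_after": "2017-08-11T21:22:00"},
])
NOW = datetime(2017, 6, 3, 12, 0)   # the day the "expires in 9 days" mail arrived

CRTSH_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def load_crtsh(text):
    """Parse crt.sh JSON into one record per issuance (precert + leaf collapsed)."""
    seen, certs = set(), []
    for entry in json.loads(text):
        names = frozenset(n.strip().lower() for n in entry["name_value"].split("\n") if n.strip())
        not_before = datetime.strptime(entry["not_before"], CRTSH_TIME_FORMAT)
        not_after = datetime.strptime(entry["not_after"], CRTSH_TIME_FORMAT)
        key = (names, not_before, not_after)
        if key in seen:                      # same issuance logged twice
            continue
        seen.add(key)
        certs.append({"id": entry["id"], "names": names,
                      "not_before": not_before, "not_after": not_after})
    return sorted(certs, key=lambda c: c["not_before"])


def classify(certs, now):
    """Label each certificate: expired, not yet valid, live, or stray.

    A stray certificate is still within its validity window but every name on it
    is also on a newer, currently valid certificate; nothing serves it any more,
    yet Let's Encrypt will still send expiry notices for it.
    """
    valid = [c for c in certs if c["not_before"] <= now < c["not_after"]]
    report = []
    for c in certs:
        if not (c["not_before"] <= now < c["not_after"]):
            status = "expired" if now >= c["not_after"] else "not yet valid"
        elif any(o["not_before"] > c["not_before"] and o["names"] >= c["names"] for o in valid):
            status = "stray"
        else:
            status = "live"
        report.append({"id": c["id"], "status": status,
                       "expires_in_days": (c["not_after"] - now).days,
                       "names": sorted(c["names"])})
    return report


if __name__ == "__main__":
    for row in classify(load_crtsh(SAMPLE_CRTSH_JSON), NOW):
        print(f"crt.sh id {row['id']:>3}  {row['status']:<13} "
              f"expires in {row['expires_in_days']:>4} days  {', '.join(row['names'])}")
```

Against a real crt.sh dump the only change is fetching the JSON instead of using the constructed constant; the "stray" rows are the certificates whose expiry mails can be ignored, or revoked if you want the mails to stop.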
 
I think I've mentioned it earlier some time ago, but IMO it would be nice to have a quick overview in DA's domains list which domains have active certs.
In addition to that, some kind of (separate/central?) cert management tool as a part of DA would make dealing with certs a lot clearer, and spotting 'stray', useless certs easier.
 
I also ran into this issue when Let's Encrypt was first added to DA. I manually renewed a couple of certificates and received expiry e-mails for the old (before the manually renewed ones) certificates. Something to be aware of :) SSLLabs always tells you the correct renew date. Or use this DirectAdmin script I created a while back;

https://github.com/Erulezz/directadmin-letsencrypt-show-domains

With one simple command you can see all the Let's Encrypt certificates active on the server, including the hostname certificate: creation date, renew dates (based on the default 60 days), etc.
 
Nice script, that's all according to DA. Would be nice if the expiration date was also included which is also visible in DA. ;)
 
Hello,
I'd suggest that you take actual renewal_days from directadmin.conf:


Code:
letsencrypt_renewal_days=`/usr/local/directadmin/directadmin c | grep ^letsencrypt_renewal_days= | cut -d\= -f2`
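John's creation_time check and the renewal_days lookup above, combined into one small script as an added example (not code from the thread, from DirectAdmin, or from the linked GitHub script). The three inputs are constructed here: the creation_time value posted in the thread, a directadmin.conf fragment, and the two lines `openssl x509 -in <cert> -noout -dates` prints for the certificate Apache serves; on a real server you would read those instead. One assumption is built in: Let's Encrypt backdates notBefore by roughly an hour relative to the issuance moment, so the script treats creation_time and notBefore as matching when they are within two hours rather than demanding equality.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed inputs (assumption: on a real box read
# /usr/local/directadmin/data/users/<user>/domains/<domain>.cert.creation_time,
# /usr/local/directadmin/conf/directadmin.conf, and run openssl against the served cert).
CREATION_TIME_TEXT = "1494714090\n"                     # the value posted in the thread
DIRECTADMIN_CONF_TEXT = "letsencrypt=1\nletsencrypt_renewal_days=60\nssl=1\n"
OPENSSL_DATES_NEW = "notBefore=May 13 21:22:00 2017 GMT\nnotAfter=Aug 11 21:22:00 2017 GMT\n"
OPENSSL_DATES_OLD = "notBefore=Mar 14 18:54:00 2017 GMT\nnotAfter=Jun 12 18:54:00 2017 GMT\n"
NOW = datetime(2017, 6, 3, 12, 0, tzinfo=timezone.utc)   # the day the expiry mail arrived

_DATE_RE = re.compile(r"^(notBefore|notAfter)=(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4}) GMT$")


def parse_creation_time(text):
    """DA stores a Unix timestamp: seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(int(text.strip()), tz=timezone.utc)


def renewal_days(conf_text, default=60):
    """Same lookup as the grep/cut one-liner: the letsencrypt_renewal_days=N line."""
    for line in conf_text.splitlines():
        if line.startswith("letsencrypt_renewal_days="):
            return int(line.split("=", 1)[1].strip())
    return default


def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines printed by `openssl x509 -noout -dates`."""
    found = {}
    for line in text.splitlines():
        m = _DATE_RE.match(line.strip())
        if m:
            key, mon, day, hms, year = m.groups()
            found[key] = datetime.strptime(f"{mon} {day} {hms} {year}",
                                           "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def in_sync(creation, not_before, tolerance=timedelta(hours=2)):
    """creation_time and the served cert's notBefore belong to the same issuance
    if they lie within a small window (assumption: LE backdates notBefore ~1h)."""
    return abs(creation - not_before) <= tolerance


def diagnose(creation_text, conf_text, openssl_text, now):
    creation = parse_creation_time(creation_text)
    not_before, not_after = parse_openssl_dates(openssl_text)
    renew_at = creation + timedelta(days=renewal_days(conf_text))
    return {
        "in_sync": in_sync(creation, not_before),          # False => DA and Apache disagree
        "renew_in_days": (renew_at - now).days,            # what DA's "Auto-renewal in N days" means
        "expires_in_days": (not_after - now).days,         # from the certificate actually served
    }


if __name__ == "__main__":
    for label, dates in (("served cert is the new one", OPENSSL_DATES_NEW),
                         ("served cert is the old one", OPENSSL_DATES_OLD)):
        print(label, diagnose(CREATION_TIME_TEXT, DIRECTADMIN_CONF_TEXT, dates, NOW))
```

When `in_sync` is true and the served certificate's expiry is weeks away, the Let's Encrypt mail refers to a superseded certificate and can be ignored; when it is false, Apache is still serving the old certificate and DA's renewal bookkeeping does not describe what visitors actually get.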
 