2018-01-11, Warning from letsencrypt about outdated SSL certificate
A team member received a warning from letsencrypt saying that the SSL certificate
for beta.mybinder.org was going to expire soon. This was unexpected because
we use kube-lego to automatically register new SSL certificates for various
mybinder.org domains. After a few days, we re-checked the SSL certificate for
beta.mybinder.org and it seemed to have renewed properly,
so this was a noop from our perspective. However, it revealed a few things we
should do differently to make sure this doesn’t happen again.
All times in PST
A team member received an email that our SSL for
beta.mybinder.org was going to expire.
He opened https://github.com/jupyterhub/mybinder.org-deploy/issues/283.
Another team member used an SSL certificate checking website
to inspect the current SSL certificate of
beta.mybinder.org. This seemed
to be correctly renewed, and the immediate problem was considered resolved.
We received another email saying that both
docs were out
Upon looking at the Google Analytics history, we realized that the date
these certificates were scheduled to run out was exactly 3 months from the
day we switched
mybinder.org to point to the
The letsencrypt expiration emails doc
says that if the name / details of the certificate you request change at all,
you may receive these emails even though you’ve successfully renewed your certificate.
We double checked that the cert for
* look correct, which they did.
So, we concluded that we’re getting these notices because the SSL details changed and letsencrypt has (expectedly) failed to link the two.
A team member noticed that this is because our kubernetes deployment has an
account that’s unique to the domain we were using. So when we changed domains
*), we also switched accounts on letsencrypt. Our old account
is what is triggering the emails, but our new account is working fine.
Do not use a single team member’s email address for letsencrypt.
Instead, use a shared Google Groups email account so we all get pinged.
This has been done: email@example.com
Keep an eye on the SSL once the first expiration date comes around and make sure this is a correct assumption.