The notification of "server certificate expired send too many

[raydoom]

⚠️ Please verify that this question has NOT been raised before.

• I checked and didn't find similar issue

🛡️ Security Policy

• I agree to have read this project Security Policy

📝 Describe your problem

The notification of "server certificate expired " send too many ,will send a message about 2-6min

📝 Error Message(s) or Log

No response

🐻 Uptime-Kuma Version

1.23.11

💻 Operating System and Arch

Rocky linux 8

🌐 Browser

google chrome 121.0.6167.184

🖥️ Deployment Environment

• Runtime: docker 24.0.6
• Database: sqlite
• Filesystem used to store the database on: NFSv3 on a SSD from synology nas
• number of monitors: 12

[CommanderStorm]

Currently you have not included a lot of content.
So you have a list of notifications.

• Are they pointing to the same monitored URL?
• Do you have multiple such monitors?
• what have you set up here (Settings > Notifcations > TLS Certificate Expiry)?
  

[raydoom]

I have two monitors,one is www.example1.com ,and another is www.example2.com which redirect to www.example1.com by nginx with code 302
TLS Certificate Expiry:

[CommanderStorm]

Let me rephrase:
The list of notifications you are getting, to which of these domains are they pointing to?
Are they pointing to different or the same domain?

[raydoom]

the message is:

UptimeKuma Message
[www.example1.com][https://www.example1.com] server certificate *.example2.com will be expired in 17 days

the cert expire info:
*.example1.com: remian 312 days
*.example2.com: remian 17 days

[github-actions]

We are clearing up our old help-issues and your issue has been open for 60 days with no activity.
If no comment is made and the stale label is not removed, this issue will be closed in 7 days.

[Suplanus]

Same here.
The expire date is flapping (lets encrypt).
"Somewhere" the old certificate is in kuma. If I look via Browser or into my reverse proxy (HaProxy), the certificates are new.

Kuma are seeing the new certificate but sometimes shows up the old with the expire date.
Example: https://md3.page

The notification is not send only once. Its sends like descriped every 2 minutes.

[CommanderStorm]

@Suplanus
Yes, but that is because your service keeps flapping between thos expiry dates.
I don't see this as a bug or as something that we can improve on our side..

curl -s -v -X GET https://md3.page

July	May

I don't think this misconfiguration is common enough to warrant extra handling.
I am going to close this as not planned.

If you have a good rationale why this should be supported or how to support this, we can reopnen.

[Suplanus]

@CommanderStorm Thanks for looking into it. I will fix it on my side.
But: I think the notification should only be sent once per setting of days.

[CommanderStorm]

Checking the cert is not expensive. Doing so on every request is fine.
I don't see an upside from introducing more cases to test, even downsides (would you have found the bug before May otherwise?)

[Suplanus]

I don't changed the setup (OpnSense -> HaProxy -> ACME)... And yes, the problem is since may.
I looked into OpnSense and there is only one certificate of each domain...

So I am still digging :)

[Suplanus]

For all other with the same problem:
TLDR: It's not a kuma problem, but the great kuma shows it for us :)

Its a Bug in HAProxys Lets Encrypt implementation: https://forum.opnsense.org/index.php?topic=38435.0
A Update is available.