[Please excuse my lack of “template” on this one, as this question does not apply to a single given domain, but hundreds. In case it helps, we are using CertBot under CentOS7 and I have full root access to all boxes.]
This is a follow-up to the existing conversation at Automatically remove certificate if renewal fails.
Our server maintains certificates for many hundreds of domains, and over time some of those domains fall out of use due to user cancellations, domain changes, etc. In these cases the CertBot renewal process will eventually fail due to the original DNS record no longer pointing at our servers, and when this happens I would like to automatically delete the associated certificate files from the server.
I referenced the original post because I wanted to point out that the “you shouldn’t do this because of X, Y, Z…” comments don’t apply to our use case. If the renewal were to temporarily fail for whatever reason, we have mechanisms in place that would re-request any certificates that were still needed. So we are not concerned about deleting a cert due to a temporary renewal issue, as our code is already set up to handle that case.
With that in mind, is there any option on the renew command to “delete on fail”? If not, can anyone think of a simple one-liner for locating all expired certs in the CertBot folder and feeding those into a “certbot delete” command? I can write a SH script to do this I’m sure, but if someone already had a one-liner that I could add to the CRONTAB that would be even better.
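One way to do the cleanup asked about above, as an added example that is not part of the original post or of Certbot itself: a POSIX sh script that lists every lineage under Certbot's live directory whose cert.pem has already expired (or will expire within GRACE seconds) and feeds each name to `certbot delete`. It assumes Certbot's default /etc/letsencrypt/live layout and that openssl and certbot are on PATH; because Certbot starts attempting renewal 30 days before expiry, a certificate that has actually expired is one whose renewal has been failing for about a month.

```shell
#!/bin/sh
# Added example (not from the original post): prune Certbot lineages whose
# certificate has expired, or will expire within GRACE seconds.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # assumption: Certbot's default layout
GRACE="${GRACE:-0}"                              # seconds; 0 = only certs already expired
DRY_RUN="${DRY_RUN:-1}"                          # 1 = report only; set to 0 in cron once trusted

# Print the lineage names under $1 whose cert.pem expires within $2 seconds.
expired_cert_names() {
    live="$1"; grace="$2"
    for pem in "$live"/*/cert.pem; do
        [ -f "$pem" ] || continue            # skips the README and an empty glob
        # openssl x509 -checkend exits 0 while the cert stays valid for the whole
        # window and non-zero once it has expired or will expire inside it.
        if ! openssl x509 -checkend "$grace" -noout -in "$pem" >/dev/null 2>&1; then
            basename "$(dirname "$pem")"
        fi
    done
}

# Delete each expired lineage through certbot, or only report it in dry-run mode.
prune_expired_certs() {
    expired_cert_names "$LIVE_DIR" "$GRACE" | while IFS= read -r name; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would delete: $name"
        else
            # --cert-name selects the lineage; --non-interactive suppresses prompts
            certbot delete --cert-name "$name" --non-interactive
        fi
    done
}

prune_expired_certs
```

DRY_RUN=1 only reports, so run it that way from cron first and switch to DRY_RUN=0 once the reported names match what you expect to lose.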