Automatically remove certificate if renewal fails

[Please excuse my lack of “template” on this one, as this question does not apply to a single given domain, but hundreds. In case its helps we are using CertBot under CentOS7 and I have full root access to all boxes.]

This is a follow-up to the existing conversation at Automatically remove certificate if renewal fails.

Our server maintains certificates for many hundreds of domains, and over time some of those domains fall out of use due to user cancellations, domain changes, etc. In these cases the CertBot renewal process will eventually fail due to the original DNS record no longer pointing at our servers, and when this happens I would like to automatically delete the associated certificate files from the server.

I referenced the original post because I wanted to point out that the “you shouldn’t do this because of X, Y, Z…” comments don’t apply to our use case. If the renewal were to temporarily fail for whatever reason, we have mechanisms in place that would re-request any certificates that were still needed. So we are not concerned about deleting a cert due to a temporary renewal issue, as our code is already setup to handle that case.

With that in mind, is there any option on the renew command to “delete on fail”? If not, can anyone think of a simple one-liner for locating all expired certs in the CertBot folder and feeding those into a “certbot delete” command? I can write a SH script to do this I’m sure, but if someone already had a one-liner that I could add to the CRONTAB that would be even better.


Look into:
--allow-subset-of-names tells Certbot to continue with certificate generation if only some of the specified domain authorizations can be obtained. This may be useful if some domains specified in a certificate no longer point at this system.

1 Like

If I understand the docs correctly this flag would allow a certificate originally setup to support domains A, B, C, D to renew with only domains A, B, D if the challenge for C failed. This might actually be useful for another aspect of my project, but I don’t think it applies to this question since our certs generally contain just a single domain.

OK, now that I better understand your need…
I don’t think certbot can automatically handle your request.
And sadly, don’t know of any one-line script already written for such occasions.
Sounds like you may need to include some “extra” scripting to exclude domains and their corresponding certs. [basically in the exact opposite of however you are including domains and creating certs for them]

Hi @marcbertone

create one. Certbot shows, if the certificate is valid. Or use OpenSsl to check that.

“One line” may be too short, but it’s possible. Then run that script before running Certbot.

I bet there’s a simpler and more official way, but you could use

[ $(date -d "$(openssl x509 -in "$CERT" -enddate -noout | cut -d= -f2)" +%s) -gt $(date +%s) ]

to check whether a certificate’s expiry is in the future.

… apparently a more official way is with the -checkend option: