We offer domain aliasing for a SaaS service we run, so customers can point their own DNS entry at our server. We use Let's Encrypt to request a related certificate (if the customer's DNS entry is set up properly). However, sometimes the customer removes the DNS entry. This causes the renewal for that particular certificate to fail.
Is there a way to automatically remove certificates that fail renewal?
Attempting to renew cert (foo.foo.de) from /etc/letsencrypt/renewal/foo.foo.de.conf produced an unexpected error: Failed authorization procedure. foo.foo.de (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested acme.invalid from 212.65.8.208:443. Received 3 certificate(s), first certificate had names “*.foo.de, foo.de”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.foo.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
I would say that the best thing is to implement your own monitoring script that checks whether the associated DNS is still pointed at you. Then you can take some kind of action outside of the renewal path in connection with this, whether that's contacting the customer or deleting the certificate.
If you need to double-check which names are covered by a specific certificate, you can use certbot certificates or openssl x509 -in /etc/letsencrypt/live/somedomain/cert.pem -text -noout to see the certificate contents.
It could be risky to remove domains automatically just because they failed validation because the problem could be ephemeral or unintentional, like a temporary outage of the customer's DNS service or a misunderstanding on the customer's part.
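As an added illustration of the monitoring approach suggested in the answer above (this is example code, not from the original post or from certbot), the script below walks certbot's renewal directory, reads the DNS names out of each certificate with openssl, resolves each name, and compares the answers with this server's own addresses. It only acts after several consecutive failed checks, so a short customer DNS outage is logged as a warning rather than treated as a removed alias. Assumptions: certbot's default layout under /etc/letsencrypt, OpenSSL 1.1.1 or newer for the -ext flag, a state file path of our choosing, and a grace threshold of three misses; the address 212.65.8.208 is taken from the log output in the question and must be replaced with your own.

```python
"""Check whether the names behind each Let's Encrypt certificate still
point at this server, and flag or delete certificates that do not.

Example code written for this answer, not certbot's own tooling.
Assumes certbot's default /etc/letsencrypt layout and OpenSSL >= 1.1.1.
"""
import json
import re
import socket
import subprocess
from pathlib import Path
from typing import Callable, Dict, List, Set, Tuple

# Addresses customers are told to point at. 212.65.8.208 comes from the
# question's log output; replace with the real public addresses of this host.
OUR_ADDRESSES: Set[str] = {"212.65.8.208"}
GRACE_FAILURES = 3  # assumption: consecutive misses before we act
RENEWAL_DIR = Path("/etc/letsencrypt/renewal")
LIVE_DIR = Path("/etc/letsencrypt/live")
STATE_FILE = Path("/var/lib/domain-alias-monitor/state.json")  # our own choice

SAN_RE = re.compile(r"DNS:([A-Za-z0-9.*-]+)")
Resolver = Callable[[str], Set[str]]


def parse_san_names(openssl_output: str) -> List[str]:
    """Extract DNS SANs from `openssl x509 -noout -ext subjectAltName` output."""
    return SAN_RE.findall(openssl_output)


def cert_names(cert_pem: Path) -> List[str]:
    """Names covered by a certificate file, via openssl (OpenSSL >= 1.1.1)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", str(cert_pem), "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_san_names(out)


def default_resolver(name: str) -> Set[str]:
    """A/AAAA lookup via the system resolver; empty set when the name is gone."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_name(name: str, our_addresses: Set[str], resolver: Resolver = default_resolver) -> str:
    """'ok' if any answer is ours, 'elsewhere' if it resolves somewhere else,
    'unresolvable' if the record is gone (the case from the question)."""
    addrs = resolver(name)
    if not addrs:
        return "unresolvable"
    if addrs & our_addresses:
        return "ok"
    return "elsewhere"


def update_state(state: Dict[str, int], cert_name: str, healthy: bool) -> int:
    """Count consecutive unhealthy checks per certificate; a healthy check resets."""
    misses = 0 if healthy else state.get(cert_name, 0) + 1
    state[cert_name] = misses
    return misses


def decide(cert_name: str, names: List[str], our_addresses: Set[str],
           state: Dict[str, int], resolver: Resolver = default_resolver,
           grace: int = GRACE_FAILURES) -> Tuple[str, Dict[str, str]]:
    """Return ('keep' | 'warn' | 'delete', per-name results)."""
    results = {n: check_name(n, our_addresses, resolver) for n in names}
    healthy = all(r == "ok" for r in results.values())
    misses = update_state(state, cert_name, healthy)
    if healthy:
        return "keep", results
    if misses >= grace:
        return "delete", results
    return "warn", results


def delete_certificate(cert_name: str, dry_run: bool = True) -> List[str]:
    """Remove the lineage with certbot; returns the command for logging."""
    cmd = ["certbot", "delete", "--cert-name", cert_name, "--non-interactive"]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


def main(dry_run: bool = True) -> None:
    state = json.loads(STATE_FILE.read_text()) if STATE_FILE.exists() else {}
    for conf in sorted(RENEWAL_DIR.glob("*.conf")):
        cert_name = conf.stem  # renewal conf name matches the live/ directory
        names = cert_names(LIVE_DIR / cert_name / "cert.pem")
        action, results = decide(cert_name, names, OUR_ADDRESSES, state)
        print(f"{cert_name}: {action} {results}")
        if action == "delete":
            print("  running:", " ".join(delete_certificate(cert_name, dry_run)))
    STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    STATE_FILE.write_text(json.dumps(state))


if __name__ == "__main__":
    main(dry_run=True)  # flip to False once the output looks right
```

Run it from cron or a systemd timer a few times a day with dry_run=True first; the warn stage is the natural hook for e-mailing the customer, and the state file is what turns a single missed lookup into a trend before anything is deleted.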