Automatically remove certificate if renewal fails

Hello,

we are offer domain aliasing for a SaaS service we run. So customer can point their own DNS entry to our server. We use Letsencrypt to request a related certificate (if the customer DNS entry is properly set). However sometimes it happens that the customer removes the DNS entry. This causes the renewal for the particular certificate to fail.

Is there a way to automatically remove certificates that fail renewal?

Best regards

Carsten

What ACME client are you using?

Keep in mind that failures can happen for a lot of reasons, some of them unintentional or temporary.

We are using the certbot 0.26.1 on Ubuntu Linux.

The particular case would be this error message:

Attempting to renew cert (foo.foo.de) from /etc/letsencrypt/renewal/foo.foo.de.conf produced an unexpected error: Failed authorization procedure. foo.foo.de (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested acme.invalid from 212.65.8.208:443. Received 3 certificate(s), first certificate had names “*.foo.de, foo.de”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.foo.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Hi @Deckard

not an answer of your question, but:

tls-sni-01 is deprecated. Support ends 2019-02-13.

So you should change your authentication method.

http-01, dns-01 or tls-alpn-01. acme.sh has (new) an own tls-alpn01-client.

Thank you for the hint. Unfortunately the nginx plugin does seem to support only that challenge/auth type.

EDIT: Nevermind, just updated the client and the default challenge/auth type was already fixed.

I would say that the best thing is to implement your own monitoring script that checks whether the associated DNS is still pointed at you. Then you can take some kind of action outside of the renewal path in connection with this, whether that's contacting the customer or deleting the certificate.

If you need to double-check which names are covered by a specific certificate you can use certbot certificates or openssl x509 -in /etc/letsencrypt/live/somedomain/cert.pem -text -noout to see the certificate contents.

It could be risky to remove domains automatically just because they failed validation because the problem could be ephemeral or unintentional, like a temporary outage of the customer's DNS service or a misunderstanding on the customer's part.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.