Certbot Delete used with | and grep deletes all SSL's

Is it expected behaviour that if using a pipe and grep to filter out the list (I've got about 100 SSL's on this server) that it would output the FQDN I'm looking for, but then error out and delete all SSL's?

My domain is:
test.domain.tld

I ran this command:

sudo certbot delete | grep "test.domain.tld"

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
128: test.domain.tld
 
Skipped user interaction because Certbot doesn't appear to be running in a terminal. You should probably include --non-interactive or --force-interactive on the command line.
Deleted all files relating to certificate test.domain.tld.

My web server is (include version):
Apache 2.4.41-4

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.7.4

Hello @sspaulding, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results, using the HTTP-01 challenge,
https://letsdebug.net/test.domain.tld/1725024

InvalidDomain
FATAL
"test.domain.tld" is not a valid domain name that Let's Encrypt would be able to issue a certificate for.
Domain doesn't end in a public TLD

The issue is that there is no top-level domain .tld; you have no domain name.

Let’s Encrypt offers Domain Validation (DV) certificates.

Thus you need to own and have control over the Domain Name (or have a subdomain under an existing domain name, for example pointed to your server by your employer or school) you wish to obtain a certificate for, from an ICANN Accredited Registrar.

For Let’s Encrypt to issue a Domain Validation (DV) certificate, Domain Validation must happen, and it is a CA/Browser Forum Baseline Requirement.

Best Practice - Keep Port 80 Open

Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

Since these are Domain Validation (DV) certificates, the Domain Name System (DNS) is used extensively in the validation process, as well as allowing us to assist here on the Let's Encrypt community.
DNS queries need to give consistent results from any location on the Internet; all your authoritative DNS servers for the domain need to give consistent results as well.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

And to assist with debugging, a great place to start is Let's Debug.

2 Likes

When you say you have "100 SSL's" do you mean that many domains on a single cert or you have that many certs?

Because certbot delete deletes an entire cert, but you must provide it the cert name. Piping its output to grep won't do anything useful.

4 Likes

I didn't actually use test.domain.tld, I redacted that for privacy's sake. The SSL I tried to delete was a valid SSL using valid FQDN format.

Please see Deleting certificates
and Safely deleting certificates

2 Likes

100's of individual SSL's using many certs.

I was attempting to delete a specific one without having to scroll through the list the certbot delete generates.

Do sudo certbot delete --cert-name X

using the name from sudo certbot certificates

2 Likes

This is the format: sudo certbot delete --cert-name example.com;
the | operator takes the output from the left side's stdout and feeds it into the right side's stdin.

1 Like

So is this a bug? Because piping to grep shouldn't have caused any input into the certbot delete command.

Doing certbot delete on its own works, and the same with certbot delete --cert-name X.

No. See bash - Piping into results of another pipe not working as expected - Unix & Linux Stack Exchange

And more on how the Pipe (|) Operator in Bash works:

1 Like

Running certbot delete shows all the possible certs to delete.

It then asks which one you want deleted. Or, just pressing enter will delete them all.

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

You piped that output to grep which filtered some of the output (which included the lines above which described this).

If you then pressed enter it would have taken the default behavior.

You misunderstood what piping to grep does. And got a poor result from certbot as a result. This belongs in the "lesson learned" category :slight_smile:

4 Likes
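An added example, not Certbot's code and not from any poster in this thread, illustrating the safe pattern recommended above (find the exact name from the read-only sudo certbot certificates listing, then pass it with --cert-name) together with the terminal check that a pipeline defeats. The listing is a constructed stand-in for certbot certificates output; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of what `certbot certificates` prints (not real output).
SAMPLE_LISTING='Found the following certs:
  Certificate Name: test.domain.tld
    Domains: test.domain.tld www.test.domain.tld
    Expiry Date: 2024-03-01 00:00:00+00:00 (VALID: 60 days)
  Certificate Name: other.domain.tld
    Domains: other.domain.tld
    Expiry Date: 2024-03-01 00:00:00+00:00 (VALID: 60 days)'

# Print the Certificate Name(s) whose Domains line contains $1 as a whole
# word, so "domain.tld" does not match "test.domain.tld" the way grep would.
cert_names_for_domain() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v want="$1" '
        /Certificate Name:/ { name = $3 }
        /Domains:/ { for (i = 2; i <= NF; i++) if ($i == want) print name }'
}

# Build the explicit delete command only when exactly one certificate
# matched; refuse (non-zero exit) on zero or several matches so nothing
# is ever selected by default.
build_delete_command() {
    names=$(cert_names_for_domain "$1")
    count=$(printf '%s\n' "$names" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one match for $1, got $count" >&2
        return 1
    fi
    echo "certbot delete --cert-name $names"
}

# True only when both stdin and stdout are terminals. Inside a pipeline at
# least one side is not, which is the condition under which Certbot skipped
# its prompt in the thread; a wrapper can refuse destructive work here.
interactive_session() {
    [ -t 0 ] && [ -t 1 ]
}
```

In a real session, replace SAMPLE_LISTING with the output of sudo certbot certificates and only run the printed command after reading it.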

I don't think I misunderstood how piping to grep works, as it's the output of command A to the stdin of command B.

And ok, so this brings up another question. grep provided me with the correct output, and I pressed Control-C as the command wasn't completing.

I did not hit enter at any point in time while running this.

Might explain

results.

4 Likes

My Certbot 2.7.4 does not behave like you describe. And, I am wary of doing anything other than ctrl-c as I don't want my certs deleted.

In any case, bugs for Certbot are best reported on their github. The EFF developers are more easily reached there.

4 Likes

Thanks guys, I believe this to be a bug so I will submit the bug report to them.

And yes, I agree, a very valuable lesson learned; thankfully I have backups of my /etc/letsencrypt folder so recovery was easy and downtime was minimal, but still.

3 Likes

Correct. Why did you think grep would delete your certs?

2 Likes

I didn't, I was wondering why certbot deleted all of my certs with no prompts or warnings.

The output I got was the grepped line I wanted, followed by the "skipped interactive..." message, followed by a message that it deleted all certs related to the one I entered.

Nowhere in the output does it indicate that all certs were deleted.

It sounds like the intention of the grep was to feed back the input required by the certbot command.
But grep's output shouldn't go to the standard input.
So, at best, it only reduces certbot's output to only a line that contains the grep string.
But without certbot's instructions...
How is anyone supposed to know what to do next?

2 Likes

That is very nice to see being done correctly! :smile:

3 Likes

Busy production server... can never have too many backups :smiley:

4 Likes