Certificate API


Do you guys have an API or management portal where I can login and view all the certificates connected to my account?

When you set up Certbot, for example, it asks you to input an email for sending status updates. The system behind the emails has to keep track of the date the certificate expires.

But is there a way for users to use an API to grab the certificate, so that I can set up a management portal for managing the certificates and renew them directly from the portal?

When you start having 100+ certificates to work with it gets difficult to keep track using email.


Welcome to the community @MHVDM

There are several issues you bring up but for the renewal don't you have them auto-renewing? I can understand wanting a monitor of your own to check for servers using a stale cert. But needing a portal to issue renewals seems like your automation method is not reliable.


The entire system of Let's Encrypt is only available by an API, which is called the ACME protocol. There's no web interface to see all certificates.

The email address is really only there for exceptional cases: Either your automated renewal and monitoring failed so there's a reminder notice to check on it, or there's some issue that Let's Encrypt really needs you to know about (like an old API going away that they have record of you using, or them needing to revoke a certificate for some reason).

If you want centralized administration of your certificates, there's probably a system that would help you see everything and also uses the ACME protocol to renew your certificates automatically. There are a lot of clients which can use that protocol, and I personally am not sure which one might be the one to recommend to you, but maybe others here do.


And the ACME API does not offer a method to list issued certs from the ACME account.

@MHVDM I concur with my fellow volunteers: neither Let's Encrypt nor the ACME protocol offers the interface you request. It's the duty of the ACME client software to keep track of all issued certificates. And it's customary to let the ACME client run twice a day, where it checks whether any certificate needs renewal or not. This is usually done with a systemd timer or cron job. Once a certificate has been issued, it should renew without any problem and without any human interaction.
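Two points in the replies above lend themselves to a small worked example: the suggestion to run "a monitor of your own to check for servers using a stale cert", and the twice-daily check that decides whether anything needs renewal. The script below is an added example written for this edit; it is not code from the thread, from Let's Encrypt or from Certbot, and it never contacts the ACME API. It assumes a Certbot-style layout of `<root>/live/<name>/cert.pem` and the `openssl` CLI on PATH. The sample certificates it creates are constructed self-signed stand-ins, one about to expire (a decommissioned server) and one freshly renewed.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): a local stale-certificate monitor.
# Assumes a Certbot-style layout <root>/live/<name>/cert.pem and the openssl CLI.
# Nothing here talks to Let's Encrypt or the ACME protocol; it only inspects local files.
set -eu

# Return 0 (true) when the certificate in $1 expires within $2 days.
# `openssl x509 -checkend N` exits 0 only if the cert is still valid N seconds from now.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print "<lineage name> <notAfter>" for every lineage under $1/live that
# expires within $2 days. Lineages that renew fine never show up here, so
# anything listed is either a failing renewal or a cert you stopped using.
scan_certs() {
    scan_root=$1
    scan_days=$2
    for cert in "$scan_root"/live/*/cert.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if cert_expires_within "$cert" "$scan_days"; then
            printf '%s %s\n' "$name" "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
        fi
    done
}

# Constructed sample data (hypothetical names): two self-signed certs standing
# in for Let's Encrypt lineages, one 5 days from expiry, one 85 days out.
make_sample_certs() {
    sample_root=$1
    for entry in "decommissioned.example.test 5" "healthy.example.test 85"; do
        set -- $entry
        mkdir -p "$sample_root/live/$1"
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$sample_root/live/$1/privkey.pem" \
            -out "$sample_root/live/$1/cert.pem" \
            -days "$2" -subj "/CN=$1" >/dev/null 2>&1
    done
}

# Run against CERT_ROOT (e.g. /etc/letsencrypt) if set, otherwise against the
# constructed sample data. 20 days matches Let's Encrypt's first reminder email.
if [ -n "${CERT_ROOT:-}" ]; then
    scan_certs "$CERT_ROOT" 20
else
    demo_root=$(mktemp -d)
    make_sample_certs "$demo_root"
    echo "Lineages expiring within 20 days:"
    scan_certs "$demo_root" 20
    rm -rf "$demo_root"
fi
```

Dropped into the same cron job or systemd timer that runs the ACME client, `CERT_ROOT=/etc/letsencrypt sh monitor.sh` gives you the "which cert is this?" answer the expiry emails lack: an empty report means every lineage renewed, and a listed lineage is either a broken renewal to fix or a retired name to revoke and delete.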


Thanks for the reply. The renewal is automatic, yes, but I have some certificates where the server has been deleted and I'm still receiving emails regarding the certificates expiring. And it's not just one email. It's often, and I have multiple certificates where the server has been deleted, so I can't find a way to remove the certificates.

Do you perhaps know If I can somehow get rid of those certificates?


It sounds like you did get rid of the certificates (at least from your servers; they live in places like Certificate Transparency logs forever). If I understand correctly, your concern is that once you intentionally stop using a certificate and stop it from renewing, you are still getting renewal reminders. If that's the case, then yes, the renewal-reminder infrastructure definitely has a lot of room for improvement, and you're not the only one wishing that you had more control over what reminders you got and when. For the (hopefully) most common case, they're helpful to people because they let them know that their automated renewal is failing. But in other cases, where names are being added to or removed from a certificate, or the certificate just isn't being used anymore, they're a source of a lot of confusion and strife.

If you're pretty confident in your monitoring, you could unsubscribe from the emails (for a year at a time, weirdly enough), or remove the email address from the account entirely (so that no emails to you happen). But then you'd miss the actually-important emails if Let's Encrypt needs to revoke your certificates because they screwed something up or otherwise really needed to get in touch with you. Your best bet may be to just treat them as the reminders that they are, to make sure that the names in the certificate are ones that you actually don't want to renew anymore, or, if you're sure you don't need them, to just automatically filter the emails based on the From and Subject line or the like so you don't need to see them.


It shouldn't be "often" for any one domain certificate. There are 2 emails, one at 20 and one at 10 days prior to expiry (see here).

When you quit using a domain / cert you could revoke the cert. This will prevent email expiry warnings.

As for deleting certs, the certbot delete command is useful, but be sure to read the docs about doing this safely (docs here).


You are partially correct here. I discontinued over 20 servers last month, and on none of them did I enter certbot and remove the certificates.

I simply backed up the data for the customers, and then deleted the server. Maybe I'm in the wrong for not removing the certificates myself beforehand, but I never thought of it before.

I thought that they would stop sending emails once I deleted the entire server that the certificates were installed on.

Is it recommended to remove the certificates using certbot beforehand, or did I do it correctly and the renewal infrastructure is in the wrong/needs improvement?



Removing them from certbot would just remove them from your system; the certificates still exist on the Let's Encrypt side. So from that perspective it really doesn't matter whether you delete them from certbot or just delete the whole server.

What you could have done, as @MikeMcQ mentioned, is revoke the certificates. That's a bit more involved, because with all the auditing and checks around what certificate authorities do, it isn't removing information, it's adding information that "this certificate should not be relied on anymore". You shouldn't really revoke just because you aren't going to be using the certificate anymore, but if it's because you will no longer have control over the name (say, the owner of the name is moving to a different hosting provider than the one you run, or the domain name will be expiring and not renewed; so in the cases where you shouldn't have access to it anymore), then revoking with "cessationOfOperation" would be appropriate. And the reminder infrastructure is smart enough not to try to remind you about certificates that have been revoked.

But really, there's a lot about the reminder infrastructure that needs improvement.


If you do this, please use the correct reason for revocation (cessationOfOperation, probably).


It shouldn't be "often" for any one domain certificate.

It seems simpler to use unique email addresses for each server/system.
Which would also simplify the "where was that cert being used?" in the email notice.
Once you are "done" with a server/system, you can just unregister that email address.

