Certificates issued but unavailable if the client fails during certification process


#1

Sorry if this question has already been answered.

I noticed that if the challenges are successfully completed, but the client fails for some other reason before the certs are saved to the ./archive directory, the certificates are actually issued and committed (as can be seen at https://crt.sh/?caid=7395), but are not available to the user.
As the server seems not to know that the client has failed, and because certs are actually committed, if the user tries to repeat the process enough times (for example if the client continues to fail for the same reason), he will soon hit the maximum allowed number of certificates per domain (5 in 7 days), without obtaining even one.

Could it be a good idea to check if there are some ‘pending’ certificates (e.g. that were issued but not saved client-side) and notify the user of that, to avoid the problems described above?

Thank you.


#2

Is there anything in /etc/letsencrypt/live/ ?


#3

Yes, there are some symlinks to a certificate previously issued, but the newer one is neither there nor in the ./archive directory.

In particular, in my case the client had failed because I had edited the symlinks in the live directory (as I was alternating between the new LE cert and the old self-signed one), and had forgotten to restore the original ones before launching the certification process for some other sub-domains.

To be honest, I would be able to recover the issued certificates both by looking in the logs (as they seem to be ‘saved’ in the response to the GET request) and by searching for my CN in the crt.sh archive, but as this is quite a bothersome process, I wonder if it would be worth simplifying it a bit.
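One way a client could surface the ‘pending’ certificates asked for in #1, using the crt.sh lookup mentioned in #3 (added example, not certbot's or Let's Encrypt's code; the crt.sh JSON field names are real, while the sample rows, example.com and the "now" timestamp are constructed):

```python
import json
from datetime import datetime, timedelta

DUPLICATE_CERT_LIMIT = 5  # certificates per exact name set per window, as stated in the thread
WINDOW = timedelta(days=7)
ISSUER = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1"
# Constructed sample shaped like https://crt.sh/?q=...&output=json output; example.com is a placeholder.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": ISSUER, "name_value": "example.com\nwww.example.com",
     "not_before": "2016-01-10T10:00:00"},
    {"id": 2, "issuer_name": ISSUER, "name_value": "example.com\nwww.example.com",
     "not_before": "2016-01-10T10:00:00"},   # precertificate + leaf of the same issuance
    {"id": 3, "issuer_name": ISSUER, "name_value": "www.example.com\nexample.com",
     "not_before": "2016-01-11T09:30:00"},
    {"id": 4, "issuer_name": ISSUER, "name_value": "example.com\nwww.example.com",
     "not_before": "2015-12-20T08:00:00"},   # older than the 7-day window
    {"id": 5, "issuer_name": ISSUER, "name_value": "example.com",
     "not_before": "2016-01-11T11:00:00"},   # a different name set
])
SAMPLE_NOW = datetime(2016, 1, 12, 12, 0, 0)  # constructed "current time" for the sample

def parse_crtsh(payload):
    """One entry per issuance: crt.sh lists a precertificate and the final
    certificate as separate rows, so rows with the same names and not_before are collapsed."""
    seen = {}
    for row in json.loads(payload):
        names = frozenset(n.strip().lower() for n in row["name_value"].splitlines() if n.strip())
        key = (names, datetime.fromisoformat(row["not_before"]))
        seen.setdefault(key, row["id"])  # keep the first crt.sh id for that issuance
    return [{"id": i, "names": k[0], "not_before": k[1]} for k, i in seen.items()]

def recent_issuances(issuances, names, now):
    """Issuances for exactly this name set whose not_before falls inside the window."""
    wanted = frozenset(n.lower() for n in names)
    hits = [i for i in issuances
            if i["names"] == wanted and now - WINDOW <= i["not_before"] <= now]
    return sorted(hits, key=lambda i: i["not_before"])

def remaining_before_limit(issuances, names, now):
    return max(0, DUPLICATE_CERT_LIMIT - len(recent_issuances(issuances, names, now)))

def pending_report(payload, names, now):
    """Text a client could show before retrying: certificates already in CT that may
    never have reached ./archive, and how many attempts the limit still allows."""
    issuances = parse_crtsh(payload)
    recent = recent_issuances(issuances, names, now)
    lines = [f"{len(recent)} certificate(s) for {sorted(names)} issued in the last {WINDOW.days} days:"]
    lines += [f"  crt.sh id {i['id']} not_before {i['not_before'].isoformat()}" for i in recent]
    lines.append(f"{remaining_before_limit(issuances, names, now)} issuance(s) left before the limit")
    return "\n".join(lines)
```

Call `pending_report(SAMPLE_CRTSH_JSON, ["example.com", "www.example.com"], SAMPLE_NOW)` to see the report for the sample; against real data, fetch the JSON from crt.sh and pass `datetime.utcnow()` as `now`.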