Delete ALL certificates

koolwebs · October 5, 2020, 2:11pm

Hello - for the 2nd time I have deleted ALL certificates from my server - Please can you put a safety check on the "leave blank to delete all certs" like "are you sure you wish to trash your server Y/n"
I am sure there are folks out there just as stupid as me.

rg305 · October 5, 2020, 2:30pm

Which client are you using?

koolwebs · October 5, 2020, 3:05pm

ubuntu 18.04 - not sure what version certbot but it is only a few months old.
This is amazing software, I used to pay a lot for SSL.
A gui version would be epic.

rg305 · October 5, 2020, 3:08pm

Automation is the goal.
GUIed automation - is that really needed?

Osiris · October 5, 2020, 3:08pm

Also, did you have just one certificate or more than one?

Because certbot should ask you which certificates to do an operation on if you look at the code:

github.com

certbot/certbot/blob/ef8c481634b642489c20b29d2a8c30526d5b5adf/certbot/certbot/_internal/cert_manager.py#L294-L327


      
          def get_certnames(config, verb, allow_multiple=False, custom_prompt=None):
              """Get certname from flag, interactively, or error out.
              """
              certname = config.certname
              if certname:
                  certnames = [certname]
              else:
                  disp = zope.component.getUtility(interfaces.IDisplay)
                  filenames = storage.renewal_conf_files(config)
                  choices = [storage.lineagename_for_filename(name) for name in filenames]
                  if not choices:
                      raise errors.Error("No existing certificates found.")
                  if allow_multiple:
                      if not custom_prompt:
                          prompt = "Which certificate(s) would you like to {0}?".format(verb)
                      else:
                          prompt = custom_prompt
                      code, certnames = disp.checklist(
                          prompt, choices, cli_flag="--cert-name", force_interactive=True)
                      if code != display_util.OK:

This file has been truncated. show original

(get_certnames is envoked from the delete command in main.py)

For some users, a GUI just for setting up could be helpful, yes. Not everybody has much CLI experience. In the past, I have made an argument that perhaps not everybody should be trying to apply HTTPS to their sites because of lack of knowledge perhaps doing more harm than good. But that argument was apparently invalid. So lack of CLI experience then also shouldn't be an argument for not being able to use certbot

rg305 · October 5, 2020, 3:10pm

Can you show the screen of just before "everything cert gets deleted"?

Osiris · October 5, 2020, 3:17pm

Ah, wait.. It seems my post about the get_certnames was not very helpful, as the quoted line above suggests @koolwebs actually did get this question about multiple certificates.

The code of certmanager.delete() indeed does not explicitly ask for confirmation:

github.com

certbot/certbot/blob/ef8c481634b642489c20b29d2a8c30526d5b5adf/certbot/certbot/_internal/cert_manager.py#L90-L97


      
          def delete(config):
              """Delete Certbot files associated with a certificate lineage."""
              certnames = get_certnames(config, "delete", allow_multiple=True)
              for certname in certnames:
                  storage.delete_files(config, certname)
                  disp = zope.component.getUtility(interfaces.IDisplay)
                  disp.notification("Deleted all files relating to certificate {0}."
                      .format(certname), pause=False)

I guess between lines 92 and 93 there's a perfect moment for reflection and present the user with the (set of) certificate(s) he/she's about to delete and ask for confirmation.

@koolwebs I think the best thing to approach this is to open an issue on the certbot Github page. Feeling up to that?

I think this could be best be solved by summarize the list of certs to be deleted above the for loop and add another disp.notification with "Are you sure?" and pause=True. But this is rather hard to test on a production server.. And I don't have a testing environment, so I'd need to fix one

Osiris · October 5, 2020, 9:33pm

Wrote an issue: https://github.com/certbot/certbot/issues/8347
Wrote a fix: https://github.com/certbot/certbot/pull/8349

koolwebs · October 5, 2020, 9:36pm

Thanks for the info, I have logged it on github

system · November 6, 2020, 4:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot - Delete a Specific Certificate Name Help	3	1554	June 19, 2017
Certbot delete request Feature Requests	2	774	June 23, 2019
How to delete a particular Certificate? Help	2	147	July 6, 2024
How to delete certificates Help	9	4944	April 2, 2020
Best Practice For Closing a Server Down Help	10	763	April 13, 2021

Delete ALL certificates

Related topics