I had a website and a working letsencrypt certificate on a windows server with IIS.
The web site is now deleted.
How do I delete the certificate from the letsencrypt list and stop letsencrypt from telling me that it fails renewals? It even sends me emails about renewal failure. I want it completely gone without sitting there on the list and showing renewal failures.
I don’t see such an option.
I deleted the certificate from the IIS, and from Windows certificates storage. I’ve found the actual certificate files in the folder where let’s encrypt stores all the certificates and deleted two files associated with that certificate.
Letsencrypt still has that domain on the list, still tries and fails to renew it. It’s annoying but also wastes letsencrypt resources. And keeps junk on my server.
I know there’s an article about Automatic Pausing of Zombie Clients but I think it’s different. I wouldn’t mind deleting these “zombie” remains.
What else can I do to eliminate an old domain with a non-existent web site from the letsencrypt list, completely, and stop the forever failing renewal attempts?
You mention "letsencrypt" numerous times incorrectly, like "letsencrypt list", "stop letsencrypt from telling me" and "where let’s encrypt stores" and so on.
However, Let's Encrypt is just an ACME server enabled CA. Let's Encrypt itself does not install software on your system. In the past, you or someone else has installed an ACME client on that host. And there are many different ACME clients out there, also for Windows. And none of them are from Let's Encrypt. (No ACME client is.)
So you need to figure out which ACME client has been installed on your host. And it totally depends on which piece of software that was, how to remove the certificate from that software.
Let's Encrypt will send emails warning about an upcoming cert expiration. But, there are only two sent for each cert and none after it expires.
If you post the contents of one of those emails it might help to identify where they come from. If the email has a link to unsubscribe or similar then remove that from a post here so that it does not get accidentally used.
You are right.
I installed win-acme.v2.2.9.1701.x64.pluggable
The executable file is wacs.exe
The reason why I thought it is more related to LetsEncrypt than just a third party client is that the emails about renewals come from what it says "Let's Encrypt Expiry Bot", with an email "expiry@letsencrypt.org"
So where does this client get the list of domains to renew the certificates? From my server or from the LetsEncrypt server(s)? And how do I delete one from that list, wherever it is maintained?
Also, do you think that this is the most common and widely used client for IIS on Windows servers?
What are other reliable and well-established clients? Would you suggest some better ones or the best one in your opinion?
Yes, Let's Encrypt does send emails. But that's only based upon the information they have: someone issues a cert for some domain(s) and it's about to expire. Nothing more, nothing less.
Probably from the information it stored itself. Not from Let's Encrypt in any way, that's for sure.
Please see the win-acme/WACS documentation. E.g. win-acme.
Not a clue, I don't run Windows myself, not for my workstations nor my servers.
I actually don't mind those emails. Better to be informed. I don't need to unsubscribe from emails. It is good to know that I'll be warned about other domains, if any renewals fail.
But when I start wacs.exe it shows the list of all domains in my IIS, and even deleted ones. Including one domain for which it always shows that it failed renewal. It shows the total number of domains and always says 1 failed.
As I said, I deleted the web site from the server, deleted the certificate from Windows certificate storage, deleted the ...-csr.pem and ... -temp.pfx files which belong to that certificate from this folder:
\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
I see that there are a couple of entries in the registry here:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\SslSniBindingInfo{...}]
I did not delete those registry entries because I am hesitant to manually remove them on a mission-critical production server. Cannot afford any surprises that might affect anything else.
ok, thank you.
By the way I also followed the documentation from here
and deleted the .json file.
The domain still shows up on the list and it still says failed to renew when I run renewal for all domains.
I have the cert history, it is ok, it was a legitimate web site and it needed a certificate and it had one. Now the web site is shut down, deleted from my IIS and not on any other server.
I just want it all to be clean with no failing attempts for anything that is gone.
Regarding win-acme showing a site that doesn't exist, it's either reading it from IIS or it's reading it from C:\ProgramData\win-acme but there's also a chance there is some old config in the registry as per https://www.win-acme.com/manual/upgrading/to-v1.9.9
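The reply above names three places the retired site could still be surfacing from: IIS bindings, the win-acme state folder under C:\ProgramData\win-acme, and HTTP.sys SNI binding entries in the registry (the earlier post shows the same key under ControlSet002). The following read-only audit script is an added example, not code from the thread or from the win-acme project; it lists what each location still holds for one hostname so the leftover can be identified before anything is removed. It assumes the default win-acme state path and uses CurrentControlSet, which resolves to the active control set; `retired.example.com` is a placeholder hostname. It changes nothing, so it is safe to run on a production host.

```powershell
# Added example, not from the forum thread or from win-acme.
# Read-only audit of where a retired hostname may still be referenced on an IIS host.
# Run in an elevated PowerShell session. $Domain is a placeholder; substitute your hostname.
$Domain = 'retired.example.com'
$Pattern = [regex]::Escape($Domain)

# 1. win-acme state on disk (default location; adjust if the client was installed elsewhere).
$WacsRoot = 'C:\ProgramData\win-acme'
if (Test-Path $WacsRoot) {
    Write-Host "== Files under $WacsRoot whose name contains $Domain =="
    Get-ChildItem -Path $WacsRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Domain*" } |
        Select-Object -ExpandProperty FullName

    Write-Host "== JSON files under $WacsRoot whose content mentions $Domain =="
    Get-ChildItem -Path $WacsRoot -Recurse -File -Filter *.json -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -List |
        Select-Object -ExpandProperty Path -Unique
} else {
    Write-Host "win-acme state folder not found at $WacsRoot"
}

# 2. IIS site bindings (requires the WebAdministration module shipped with IIS).
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Get-Module WebAdministration) {
    Write-Host "== IIS bindings referencing $Domain =="
    Get-WebBinding | Where-Object { $_.bindingInformation -like "*$Domain*" } |
        Select-Object protocol, bindingInformation, certificateHash, certificateStoreName
}

# 3. HTTP.sys SNI bindings: registry view and the netsh view of the same data.
$SniKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslSniBindingInfo'
if (Test-Path $SniKey) {
    Write-Host "== SslSniBindingInfo subkeys (hostname:port) matching $Domain =="
    Get-ChildItem -Path $SniKey | Where-Object { $_.PSChildName -like "*$Domain*" } |
        Select-Object -ExpandProperty PSChildName
}
Write-Host "== netsh http show sslcert entries matching $Domain =="
netsh http show sslcert | Select-String -Pattern $Pattern -Context 0,6

# 4. Certificates left in the machine stores that name the host (subject or SAN).
Write-Host "== Machine-store certificates naming $Domain =="
Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like "*$Domain*" -or $_.DnsNameList.Unicode -contains $Domain } |
    Select-Object Thumbprint, Subject, NotAfter
```

An entry reported in section 3 but not in section 2 is the pattern the earlier post describes: the IIS site is gone but an HTTP.sys SNI binding for the hostname survives. Whichever location still references the host is where the client is most likely picking it up from; the cleanup itself belongs to the client's own documentation, as the thread says.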
Thank you very much everyone who responded.
Appreciate so many responses, and so fast.
I’ve never had any older versions of the client installed. This is a new server, only a couple of months old.
Anyway, I realize that the issue is not related directly to LetsEncrypt but rather to the client and I’ll take this discussion to the appropriate forum for the client.
I still think Certify The Web is a good option. But, if you continue with win-acme you might consider using simple-acme instead. Wouter Tinus, the primary maintainer of win-acme in recent years, forked it and describes this here: simple-acme
I am not saying win-acme is bad. Just that I think this is a significant event. You have to assess which is better for you.
If nothing else, review the simple-acme page I linked. At least starting at the "Keeping things going" section.
Mike,
Thank you so much.
What you pointed out is so valuable.
After reading about the fork it seems that there’s no point anymore for anyone to use win-acme and it only makes sense for everyone to move on with simple-acme.
Much appreciate it!