I have just read about the zombie client problem (link), and the preventive functions.
I know that I have domains that time after time don't get renewed and to be honest I also seem to remember error messages (email), which I would quickly identify like "oh, it's because it doesn't exist now", and I'd move on.
Out of curiosity, I just looked at my domain list that the apache certbot would display...
and I saw several domain names which I don't have the DNS service linked to...
I'm not negligent... I had just thought that I'd have those domains back sooner or later...
I would normally issue a2dissite for domains that are not in "use" (in my ownership), hoping that certbot will realize the situation... But I might have been negligent enough to forget about this little task, too....
Anyway, now I promise I'll make sure not to waste any amount of letsencrypt's resources...
I will regularly run certbot certificates, copy the result, check for "invalid: expired!" statuses and delete the zombie certificates which I had created
suggestion: #1 a self-checking task list would be great... which people could refer to...
#2 a function could be created, perhaps extending certbot certificates with options like stat / info (meaning a brief info about okay / not okay...
and problems ... which would list the problematic certificates only...
these functions could make it easy to get a quick picture of the state of things...
which would give an easy but regular "job" for the site admins... which could be a great thing, unlike getting used to having to do nothing cause certbot is sooo intuitive and perfect
That said, wouldn't something like below be enough to quickly identify issues? I don't have an expired cert to check so adjust the grep search term(s) accordingly
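As an added example (not the snippet the reply above refers to, and not part of certbot), here is one way to do the check the original poster describes: feed the output of `certbot certificates` through a small parser that prints only the certificates whose expiry line carries an INVALID status. The sample output embedded below is constructed to resemble certbot's format; the field names and the `(INVALID: ...)` / `(VALID: ...)` markers are assumed to match what your certbot version prints, so adjust the awk patterns if yours differs.

```shell
#!/bin/sh
# Added example: list certbot-managed certificates whose "Expiry Date" line
# reports an INVALID status (EXPIRED or TEST_CERT), i.e. the zombie
# candidates to review and remove with `certbot delete --cert-name NAME`.

# Reads `certbot certificates` output on stdin and prints "<name> <status>"
# for every certificate whose expiry line is marked INVALID.
list_invalid_certs() {
  awk '
    /^[[:space:]]*Certificate Name:/ { name = $3 }
    /^[[:space:]]*Expiry Date:/ && /\(INVALID:/ {
      # status is the text between "(INVALID: " and the closing ")"
      s = $0
      sub(/.*\(INVALID: */, "", s)
      sub(/\).*/, "", s)
      print name, s
    }
  '
}

# Constructed sample resembling `certbot certificates` output (assumption:
# real output uses the same labels; only the Name and Expiry lines matter here).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: live.example.com
    Serial Number: 1
    Key Type: ECDSA
    Domains: live.example.com www.live.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/live.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/live.example.com/privkey.pem
  Certificate Name: old.example.org
    Domains: old.example.org
    Expiry Date: 2020-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.org/fullchain.pem
  Certificate Name: staging.example.net
    Domains: staging.example.net
    Expiry Date: 2030-01-01 00:00:00+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/letsencrypt/live/staging.example.net/fullchain.pem
'

# Number of problematic certificates found in the constructed sample.
count_invalid_in_sample() {
  printf '%s\n' "$SAMPLE_OUTPUT" | list_invalid_certs | wc -l | tr -d ' '
}

# On a real host (certbot usually needs root to read /etc/letsencrypt):
#   certbot certificates 2>/dev/null | list_invalid_certs
printf '%s\n' "$SAMPLE_OUTPUT" | list_invalid_certs
```

Run it as a cron job and you get a short list of names to act on instead of scrolling through the full `certbot certificates` dump; an empty output means nothing needs attention.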
You might also consider a monitoring service. That will let you know of cert expirations before they occur. Several are mentioned below. Let's Encrypt announced in Jan they would stop emailing expiration notices. And, since that has now ended (see blog) these may be helpful.
For people interested in monitoring renewal failures (rather than just cert expiry) you are welcome to try out Certify Management Hub and Certify Management Agent - it's still in development but might work for you.
The hub provides a UI which can be hosted in docker or run as a service directly and can provide centralised cert management or just be used for monitoring.
The agent is a systemd service that can either perform cert renewal tasks on that instance or can be used to monitor 3rd party acme clients (currently Certbot, acme.sh, win-acme, simple-acme and Posh-ACME). Again, that could run either directly or in docker. It's a little heavy on RAM currently, but that should be reduced in future updates. The monitoring agent is currently very new and I don't believe anyone has actually tried it in production yet.
You can configure paths in the hub UI under Settings > General > External Cert Managers with the target agent instance selected.
For me, your search code (as well as Mike's) is a perfect solution...
But of course, the point is to offer a good method for mostly everyone...
I'm sure many would choose webprofusion's suggestions, headless or with a head
Thank you for your suggestion.
Personally, I don't like the "capitalist" model of building premium or freemium services on free stuff (software / services)...
Even building services (free or not free), for comfort's sake, upon a service, seems to me as a waste of resources...
Reducing the bot traffic, for example, is an environmentally conscious issue these days...
But thank you!
It would also be useful if certbot (and most ACME clients really) wrote the last attempted result [and count of sequential failures] to the renewal .conf or equivalent, rather than just using free text logging, because then you could see a summary of failing renewals before they expire.
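The post above asks for a machine-readable record of the last renewal result and the failure streak. As an added illustration (not certbot's behaviour and not code from anyone in the thread), the wrapper below runs whatever renewal command it is given, and stores the outcome and the count of consecutive failures in a small key=value state file that a monitoring check can read without parsing free-text logs. The state file path and key names are my own choice.

```shell
#!/bin/sh
# Added example: wrap a renewal command (e.g. `certbot renew`) and persist
# its result plus the number of consecutive failures in a key=value file.

# Usage: record_renewal_result STATE_FILE COMMAND [ARGS...]
record_renewal_result() {
  state="$1"; shift
  failures=0
  # Carry over the previous failure streak if the state file already exists.
  if [ -f "$state" ]; then
    failures=$(sed -n 's/^consecutive_failures=//p' "$state")
    : "${failures:=0}"
  fi
  # `if cmd` is safe under `set -e`: a failing command does not abort the script.
  if "$@"; then
    result=success
    failures=0
  else
    rc=$?                      # read the exit status before running anything else
    result="failure(exit=$rc)"
    failures=$((failures + 1))
  fi
  # Write the summary atomically-enough for a cron job: tmp file then rename.
  printf 'last_result=%s\nlast_attempt=%s\nconsecutive_failures=%s\n' \
    "$result" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$failures" > "$state.tmp"
  mv "$state.tmp" "$state"
}

# Usage: failure_streak STATE_FILE  -> prints the consecutive-failure count (0 if unknown)
failure_streak() {
  n=$(sed -n 's/^consecutive_failures=//p' "$1" 2>/dev/null)
  printf '%s\n' "${n:-0}"
}

# Real use, from cron (assumed path for the state file):
#   record_renewal_result /var/lib/renewal-state/certbot.state certbot renew -q
# A monitor then alerts when `failure_streak` exceeds a threshold, well before expiry.
```

The point of the state file is that "has renewal been failing for three runs in a row?" becomes a one-line check rather than a log search, which is exactly the summary the post is asking for.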