Install/renew / delete + rate-limits + apache


#1

Dear staff,

Please let me know how I can find out how many installs/renewals I have done for a domain or from an IP address, so I know how many tries, or installs/renewals, I can still do later if needed.

Also, please tell me how I can delete an installed cert from your database, or is this function totally irrelevant / useless, and will there never be any kind of feature for this?

Finally, how can I install SSL for a domain (e.g. CentOS / Apache) with the certonly and standalone options without having to stop Apache so the script can bind the new installation to port 443?

Looking forward to your answer.


#2

I would be interested to know how to delete a subdomain from a certificate too.


#3

The easiest way I find is to search for your domain at https://crt.sh/ and you can see exactly what certificates have been issued, when.

Do you mean remove it from the LetsEncrypt database (to me that seems totally irrelevant) or do you mean remove it from your current certificates on your server?

I’m not sure I understand the scenario here. If you already have apache running, why do you want to stop it to run the client in standalone mode? I’d just run it, using the existing apache (no need to stop it) to host the relevant tokens as proof of ownership, and then add the certificate and reload apache (this effectively enables apache to start using the new certificate without stopping any existing connections).


#4

These results appear to be incomplete, for me at least.

It would be very nice indeed to be able to query LetsEncrypt directly for information like this. Is it possible that the capability exists and I’ve just missed it?


#5

Note that Certificate Transparency Log servers have a merge delay, and crt.sh won’t fetch those updates in realtime either, so you won’t see new certificates right away. If you actually have a certificate (not from staging) and it hasn’t shown up on crt.sh in a long time, please post the serial number - that would be a rather serious bug in the CA server (or crt.sh).

There’s no way to query Let’s Encrypt directly as of right now. There are plans to expose the current rate limit status (e.g. current counter, reset, etc.) as part of the ACME protocol in the future (which could then be displayed or logged by clients), but nothing concrete yet.


#6

Thank you for the link: https://crt.sh/
Is there a limit on how many search requests are allowed from an IP address?

I mean, delete from your database. So, if somebody changes his mind and doesn’t want to use his registered LE crt, he just deletes it from the server he installed it on before, and that’s it?

It’s good to know that it should work fine without stopping Apache, but I always get “no vhost exist” for any kind of domain I try to install. I didn’t find where I should change the conf files so the le-auto script could find these vhosts.


#7

As far as I’m aware there is no limit on searches allowed from an IP. You may be interested in the script that automates searches on there - lectl (written by @sahsanu).

Yes, just delete it from the server, and that’s fine (it will still show as issued by crt.sh of course), but if you no longer want it you can simply delete it.

This is probably because you don’t have your domains in separate vhosts files in your apache config. Letsencrypt-auto expects them to be in separate files, not all in the same file.


#8

https://crt.sh/ is operated by Comodo out of good will, so probably if you’re going to do a lot of queries, especially over a prolonged period you should consider building your own monitor instead. That’s what crt.sh is, a monitor (with a nice web UI) of the CT logs. The API for monitoring logs is documented, and Google requires the logs to achieve defined performance to remain listed as authorised logs in Chrome releases so they should be fairly robust.
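The question running through posts #1, #3, #4, #7 and #8 is how to count what has already been issued for a domain so you know where you stand against the rate limits, given that Let’s Encrypt itself exposes no counter yet. The following is an added example, not code from the thread, from lectl, or from crt.sh: it takes rows in the shape crt.sh’s JSON output uses (field names `id`, `name_value` and `not_before`, one row per certificate with SAN names separated by newlines, which is an assumption about that output), deduplicates them, and reports the peak number of certificates per registered domain inside any rolling window. The window length and the per-domain limit are parameters; the sample rows are constructed and the `registered_domain` helper is a naive two-label approximation, not the Public Suffix List logic the CA uses.

```python
"""Count certificates per registered domain in rolling windows from crt.sh-style JSON."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, modelled on what https://crt.sh/?q=%25.example.com&output=json
# returns (assumed fields: id, name_value, not_before). These are not real certificates;
# the duplicate of id 1 stands in for the repeated rows crt.sh can emit per log entry.
SAMPLE_ROWS = json.dumps([
    {"id": 1, "name_value": "example.com\nwww.example.com", "not_before": "2016-03-01T10:00:00"},
    {"id": 1, "name_value": "example.com\nwww.example.com", "not_before": "2016-03-01T10:00:00"},
    {"id": 2, "name_value": "example.com\nwww.example.com", "not_before": "2016-03-03T10:00:00"},
    {"id": 3, "name_value": "blog.example.com", "not_before": "2016-03-06T10:00:00"},
    {"id": 4, "name_value": "example.com", "not_before": "2016-03-20T10:00:00"},
    {"id": 5, "name_value": "foobar.org\nwww.foobar.org", "not_before": "2016-03-05T10:00:00"},
])


def registered_domain(name):
    """Naive registered domain: the last two labels. Assumption: this ignores
    multi-label public suffixes such as co.uk, which the CA resolves via the
    Public Suffix List; good enough to group the sample data."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def load_certificates(json_text):
    """Parse crt.sh-style rows, drop duplicate ids, and return a list of
    (not_before, {registered domains}) sorted by issuance time."""
    seen = set()
    certs = []
    for row in json.loads(json_text):
        if row["id"] in seen:
            continue
        seen.add(row["id"])
        issued = datetime.fromisoformat(row["not_before"])
        domains = {registered_domain(n) for n in row["name_value"].split("\n") if n}
        certs.append((issued, domains))
    certs.sort(key=lambda cert: cert[0])
    return certs


def peak_per_window(certs, window=timedelta(days=7)):
    """For each registered domain, the largest number of certificates whose
    not_before dates fall inside any span shorter than `window`."""
    by_domain = defaultdict(list)
    for issued, domains in certs:
        for domain in domains:
            by_domain[domain].append(issued)
    peaks = {}
    for domain, times in by_domain.items():
        times.sort()
        best, start = 0, 0
        for end, current in enumerate(times):
            # Slide the window start forward until every entry is within `window` of `current`.
            while current - times[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[domain] = best
    return peaks


def remaining(peaks, limit):
    """Certificates still available under an assumed per-registered-domain limit.
    `limit` is a placeholder: take the real figure from Let's Encrypt's rate-limit documentation."""
    return {domain: max(limit - used, 0) for domain, used in peaks.items()}


if __name__ == "__main__":
    certificates = load_certificates(SAMPLE_ROWS)
    peaks = peak_per_window(certificates)
    for domain, used in sorted(peaks.items()):
        print(f"{domain}: peak of {used} certificates in any 7-day window")
```

Replacing `SAMPLE_ROWS` with the body of a real crt.sh query (or a feed from your own CT monitor, as post #8 suggests) gives the per-domain count the original poster asked for; note that, because of the merge delay post #5 describes, the most recent issuances may be missing from whatever the log has published so far.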


#9

What you can do is create the certificates using webroot authentication. Webroot puts a hidden temporary file in your website so Let’s Encrypt can verify you control the domain. You use it like this:
letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/foobar -d foobar.org

This will create a single certificate containing three domains, and you don’t have to stop Apache to use it. It only creates the certificate, it doesn’t configure Apache, so you’ll have to adjust your vhosts file yourself. I have all my vhosts in a single file for convenience, and it’s not hard to add the lines for SSL/TLS.

To renew, it’s “letsencrypt renew”.

You should read the full documentation here, particularly about webroot. Good luck!

EDIT: Make sure you point Apache to the “letsencrypt/live” files, not the ones in “archive”. The “live” directory contains symlinks to the latest certificates, even after you renew.
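To show what the `-w`/`-d` grouping in the command above actually means and where the “hidden temporary file” ends up, here is an added example that is not part of the post and not letsencrypt/certbot code. It maps each `-d` domain to the most recent `-w` webroot, the way that command line is interpreted, then writes a challenge response under `.well-known/acme-challenge/` in the right webroot and returns the URL the CA would fetch. The token and key authorization values are constructed, and the demo rewrites `/var/www` to a temporary directory so it runs anywhere; the token check is a defensive addition of mine, not something the post describes.

```python
"""Map -w/-d arguments to webroots and place an HTTP-01 challenge file."""
import os
import re
import tempfile


def webroot_map(argv):
    """Map each -d domain to the -w webroot that precedes it on the command line:
    every -d applies to the most recent -w, as in the post's example invocation."""
    mapping = {}
    current_root = None
    args = iter(argv)
    for arg in args:
        if arg in ("-w", "--webroot-path"):
            current_root = next(args)
        elif arg in ("-d", "--domain"):
            domain = next(args)
            if current_root is None:
                raise ValueError(f"-d {domain} appears before any -w webroot")
            mapping[domain] = current_root
    return mapping


# HTTP-01 tokens are URL-safe base64 (RFC 8555). Refusing anything else keeps a
# malformed token from ever being used as a path component such as "../".
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")


def place_challenge(webroots, domain, token, key_authorization):
    """Write the challenge response under the domain's webroot; return (path, url)."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside the URL-safe base64 alphabet")
    directory = os.path.join(webroots[domain], CHALLENGE_SUBDIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    return path, f"http://{domain}/.well-known/acme-challenge/{token}"


def read_challenge(path):
    """Read the file back, standing in for the GET the CA performs through Apache."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


# The post's command line as an argument list.
EXAMPLE_ARGV = [
    "certonly", "--webroot",
    "-w", "/var/www/example", "-d", "example.com", "-d", "www.example.com",
    "-w", "/var/www/foobar", "-d", "foobar.org",
]


def demo():
    """Run the mapping against the post's command line with /var/www rewritten to a
    temporary directory, place one constructed token, and return what was produced.
    The temporary directory is removed on return; the strings remain valid."""
    with tempfile.TemporaryDirectory() as tmp:
        argv = [a.replace("/var/www", tmp) for a in EXAMPLE_ARGV]
        roots = webroot_map(argv)
        # Constructed token and key authorization, not real ACME values.
        path, url = place_challenge(roots, "www.example.com",
                                    "tok_constructed-001", "tok_constructed-001.thumbprint")
        body = read_challenge(path)
    return roots, path, url, body


if __name__ == "__main__":
    roots, path, url, body = demo()
    print(roots)
    print(path, "->", url)
    print("served body:", body)
```

The point for the original poster’s “no vhost exist” problem is visible here: webroot mode never touches the Apache configuration at all, so the vhost layout does not matter as long as each `-w` directory is the one Apache serves for the domains that follow it.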

