Is there a way to get the (SHA-1) ID of the old (replaced) cert identity in a certbot renewal-hook script?

I have developed a deploy hook script for macOS Server which I published here a while back. While this works, there is one issue left: if on macOS Server you have multiple certificates for the same domain (e.g. for different services), then the script is not capable of removing the outdated, just-replaced certificate from macOS Server, as it doesn’t know which one of the ones still there is the just-replaced one.

I could fix that if I knew, in the deploy-hook script, which certificate ID (SHA-1) was replaced. Is there a way to do this?

My domain is: (but only available during certification, no website here)

The operating system my web server runs on is (include version): macOS High Sierra

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1

Since you use certbot, the deploy hook is providing you the new certificate, and you have an archive in /etc/letsencrypt/archive/yourdomain/ numbered by creation order.
It should be possible to check the last certificate in the archive not equal to the created certificate and get its characteristics to remove it from the system.

Now, if I had to do something like that on Linux, I’d also consider using a systemd service running daily and, in the deploy hook, just adding somewhere a reference to the new certificate for the systemd service to examine; when the certificate is 91 days old, the systemd service removes it from the system.


Hi @gctwnl

Is there a way to get the (SHA-1) ID of the old (replaced) cert identity

You can compute the SHA-1 (or SHA-256) hash values of all certificates.

Load the PEM-file -> transform it to a byte array -> compute the hash value -> save the hash value with a standard name in the directory.

But you don’t need it; a simple string comparison should do the same: identical, yes or no.

You could also use openssl x509 -fingerprint -noout -in "$RENEWED_LINEAGE/cert.pem" to get the SHA-1 fingerprint that you might want (in this case, for the new certificate rather than for the old one).

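A deploy hook that puts both replies together, as an added example and not the script from the original post or certbot's own code: it resolves the new certificate through the live/ symlink, picks the highest-numbered older certN.pem in the same archive directory (the "last certificate in the archive not equal to the created certificate"), and prints the SHA-1 fingerprint of both with openssl, so the old fingerprint can be handed to whatever removes that identity from the server. It assumes certbot's standard layout (live/<name>/cert.pem is a symlink into archive/<name>/certN.pem, N increasing with each issuance) and the RENEWED_LINEAGE variable that certbot exports to --deploy-hook scripts; the helper names and the commented-out removal step are hypothetical.

```sh
#!/bin/sh
# Added example deploy hook (not the script from the original post).
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# to --deploy-hook scripts. Everything else is an assumption about certbot's
# standard layout: live/<name>/cert.pem -> ../../archive/<name>/certN.pem.
set -eu

# SHA-1 fingerprint of a PEM certificate as colon-separated hex.
# Pipe through `tr -d ':'` if the consuming tool wants bare hex.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# Resolve live/<name>/cert.pem to the absolute archive/<name>/certN.pem path.
current_archive_cert() {
    target=$(readlink "$1/cert.pem") || return 1
    case "$target" in
        /*) ;;                       # already absolute
        *)  target="$1/$target" ;;   # certbot uses relative links
    esac
    dir=$(cd "$(dirname "$target")" && pwd -P)
    printf '%s/%s\n' "$dir" "$(basename "$target")"
}

# Digits N from a certN.pem path; fails on anything else (fullchain1.pem, ...).
cert_number() {
    n=$(basename "$1" .pem)
    n=${n#cert}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$n"
}

# The archive certificate the new one replaced: the highest-numbered certN.pem
# below the new N. Compares numerically, so cert10 sorts after cert9.
# Returns 1 and prints nothing on first issuance, when nothing older exists.
previous_archive_cert() {
    new_num=$(cert_number "$1") || return 1
    dir=$(dirname "$1")
    best=""
    best_num=0
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        n=$(cert_number "$f") || continue
        if [ "$n" -lt "$new_num" ] && [ "$n" -gt "$best_num" ]; then
            best="$f"
            best_num="$n"
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

deploy_hook() {
    new=$(current_archive_cert "$1")
    new_fp=$(cert_fingerprint "$new")
    echo "installed: $new SHA1=$new_fp"
    if old=$(previous_archive_cert "$new"); then
        old_fp=$(cert_fingerprint "$old")
        echo "replaced:  $old SHA1=$old_fp"
        # Hypothetical: hand "$old_fp" to the command that removes that
        # identity from the server; the thread does not show that command.
    else
        echo "first issuance for this lineage; nothing to remove"
    fi
}

# certbot sets RENEWED_LINEAGE only while running hooks; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script.sh` (or the deploy_hook directive in the renewal config); to dry-run it by hand, export RENEWED_LINEAGE=/etc/letsencrypt/live/yourdomain and run it. Matching on the fingerprint rather than on the subject name is what makes removal safe when several certificates exist for the same domain: the fingerprint pins exactly one certificate, whereas the domain name matches all of them.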
