I have developed a deploy hook script for macOS Server which I published here a while back. While this works, there is one issue left: if on macOS Server you have multiple certificates for the same domain (e.g. for different services), then the script is not capable of removing the outdated, just-replaced certificate from macOS Server, as it doesn't know which one of the ones still there is the just-replaced one.
I could fix that if I knew, in the deploy-hook script, which certificate ID (SHA-1) was replaced. Is there a way to do this?
My domain is: dumbledore.rna.nl (but only available during certification, no website here)
The operating system my web server runs on is (include version): macOS High Sierra
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1
Since you use certbot, the deploy hook is providing you the new certificate, and you have an archive in /etc/letsencrypt/archive/yourdomain/ numbered by creation order.
It should be possible to check the last certificate in the archive not equal to the created certificate and get its characteristics to remove it from the system.
Now, if I had to do something like that on Linux, I'd also consider using a systemd service running daily, and in the deploy hook just add somewhere a reference to the new certificate for the systemd service to examine; when the certificate is 91 days old, the systemd service removes it from the system.
You could also use openssl x509 -fingerprint -noout -in "$RENEWED_LINEAGE/cert.pem" to get the SHA-1 fingerprint that you might want (in this case, for the new certificate rather than for the old one).
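Putting the two replies above together, here is an added example (not code from either poster or from certbot) of what a deploy hook can do: resolve the `live/<domain>/cert.pem` symlink that `$RENEWED_LINEAGE` points at, pick the archive entry numbered one below it as the just-replaced certificate, and compute the same SHA-1 fingerprint that `openssl x509 -fingerprint` prints, from the PEM alone. The `build_sample_lineage` helper and its placeholder certificate bodies are constructed for offline demonstration and are not real DER certificates; the fingerprint arithmetic is identical for real ones.

```python
import base64
import hashlib
import os
import re
import tempfile

CERT_RE = re.compile(r"^cert(\d+)\.pem$")


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    block = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if block is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(block.group(1).split()))


def fingerprint_of_der(der):
    """Colon-separated upper-case SHA-1, the format openssl x509 -fingerprint uses."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def sha1_fingerprint(pem_path):
    with open(pem_path) as fh:
        return fingerprint_of_der(pem_to_der(fh.read()))


def previous_cert(renewed_lineage):
    """Path of the archived cert numbered just below the one cert.pem links to, or None."""
    current_path = os.path.realpath(os.path.join(renewed_lineage, "cert.pem"))
    match = CERT_RE.match(os.path.basename(current_path))
    if match is None:
        raise ValueError(f"unexpected archive file name: {current_path}")
    archive_dir = os.path.dirname(current_path)
    current = int(match.group(1))
    older = [int(m.group(1)) for m in map(CERT_RE.match, os.listdir(archive_dir))
             if m and int(m.group(1)) < current]
    return os.path.join(archive_dir, f"cert{max(older)}.pem") if older else None


# Constructed DER stand-ins (assumption: placeholder bytes, not real certificates).
SAMPLE_DER = {1: b"constructed-der-one", 2: b"constructed-der-two"}


def build_sample_lineage(domain="dumbledore.rna.nl"):
    """Create a throw-away certbot-style tree: archive/<domain>/certN.pem and live/<domain>/cert.pem."""
    root = tempfile.mkdtemp()
    archive, live = os.path.join(root, "archive", domain), os.path.join(root, "live", domain)
    os.makedirs(archive), os.makedirs(live)
    for n, der in SAMPLE_DER.items():
        body = base64.encodebytes(der).decode()
        with open(os.path.join(archive, f"cert{n}.pem"), "w") as fh:
            fh.write(f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n")
    os.symlink(f"../../archive/{domain}/cert{max(SAMPLE_DER)}.pem", os.path.join(live, "cert.pem"))
    return live  # what certbot passes as $RENEWED_LINEAGE
```

In a real hook, `previous_cert(os.environ["RENEWED_LINEAGE"])` gives the path whose fingerprint identifies the certificate to remove from macOS Server; it returns None on a first issuance, when there is nothing to replace.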