The error in question makes me think that this is a manually-created cron job that specifically references the certificate name in the cron task. If not, I'm very curious about what could have caused this!
I did not create my own version. I maintain a site that uses name based virtual hosting. There are around 500 certificates / domains. In the last 60 days there have been maybe 40 adds and 40 revokes. The file for certbot certificates is large. If you think that will help, I can provide it. I showed an example of a recurring event. I believe this is the job that is run. It runs at various times.
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
I think there may be some confusion between revoke and delete.
[Or I don't understand why you are revoking certificates instead of just deleting them]
I am confused. When I revoked a cert I see "Deleted all files relating to certificate drjacobsadighonline.com". What I want to do is: prevent any further use of this certificate, delete all the associated files and clean up anything remaining, as this certificate / domain is no longer valid. How do I do that?
You should only REVOKE a certificate when you are certain that it has been compromised (or are at least doubtful of the security of the private key file).
You should only have to DELETE a certificate when you are no longer in need of it.
Can you post "sudo ls -l /etc/letsencrypt/archive/drjacobsadighonline.com /etc/letsencrypt/live/drjacobsadighonline.com /etc/letsencrypt/renewal/drjacobsadighonline.com.conf"?
I'm confused too. If certbot revoke really did delete all of the files, the files are deleted and there aren't any other steps to take.
The error message in the first post should only have happened if you then ran something like "sudo certbot renew --cert-name already-deleted-certificate.com". In that case, the question would be why you're doing that, and the only other step would be to stop running it.
Or when you no longer control the domain (like if a hosting customer has moved to another company).
Thank you. This situation is like a subscription service. When a customer drops the subscription, the domain name is dropped by my client. What I wanted to prevent is someone claiming that domain name and doing something with that letsencrypt certificate. That scenario, I believe, is not likely; however, I was erring on the side of an overabundance of caution. The operative part is that we do not control the domain anymore, so do you agree that the right procedure is to revoke?
Well, my interpretation is that section 3.2 of the Subscriber Agreement requires it.
Aside from that, I don't have extremely strong feelings about it (when people move services, usually the old company isn't massively evil or out to get them), but revoking is tidier and more responsible, and it's good when people want to do right by former customers.
I see 2 issues have come up. 1) Do I do either a revoke or a delete? Unless directed otherwise, I will be revoking them. See the posts in the thread about this. 2) I see the message in the email I get from the cron renewal job. I do not believe it shows up in the logs. I am going to wait until I have another example to show what is happening now. But the tentative description of the issue is that revoke may not clean up all the things that it should. I need to check all the entries under ls -l /etc/letsencrypt/ for a domain after I revoke the cert. It may turn out that when the renew process sees an error like this:
No certificate found with name drjacobsadighonline.com (expected /etc/letsencrypt/renewal/drjacobsadighonline.com.conf).
it fixes the problem and continues. It writes the entry in the email, and not the log.
It would be really helpful to see some of that ls output, because perhaps there's a bug in Certbot (which ought to delete all the relevant files if it claims that it's deleting them).
I need to set it up to run as part the control routines.
sudo ls -l /etc/letsencrypt/archive/XXXXXXXX.com /etc/letsencrypt/live/XXXXXXXX.com /etc/letsencrypt/renewal/XXXXXXXX
When I revoke, I do this:
certbot revoke -n --cert-path 'lets-live etc XXXXXXX.com' --reason superseded
certbot delete -n --cert-name XXXXXXX.com
I also clean up the apache .conf files
After my job does its stuff, I have to do the ls shown above for a domain that I am revoking, and:
- Mail from the letsencrypt renewal run
- Corresponding letsencrypt logs
The 'ls -l' needs to be run before the certbot renew run starts.
I do not know how the renew is controlled. If it is kicked off by reading the list of files under renewal that correspond to domains and certs, and the msg I get in the cron mail is:
No certificate found with name XXXXXXXX…com (expected /etc/letsencrypt/renewal/XXXXXXXX.com.conf).
I suspect that the renew job is tidying and finishing the rest of the cleanup.
Because as far as I can tell, I do not see any more messages about
No certificate found with name XXXXXXXX…com (expected /etc/letsencrypt/renewal/XXXXXXXX.com.conf).
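The revoke-then-delete procedure posted above, together with the three-path ls check that was asked for, as an added example script (not the poster's maintenance job or anything from Certbot itself). It assumes the standard certbot layout under /etc/letsencrypt (overridable through LE_ROOT for testing) and that the leaf certificate lives at live/<name>/cert.pem; the --reason value is the one used in the thread. Because the earlier post reports that revoke already printed "Deleted all files relating to certificate ...", the delete step is only run when the renewal conf still exists, which avoids a second "No certificate found with name ..." failure, and the check runs immediately after, before any timer-driven renew can touch the tree.

```shell
#!/bin/sh
# Added example: retire a certbot lineage for a domain the site no longer controls,
# then verify that nothing is left behind. Not code from the thread or from Certbot.
# Assumptions: certbot-managed tree under $LE_ROOT, leaf cert at live/<name>/cert.pem.

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"   # override when testing against a scratch tree
CERTBOT="${CERTBOT:-certbot}"            # override with a stub to dry-run the flow

# Print any file certbot should have removed for a lineage.
# Same three paths as the "sudo ls -l archive/ live/ renewal/" check in the thread.
# Exit status 0 when clean, 1 when anything remains.
le_leftovers() {
  name="$1"
  rc=0
  for p in "$LE_ROOT/archive/$name" "$LE_ROOT/live/$name" "$LE_ROOT/renewal/$name.conf"; do
    if [ -e "$p" ]; then
      printf 'leftover: %s\n' "$p"
      rc=1
    fi
  done
  return $rc
}

# Revoke the certificate (reason "superseded", as used in the thread), then delete the
# lineage only if revoke did not already remove it: the thread reports that revoke
# itself printed "Deleted all files relating to certificate ...", and a following
# "certbot delete" would then fail with "No certificate found with name ...".
# Finally run the leftover check while the tree is still in the post-revoke state.
retire_cert() {
  name="$1"
  "$CERTBOT" revoke -n --cert-path "$LE_ROOT/live/$name/cert.pem" --reason superseded || return 1
  if [ -e "$LE_ROOT/renewal/$name.conf" ]; then
    "$CERTBOT" delete -n --cert-name "$name" || return 1
  fi
  le_leftovers "$name"
}

# Usage: sudo sh retire.sh example.com   (the Apache vhost .conf is cleaned up separately)
if [ -n "${1:-}" ]; then
  retire_cert "$1"
fi
```

Running this from the maintenance job right after each revoke gives the "state of the files after a revoke and before the renewal ran" that the thread was trying to capture; any "leftover:" line is the ls output worth posting.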
"show the cron job" - See the September 3 post above, the one that begins with "I did not create my own version."
I have a cron job that does maintenance. It requests new certs and revokes old.
The renewal job runs on a timer, at different times. I was hoping I could catch the state of the files after a revoke and before the renewal ran. It did not work, so I added a step after it does the revokes. Instead of linux ls, I am using php glob. See snippet below. As soon as I see a revoke, I will include the output here. I will help in any way I can. If you want to private message me that's fine.