The error in question makes me think that this is a manually-created cron job that specifically references the certificate name in the cron task. If not, I’m very curious about what could have caused this!
I did not create my own version. I maintain a site that uses name based virtual hosting. There are around 500 certificates / domains. In the last 60 days there have been maybe 40 adds and 40 revokes. The file for certbot certificates is large. If you think that will help, I can provide it. I showed an example of a recurring event. I believe this is the job that is run. It runs at various times.
# /etc/cron.d/certbot: crontab entries for the certbot package
# Upstream recommends attempting renewal twice a day
# Eventually, this will be an opportunity to validate certificates
# haven’t been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
I am confused. When I revoked a cert I see Deleted all files relating to certificate drjacobsadighonline.com. What I want to do is: prevent any further use of this certificate, delete all the associated files and cleanup anything remaining, as this certificate / domain is no longer valid. How do I do that?
Can you post “sudo ls -l /etc/letsencrypt/archive/drjacobsadighonline.com /etc/letsencrypt/live/drjacobsadighonline.com /etc/letsencrypt/renewal/drjacobsadighonline.com.conf”?
I’m confused too. If certbot revoke really did delete all of the files, the files are deleted and there aren’t any other steps to take.
The error message in the first post should only have happened if you then ran something like “sudo certbot renew --cert-name already-deleted-certificate.com”. In that case, the question would be why you’re doing that, and the only other step would be to stop running it.
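The check requested above, as an added example that is not part of the original thread: it reports which of the three lineage paths still exist for a certificate name and which files still mention that name. The function names and the `*.example.test` names are constructed for illustration; the directory layout is the one listed in the `ls -l` request.

```shell
#!/bin/sh
# Added example (not from the thread). Paths follow the certbot config layout
# listed in the post above; the *.example.test names are constructed.

# Print each path that still exists for lineage $2 under config dir $1.
lineage_leftovers() {
    for p in "$1/archive/$2" "$1/live/$2" "$1/renewal/$2.conf"; do
        # -L also catches a dangling symlink, which -e reports as absent
        if [ -e "$p" ] || [ -L "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# clean = nothing left, intact = all three present, partial = needs a look.
lineage_state() {
    case $(lineage_leftovers "$1" "$2" | wc -l | tr -d ' ') in
        0) echo clean ;;
        3) echo intact ;;
        *) echo partial ;;
    esac
}

# List the files among $2.. that still mention cert name $1 (e.g. a cron
# entry or script that would keep running "renew --cert-name <name>").
stale_references() {
    name=$1; shift
    grep -lF -e "$name" -- "$@" 2>/dev/null
}

# Build a constructed tree and print "<name> <state>" for three lineages.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/archive/active.example.test" "$root/live/active.example.test" \
             "$root/archive/half.example.test" "$root/renewal"
    : > "$root/renewal/active.example.test.conf"
    for n in revoked.example.test half.example.test active.example.test; do
        echo "$n $(lineage_state "$root" "$n")"
    done
    rm -rf "$root"
}

# Stand-alone use: sh lineage_check.sh /etc/letsencrypt NAME
if [ $# -eq 2 ]; then
    lineage_state "$1" "$2"
    lineage_leftovers "$1" "$2"
fi
```

A `partial` result right after a revoke is the state worth capturing before the next renewal run; a non-empty `stale_references` result points at the job that still names the deleted certificate.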
Or when you no longer control the domain (like if a hosting customer has moved to another company).
Thank you. This situation is like a subscription service. When a customer drops the subscription, the domain name is dropped by my client. What I wanted to prevent is someone claiming that domain name and doing something with that letsencrypt certificate. That scenario, I believe, is not likely; however, I was erring on the side of an overabundance of caution. The operative part is that we do not control the domain anymore, so do you agree that the right procedure is to revoke?
Well, my interpretation is that section 3.2 of the Subscriber Agreement requires it.
Aside from that, I don’t have extremely strong feelings about it – when people move services, usually the old company isn’t massively evil or out to get them – but revoking is tidier and more responsible, and it’s good when people want to do right by former customers.
I see 2 issues have come up. 1) is do either a revoke or a delete? Unless directed otherwise, I will be revoking them. See the posts in the thread about this. 2) I see the message in the email I get from the cron renewal job. I do not believe it shows up in the logs. I am going to wait until I have another example to show what is happening now. But, the tentative description of the issue is that revoke may not clean up all the things that it should. I need to check all the entries under ls -l /etc/letsencrypt/ for a domain after I revoke the cert. It may turn out that when the renew process sees a
No certificate found with name drjacobsadighonline.com (expected /etc/letsencrypt/renewal/drjacobsadighonline.com.conf).
an error like this, it fixes the problem and continues. It writes the entry in the email, and not the log.
"show the cron job": See the September 3 post above, that begins with "I did not create my own version."
I have a cron job that does maintenance. It requests new certs and revokes old.
The renewal job runs on a timer, at different times. I was hoping I could catch the state of the files after a revoke and before the renewal ran. It did not work, so I added a step after it does the revokes. Instead of Linux ls, I am using PHP glob. See snippet below. As soon as I see a revoke, I will include the output here. I will help in any way I can. If you want to private message me, that’s fine.