Revoking only affected certificates

Hello,

Due to the 2020.02.29 CAA Rechecking Bug, we need to renew affected certificates.
We received the affected certificates list within the email.

We are hosting hundreds of domains and we would like to renew only the affected certificates.
Indeed we cannot issue the certbot renew command globally, since some certs fail to renew.

Our certificates basically contain the main domain and all subdomains or aliases.

Can you provide a shell script that can parse the email and return a list of main domains, so we could use the command:
certbot renew --cert-name <cert-name>

I guess you can write a script: use the proper openssl command to get the serial number of your certs, compare them with the affected list, and only renew the affected certs.

Instructions are here: Revoking certain certificates on March 4

1 Like

At least in all cases, it’s not possible to just parse the email to determine the cert name you need to give to Certbot. You’ll need to compare the list in the emails with the certificates on your server.

Running code like this (as root) may help with that though:

for cert in /etc/letsencrypt/live/*/cert.pem; do
    # the directory name under live/ is the value Certbot wants for --cert-name
    certname="certname=$(basename "$(dirname "$cert")")"
    # openssl prints "serial=<HEX>", the form to compare with the serials in the email
    serial="$(openssl x509 -in "$cert" -serial -noout)"
    echo "$certname; $serial"
done

It will output the name you have to give Certbot as well as the serial number of the certificate which you could compare with the serial numbers in the email.

When you actually go to run Certbot, your command should look like:

certbot renew --cert-name <cert-name> --force-renewal

Without --force-renewal, Certbot may not renew the certificate depending on its expiration.

4 Likes
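The comparison the reply above describes, carried through to the renewal command, as an added example; this is not the original poster's, the replier's, or Certbot's own code. It assumes the affected list from the email has been saved to a text file and that any run of hex digits in it, with or without colon separators, is a serial number. The Certbot live/ layout (`<live>/<cert-name>/cert.pem`), `openssl x509 -serial` and `certbot renew --cert-name ... --force-renewal` are real; the list excerpt and the self-signed demo certificates at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot: find the Certbot
# --cert-name values whose certificate serial appears in a saved affected list.
# Assumed (hypothetical) inputs: $1 is the text file with the affected list,
# $2 (optional) is the live/ directory, default /etc/letsencrypt/live.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Normalize a serial so "03:ab:..." from the email and "03AB..." from openssl
# compare equal: drop colons and whitespace, uppercase, strip leading zeros.
normalize_serial() {
    printf '%s\n' "$1" | tr -d ': \t\r' | tr '[:lower:]' '[:upper:]' | sed 's/^0*//'
}

# Pull every serial-looking token out of the list file, one normalized per line.
# Assumption: serials appear either as colon-separated byte pairs or as a bare
# hex run of at least 20 digits (Let's Encrypt serials are 36 hex digits).
affected_serials() {
    grep -oE '([0-9A-Fa-f]{2}:){8,}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{20,}' "$1" \
        | while IFS= read -r s; do normalize_serial "$s"; done \
        | sort -u
}

# Print the cert-name of every certificate under the live dir whose serial is
# on the affected list. The directory name under live/ is what --cert-name wants.
affected_cert_names() {
    list="$1"; live="${2:-$LIVE_DIR}"
    wanted="$(affected_serials "$list")"
    for cert in "$live"/*/cert.pem; do
        [ -e "$cert" ] || continue    # glob matched nothing
        name="$(basename "$(dirname "$cert")")"
        serial="$(openssl x509 -in "$cert" -serial -noout | cut -d= -f2)"
        [ -n "$serial" ] || { echo "warning: no serial read from $cert" >&2; continue; }
        serial="$(normalize_serial "$serial")"
        if printf '%s\n' "$wanted" | grep -qxF "$serial"; then
            printf '%s\n' "$name"
        fi
    done
}

# Print (or, with RUN=1, execute) the renewal command for each affected cert.
# --force-renewal is needed: certbot renew skips certs that are not near expiry.
renew_affected() {
    affected_cert_names "$@" | while IFS= read -r name; do
        if [ "${RUN:-0}" = 1 ]; then
            certbot renew --cert-name "$name" --force-renewal
        else
            printf 'certbot renew --cert-name %s --force-renewal\n' "$name"
        fi
    done
}

# --- constructed demo data, so the matching can be exercised offline ---------

# A throwaway live/ tree with two self-signed certs whose serials we choose;
# only the first one appears in the demo list below.
make_demo_live() {
    live="$(mktemp -d)"
    for spec in "example.com:0x03AB12CD34EF56AB12CD34EF56AB12CD34EF" \
                "other.example.org:0x04FE0011223344556677889900AABBCCDDEE"; do
        name="${spec%%:*}"; serial="${spec##*:}"
        mkdir -p "$live/$name"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -set_serial "$serial" -keyout "$live/$name/privkey.pem" \
            -out "$live/$name/cert.pem" >/dev/null 2>&1
    done
    printf '%s\n' "$live"
}

# Constructed excerpt in the shape of a notification; not the real email text.
write_demo_list() {
    cat <<'EOF'
The following certificates issued to your account are affected:
example.com
    Serial: 03:ab:12:cd:34:ef:56:ab:12:cd:34:ef:56:ab:12:cd:34:ef
unrelated.example.net
    Serial: 05:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
EOF
}

if [ "$#" -ge 1 ]; then
    renew_affected "$@"
fi
```

Run as `sh affected-certs.sh affected.txt` (as root, so it can read cert.pem) to print one `certbot renew --cert-name ... --force-renewal` line per matching certificate; review that list, then set `RUN=1` to execute it. The demo helpers build a live/ tree under mktemp with certificates whose serials are fixed via `-set_serial`, so the matching can be checked against known data before the script is pointed at /etc/letsencrypt/live.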