What if renew fails

Hello, the community! I hope you feel good.

I’m building a website builder. I issue new certificates for each client’s domain.

Some clients leave my service and change their DNS, therefore their certificates can not more be renewed from my side.

My question is: what happens if a ‘renew’ attempt fails for many times? Am I bothering the Let’s Encrypt servers by asking to renew the certificates which are actually not in use anymore? If yes, how do I properly remove the ‘renew’ calls?

I’m using certbot for nginx.

Thanks a lot for your attention and replies! :grinning:

Hi @alexanderisora

read

You will hit the failed validation limit, that blocks your account.

That’s the wrong way.

Add a precheck to see, if the DNS is correct. If not, don’t start a renew.

2 Likes

Not much happens. If you’re running “certbot renew” twice a day at random times, you won’t encounter the Failed Validations rate limit (5 per hour).

If you’re trying to renew hundreds of certificates, you may hit the New Orders rate limit. That would be a problem for you.

Well, yes. It might generate about a dozen HTTP requests per certificate per day to Let’s Encrypt’s systems. They’re not going to stop you if you’re only generating a normal amount of traffic, but it’s still good not to waste resources.

You can manually run “sudo certbot delete --cert-name example.com” to delete a certificate, but Certbot doesn’t have an automated, built-in way to manage this.

If you want to handle it manually, you could set up some kind of monitoring for Certbot, watch for failed renewals, and take action after a few weeks. Or you could run “sudo certbot certificates” every few weeks and look over the output.

As your service grows, you might want to switch to another ACME client, though I’m not sure which one to recommend. Or build your own. I’m not saying Certbot is a bad client, but it’s not designed for large-scale, automated lifecycle management, and you’ll have to build your own scaffolding around it.

By the way, have you read the integration guide?

1 Like

Thank you very much, guys @mnordhoff @JuergenAuer !

I’ve listed all my existing certificates and deleted the expired ones. I will from now on delete the certificate right after my client deleted their website.

Have a great day! :grinning:

2 Likes

@JuergenAuer @mnordhoff Um. Actually guys, your advice just resulted in 50 mins of downtime and a ton of adrenaline in my blood :grinning:

When I delete a cert with the certbot command, the nginx then starts missing the certificate file and throws a status check error:

nginx[16934]: nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/domain.com/fullchain.pem") failed (SSL: error:020010

What I did is commented the deleted certificates in cd /etc/nginx/sites-enabled && sudo nano default.

I must have missed something because commenting a certificate config in the file after the deletion command is a very inconvenient experience. Any thoughts? :slightly_smiling_face:

Deleting files that are used by webservers isn’t a good idea.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.