I’m building a website builder. I issue new certificates for each client’s domain.
Some clients leave my service and change their DNS, therefore their certificates can no longer be renewed from my side.
My question is: what happens if a ‘renew’ attempt fails many times? Am I bothering the Let’s Encrypt servers by asking to renew certificates which are actually not in use anymore? If yes, how do I properly remove the ‘renew’ calls?
Not much happens. If you're running "certbot renew" twice a day at random times, you won't encounter the Failed Validations rate limit (5 per hour).
If you're trying to renew hundreds of certificates, you may hit the New Orders rate limit. That would be a problem for you.
Well, yes. It might generate about a dozen HTTP requests per certificate per day to Let's Encrypt's systems. They're not going to stop you if you're only generating a normal amount of traffic, but it's still good not to waste resources.
You can manually run "sudo certbot delete --cert-name example.com" to delete a certificate, but Certbot doesn't have an automated, built-in way to manage this.
If you want to handle it manually, you could set up some kind of monitoring for Certbot, watch for failed renewals, and take action after a few weeks. Or you could run "sudo certbot certificates" every few weeks and look over the output.
As your service grows, you might want to switch to another ACME client, though I'm not sure which one to recommend. Or build your own. I'm not saying Certbot is a bad client, but it's not designed for large-scale, automated lifecycle management, and you'll have to build your own scaffolding around it.
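The "run certbot certificates every few weeks and look over the output" approach from the answer above can be scripted. The following is an added example and not code from the original thread or from Certbot itself. It parses the output of "certbot certificates", picks out the certificates Certbot marks as "(INVALID: EXPIRED)" (a certificate that has been failing renewal for a few weeks ends up in that state), and refuses to delete any whose /etc/letsencrypt/live/<name>/ path is still referenced by an nginx config, so you remove the server block first and the certificate second. The sample Certbot output embedded in the script is constructed for the example; the "Certificate Name:", "Expiry Date:" and "(INVALID: EXPIRED)" labels are assumed to match what your Certbot version prints, so check that against real output before relying on it. Deletion is dry-run by default (DRY_RUN=1); set DRY_RUN=0 to actually run "certbot delete".

```shell
#!/bin/sh
# Added example (not from the original post): clean up expired Certbot certificates
# that are no longer referenced by nginx. Dry-run unless DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}

# Constructed sample of `certbot certificates` output (not real data). On a real
# host pass "$(certbot certificates 2>/dev/null)" to the functions instead.
SAMPLE_CERTBOT_OUTPUT='Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: active.example
    Serial Number: 0123456789abcdef
    Key Type: ECDSA
    Domains: active.example www.active.example
    Expiry Date: 2031-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/active.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/active.example/privkey.pem
  Certificate Name: old-client.example
    Serial Number: fedcba9876543210
    Key Type: ECDSA
    Domains: old-client.example
    Expiry Date: 2020-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old-client.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old-client.example/privkey.pem
  Certificate Name: still-referenced.example
    Serial Number: 0f0f0f0f0f0f0f0f
    Key Type: ECDSA
    Domains: still-referenced.example
    Expiry Date: 2020-06-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/still-referenced.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/still-referenced.example/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -'

# Print the names of certificates Certbot marks as expired, one per line.
# $1: text of `certbot certificates` output. Assumes the "Certificate Name:" and
# "Expiry Date: ... (INVALID: EXPIRED)" labels used by Certbot.
expired_cert_names() {
    printf '%s\n' "$1" | awk '
        /^ *Certificate Name:/ { name = $3 }
        /^ *Expiry Date:/ && /INVALID: EXPIRED/ { print name }
    '
}

# Succeed if any file under nginx config dir $2 still references certificate $1.
# A missing directory simply counts as "not referenced".
cert_referenced_by_nginx() {
    grep -rqF "/etc/letsencrypt/live/$1/" "$2" 2>/dev/null
}

# For each expired certificate print "delete <name>" or "keep <name> (...)".
# $1: certbot output, $2: nginx config dir (e.g. /etc/nginx/sites-enabled)
plan_cleanup() {
    for name in $(expired_cert_names "$1"); do
        if cert_referenced_by_nginx "$name" "$2"; then
            echo "keep $name (still referenced in $2; remove the server block first)"
        else
            echo "delete $name"
        fi
    done
}

# Carry out the "delete" lines of the plan. Prints the command in dry-run mode.
run_cleanup() {
    plan_cleanup "$1" "$2" | while read -r action name rest; do
        [ "$action" = delete ] || continue
        if [ "$DRY_RUN" = 0 ]; then
            certbot delete --cert-name "$name" --non-interactive
        else
            echo "would run: certbot delete --cert-name $name"
        fi
    done
}

# Demo against the constructed sample; RUN_DEMO=0 to only load the functions.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    plan_cleanup "$SAMPLE_CERTBOT_OUTPUT" "${NGINX_DIR:-/etc/nginx/sites-enabled}"
fi
```

Only certificates that have already expired are touched, which is the "take action after a few weeks" window the answer suggests: a certificate that still renews never shows up as INVALID: EXPIRED, and one that failed renewal because the client moved their DNS reaches that state roughly 30 days after its last successful renewal. Once the cleanup is in place, the cron entry for "certbot renew" can stay as it is; with no renewal config left for the deleted certificate, Certbot stops contacting Let's Encrypt for it.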
I’ve listed all my existing certificates and deleted the expired ones. From now on I will delete the certificate right after a client deletes their website.
What I did was comment out the deleted certificates in "cd /etc/nginx/sites-enabled && sudo nano default".
I must have missed something, because commenting out a certificate's config in the file after the deletion command is a very inconvenient experience. Any thoughts?