I noticed certbot shows errors in /var/log/syslog:

Code:
Jan 23 12:18:22 web systemd[1]: Starting Certbot...
Jan 23 12:18:27 web certbot[9940]: Attempting to renew cert from /etc/letsencrypt/renewal/removedsite.fi.conf produced an unexpected error: Failed authorization procedure. www.removedsite.fi (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.removedsite.fi/.well-known/acme-challenge/BX4nf0DJ-pzeo2d-kbE2kupwvLhhwV_jDK0jZGlaF2o: "<!DOCTYPE html>\n<html id=\"XF\" lang=\"fi-FI\" dir=\"LTR\"\n\tdata-app=\"public\"\n\tdata-template=\"forum_list\"\n\tdata-container-key=\"\"\n\tdata", removedsite.fi (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://removedsite.fi/.well-known/acme-challenge/uxr-4NaB18SFN-F5ltTApf2NlFLg07Qhg7haqiRJry0: "<!DOCTYPE html>\n<html id=\"XF\" lang=\"fi-FI\" dir=\"LTR\"\n\tdata-app=\"public\"\n\tdata-template=\"forum_list\"\n\tdata-container-key=\"\"\n\tdata". Skipping.

This removedsite.fi (name changed) was moved away from this server. I have unticked "Active" in the website settings, and now I have unticked "SSL" and "Let's Encrypt" also. This does not remove the site from the /etc/letsencrypt/* directories. I think it should, so certbot does not show errors in the logs. Can I manually remove all of its files from letsencrypt?

Code:
root@web:/etc/letsencrypt# find . -name '*removedsite*'
./renewal/removedsite.fi.conf
./live/removedsite.fi
./archive/removedsite.fi
I agree that we should add an option in ISPConfig server settings so the admin can choose whether he wants to remove an LE cert when the site gets deleted or not. We did not remove certs in the first place as other services might be using them too. Yes
I noticed this issue today. I can see many, many unused domains in /etc/letsencrypt/live which I have deactivated/removed in ISPConfig, and that aren't used anywhere else, only on this webserver itself. In addition I have more than 24'000 files in /etc/letsencrypt/keys and certbot is logging 31 renew failures. What is the recommended way to clean all this up and get rid of the error messages and the no longer used domains that have been created by ISPConfig?
Thanks for the fast feedback. This is quite cumbersome as the users can create and delete websites on their own and there is no way for me to track (e.g. a log when a website gets deleted in ISPConfig) when something got removed. So I will try to clean it up manually. I can see that for certain domains there are even multiple entries like:

/etc/letsencrypt/live/example.com
/etc/letsencrypt/live/example.com-0001
/etc/letsencrypt/live/example.com-0002
/etc/letsencrypt/live/example.com-0003
etc...

Is only the LAST of these active? Is there a way to get a list of the ACTIVE certbot entries from ISPConfig? That may help to create a simple script for the clean-up process.
Check the symlink to see which is active. PROBABLY the last one:

Code:
ls -lah /var/www/example.net/ssl/

Use this command:

Code:
certbot delete --cert-name example.net
certbot delete --cert-name example.net-0001
Thanks @elmacus, I used the certbot delete command and selected the domains that showed up as failed in the certbot renewal log file. @till, when do the links in /var/www/example.net/ssl/ get removed? As I can see, for some subdomain (!) vhosts that I deleted a while ago there are still links in the ssl subdir. By the way, the files in /etc/letsencrypt/keys and /etc/letsencrypt/csr can all be deleted and are not needed by certbot, as it keeps all needed data in /etc/letsencrypt/archive.
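As an added example tying the two answers above together (not code from this thread, from ISPConfig or from certbot): it reads the lineage each /var/www/<site>/ssl symlink points at, as the ls -lah check above does by eye, lists the renewal configs that no symlink references, and prints the matching certbot delete commands for review instead of running them. It assumes ISPConfig links into /etc/letsencrypt/live/<lineage>/ and lets LE_DIR and WWW_DIR be overridden so it can be tried on a copy first.

```sh
#!/bin/sh
# Added example, not code from the thread or from ISPConfig/certbot.
# Lists certbot lineages (renewal/<name>.conf) that no ISPConfig vhost
# ssl directory under /var/www still points at, and prints the matching
# "certbot delete --cert-name" lines for review. Nothing is deleted here.
# Assumption: ISPConfig links /var/www/<site>/ssl/<file> to
# /etc/letsencrypt/live/<lineage>/..., as the thread describes.
LE_DIR="${LE_DIR:-/etc/letsencrypt}"
WWW_DIR="${WWW_DIR:-/var/www}"

# Lineage names that some vhost ssl symlink still resolves into.
active_lineages() {
    find "$WWW_DIR" -mindepth 3 -maxdepth 3 -path '*/ssl/*' -type l 2>/dev/null |
    while IFS= read -r link; do
        target=$(readlink "$link") || continue
        case "$target" in
            "$LE_DIR"/live/*)
                rest=${target#"$LE_DIR"/live/}   # strip ".../live/"
                printf '%s\n' "${rest%%/*}" ;;   # keep the lineage dir name
        esac
    done | sort -u
}

# Lineages with a renewal config but no symlink pointing at them
# (deleted sites, and the -0001/-0002 duplicates of re-issued certs).
stale_lineages() {
    active=$(active_lineages)
    for conf in "$LE_DIR"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        printf '%s\n' "$active" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Cleanup commands for the admin to review before running them as root.
delete_commands() {
    stale_lineages | while IFS= read -r name; do
        printf 'certbot delete --cert-name %s\n' "$name"
    done
}

if [ "${1:-}" = "--print" ]; then delete_commands; fi
```

Run it with --print on the web server, check the list against the vhosts you expect to be gone, and only then paste the commands; a lineage a still-active subdomain vhost links to will not appear.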
Thanks for the feedback. To track the two problems I have created two issues in GitLab:

- Delete Lets Encrypt / certbot data of delete domains
- Delete SSL directory references for vhost subdomains