Sometimes the Let's Encrypt certificates were not renewed. I have created this script to warn on expired certificates. It works by parsing results from /root/.acme.sh/acme.sh, which is part of the LE install inside ISPC.

The script here is named certs_expired.sh, to be placed inside /root: /root/certs_expired.sh

It is executed with a daily cron.

Code:
#!/bin/bash
#
# Email Warning with expired LE certs
#
# Daily cron. Example:
# 30 10 * * * /root/certs_expired.sh > /dev/null 2>&1
#

# get root email
ESTEHOST=`hostname`
email="root@$ESTEHOST"

# list certificates: column 1 is the domain, column 6 the date (time part dropped)
PRE1=`/root/.acme.sh/acme.sh --list | awk '{print $1" " $6}' | tr 'T' ' '`;
# join as domain_date and skip the header row
LISTADOM=`echo "$PRE1" | awk '{print $1"_"$2}' | awk 'NR - 1'`

# check domains
for DOM in $LISTADOM
do
    # extract date
    pfecha=${DOM#*_}
    fexpira=`date --date="$pfecha" '+%s'`
    # get number of days
    fhoy=`date '+%s'`
    f_diff=`expr $fexpira - $fhoy`
    fdias=`expr $f_diff / 86400`
    # check expired
    if [[ $fdias -lt 0 ]]; then
        DOMCAD=" $DOM $fdias days"
        DOMCAD=${DOMCAD/_/:}
        LISTCAD="$LISTCAD\n$DOMCAD"
        ENVMAIL="si"
    fi
done

# $LISTCAD contains the list of expired certificates
# echo -e $LISTCAD

# send email with expired domains
if [[ $ENVMAIL == "si" ]]; then
    echo -e "Expired LE Certificates:\n\n$LISTCAD \n" | mail -s "WARNING LE: expired certificates" $email
fi

Example email received:

Code:
Expired LE Certificates:

 domain1.com:2023-03-25 -4 days
 domain2.com:2023-03-29 -8 days

Hope it can be useful in case of a similar problem.
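An added example, not part of the original post: a variant of the check above that warns before the date passes instead of after, and reports rows that carry no date at all. It assumes the `|`-separated layout that `acme.sh --list --listraw` prints; the `certs_due` function name, the sample rows and the 30-day threshold are constructed for illustration.

```shell
#!/bin/bash
# Added example (not the poster's script).
# Prints every certificate row whose Renew date is already past or falls
# within WARN_DAYS of a reference time, plus rows with a missing/bad date.

# Constructed sample rows in the assumed "|"-separated layout.
SAMPLE_ROWS='Main_Domain|KeyLength|SAN_Domains|CA|Created|Renew
domain1.com|"2048"|www.domain1.com|LetsEncrypt.org|2023-01-24T10:00:00Z|2023-03-25T10:00:00Z
domain2.com|"ec-256"|no|LetsEncrypt.org|2023-02-20T10:00:00Z|2023-04-21T10:00:00Z
domain3.com|""|no|LetsEncrypt.org||
domain4.com|"2048"|no|LetsEncrypt.org|2023-03-20T10:00:00Z|2023-05-19T10:00:00Z'

# usage: certs_due WARN_DAYS [NOW_EPOCH] < rows
certs_due() {
    local warn_days="$1" now="${2:-$(date +%s)}"
    local domain keylen san ca created renew ts renew_ts days
    while IFS='|' read -r domain keylen san ca created renew; do
        [ "$domain" = "Main_Domain" ] && continue   # header row
        [ -z "$domain" ] && continue                # blank line
        if [ -z "$renew" ]; then
            # no date recorded: worth a warning of its own
            echo "$domain: no renew date recorded"
            continue
        fi
        # 2023-03-25T10:00:00Z -> "2023-03-25 10:00:00", parsed as UTC
        ts=$(printf '%s' "${renew%Z}" | tr 'T' ' ')
        if ! renew_ts=$(date -u -d "$ts" +%s 2>/dev/null); then
            echo "$domain: unparseable renew date '$renew'"
            continue
        fi
        # whole days until the renew date; negative means it has passed
        days=$(( (renew_ts - now) / 86400 ))
        if [ "$days" -le "$warn_days" ]; then
            echo "$domain: renew date ${renew%%T*} ($days days)"
        fi
    done
}

# Demo on the constructed rows, with the clock fixed at 2023-04-01 UTC.
printf '%s\n' "$SAMPLE_ROWS" | certs_due 30 "$(date -u -d '2023-04-01 00:00:00' +%s)"
```

On a server the rows would come from acme.sh itself instead of `SAMPLE_ROWS`, and any non-empty output can be piped to `mail` as in the script above.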
Agreed. But there is already an email sent for that purpose by LE, if you already set the email correctly.
The email was previously normally set up by ISPConfig installer (not sure auto installer) only during install via certbot certonly command for server LE SSL certs i.e. [email protected]. My quick check on the code both at ISPConfig installer (lib) and autoinstaller, both surprisingly revealed that the email was not set up during any of that process except only for the above mentioned. Another quick look at the ISPConfig Perfect Server tutorials also reveals the same, i.e. no instructions to set email for Let's Encrypt notification on this very important reminder.

Thus wise, I think the best way for the server admins is to update their ISPConfig servers' Let's Encrypt email via the following command:

For certbot:

Code:
certbot update_account --email [email protected]

For acme.sh:

Code:
acme.sh --update-account --accountemail [email protected]

For the developers (@till, @Th0m, @ztk.me, @Jesse Norell), I would suggest that this will at least be added to the auto installer and the ISPConfig Perfect Server tutorials for at least 5 years back to help the new users to set this up right upon ISPConfig install.
The email address gets set when the SSL cert is requested per cert when using certbot, so no need to set this at install time for certbot. But it seems this has not been implemented for acme.sh as acme.sh does not support this. So we might indeed have to set this at install time for acme.sh.