Removing site does not remove it from certbot

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Jan 23, 2019.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I noticed certbot shows errors in /var/log/syslog:
    Code:
    Jan 23 12:18:22 web systemd[1]: Starting Certbot...
    Jan 23 12:18:27 web certbot[9940]: Attempting to renew cert from /etc/letsencrypt/renewal/removedsite.fi.conf produced an unexpected error: F
    ailed authorization procedure. www.removedsite.fi (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Inva
    lid response from http://www.removedsite.fi/.well-known/acme-challenge/BX4nf0DJ-pzeo2d-kbE2kupwvLhhwV_jDK0jZGlaF2o: "<!DOCTYPE html>\n<html i
    d=\"XF\" lang=\"fi-FI\" dir=\"LTR\"\n\tdata-app=\"public\"\n\tdata-template=\"forum_list\"\n\tdata-container-key=\"\"\n\tdata", removedsite.f
    i (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://removedsite.fi/.well-kn
    own/acme-challenge/uxr-4NaB18SFN-F5ltTApf2NlFLg07Qhg7haqiRJry0: "<!DOCTYPE html>\n<html id=\"XF\" lang=\"fi-FI\" dir=\"LTR\"\n\tdata-app=\"p
    ublic\"\n\tdata-template=\"forum_list\"\n\tdata-container-key=\"\"\n\tdata". Skipping.
    This removedsite.fi (name changed) was moved away from this server. I have unticked the Active in website settings. And now I unticked the SSL and Let's Enrypt also.
    This does not remove the site from /etc/letsencrypt/* directories. I think it should, so certbot does not show errors in the logs.
    Can I remove manually all files from letencrypt?
    Code:
    [email protected]:/etc/letsencrypt# find . -name *removedsite*
    ./renewal/removedsite.fi.conf
    ./live/removedsite.fi
    ./archive/removedsite.fi
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I agree that we should add an option in ISPConfig server settings so the admin can choose whether he wants to remove an LE cert when the site gets deleted or not. We did not remove certs in the first place as other services might be using them too.

    Yes
     
  3. KoS

    KoS Member HowtoForge Supporter

    I noticed this issue today. I can see many many unused domains in /etc/letsencrypt/live which I have deactive/removed in ISPconfig, and that aren't used anywhere else as only on this webserver itself.
    In addition i have more than 24'000 files in /etc/letsencrypt/keys and certbot is logging 31 renew failures.
    What is the recommended way to clean all this up and get rid of error messages and no longer used domains that have been created by ISPconfig?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Use certbot command to remove certs that you don't need anymore.
     
  5. KoS

    KoS Member HowtoForge Supporter

    Thanks for the fast feedback.
    This is quite cumbersome as the users can create and delete websites on their own and there is no way for me to track (e.g. a log when a website gets deleted in ISPconfig) when something got removed.
    So I will try to clean it up manually.
    I can see that for certain domains there are even multiple entries like:
    /etc/letsencrypt/live/example.com
    /etc/letsencrypt/live/example.com-0001
    /etc/letsencrypt/live/example.com-0002
    /etc/letsencrypt/live/example.com-0003
    etc...
    Is only the LAST of these active?
    Is there a way to get a list of the ACTIVE certbot entries from ISPconfig? That may help to create a simple script for the clean-up process.
     
  6. elmacus

    elmacus Active Member HowtoForge Supporter

    Check symlink to see which is active. PROBABLY the last one:
    Code:
    ls -lah /var/www/example.net/ssl/
    Use this command:
    Code:
    certbot delete --cert-name example.net
    certbot delete --cert-name example.net-0001
     
    till likes this.
  7. KoS

    KoS Member HowtoForge Supporter

    Thanks @elmacus
    I used the certbot delete command and selected the domains that showed up as failed in the certbot renewal log file.

    @till
    when do the links in /var/www/example.net/ssl/ get removed? as i can see for some subdomain (!) vhosts that i deleted a while ago, there are still the links in the ssl-subdir.

    btw, the files in /etc/letsencrypt/keys and /etc/letsencrypt/csr can all be deleted and are not needed by certbot as it keeps all needed data in /etc/letsencrypt/archive
     
    elmacus likes this.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Thye don't get removed unless you delete the website.
     
  9. KoS

    KoS Member HowtoForge Supporter

    elmacus likes this.

Share This Page