Let's Encrypt did not update automatically

Is it useful to implement certbot automations?
Currently the package delivered comes from the distro maintainer, not the package maintainer/developer…

I do not know: if we add a simple certbot renew inside a cronjob for everyone, it will also renew unused certs. I’m open to better ideas.

I do not think so, for the same reason I’ve written above.

Is it an issue?

If so, it could act on new items only, preserving the current behavior on existing items.

Yes it is, because you can reach LE rate limiting if old certificates contain unused domains.

I didn’t find how to instruct certbot doing so. :man_shrugging:

Not if you’re running a daily cronjob. There is a rate limit for failed authorizations, but it’s five failures/hour/account/hostname. But, of course, an admin should be deleting certs that are no longer in use.

2 Likes

NO. It is NOT a bug to have the possibility to have different LE certificates for different web server web sites. It is totally ridiculous to define this important feature and standard behaviour in web servers a bug.

The only bug is that not all active certificates are renewed.
There should be one standard certificate but unlimited other certificates for apache sites or reverse proxies. This is already working perfectly apart from the only small bug, that not all certificates are renewed. The solution is also trivial: just call “certbot --renew”. Old invalid certificates could be deleted after some time or let the user delete them manually (which is missing also currently).

2 Likes

I agree with you. However, what I could not believe is that when removing domain specific certificates via the cockpit GUI, the certificates in /etc/letsencrypt are not completely deleted. At the next certbot renew the cronjob generates an error and you have to delete them manually.

1 Like

Ok. Then there are two (minor) bugs.

  1. Not all certificates are renewed. Solution: “certbot renew” instead of complicated old script
  2. Deletion of certificates in cockpit has to delete certificates in /etc/letsencrypt also.

Just thinking, I could be wrong, but couldn’t we add something like an if statement pointing to host file or something to determine if the domain would be in use and give a warning, and maybe have a tick box next to Let’s Encrypt cert in cockpit asking if you want to issue a cron job auto renew?

It is much simpler: The user can and should decide which certificates he needs and delete those he doesn’t want to use any more.

The single automatic cronjob should prolong all certificates (certbot --renew).
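
The post above about certificates removed in the GUI but left behind in /etc/letsencrypt describes lineages that make the next `certbot renew` fail. The following is an added example, not code from the thread or the project: a pre-renewal check that lists such lineages. It assumes certbot's usual layout, where each `renewal/NAME.conf` holds `cert =`, `privkey =`, `chain =` and `fullchain =` lines pointing into `live/NAME/`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report certbot lineages whose renewal config points at files
# that no longer exist, so they can be removed before `certbot renew` runs.

# find_stale_lineages DIR
# Prints the name of every DIR/*.conf that references a missing
# cert, privkey, chain or fullchain file.
find_stale_lineages() {
    renewal_dir=$1
    for conf in "$renewal_dir"/*.conf; do
        [ -e "$conf" ] || continue          # directory had no .conf files
        stale=0
        while IFS= read -r line; do
            case $line in
                cert\ =*|privkey\ =*|chain\ =*|fullchain\ =*)
                    path=${line#*= }        # text after "key = "
                    # -e follows symlinks, so a dangling live/ link counts
                    [ -e "$path" ] || stale=1
                    ;;
            esac
        done < "$conf"
        if [ "$stale" -eq 1 ]; then
            basename "$conf" .conf
        fi
    done
}

# make_sample: build a constructed tree (not real data) with one intact
# lineage and one whose live/ directory was removed; prints its root.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/renewal" "$root/live/www.example.org"
    for name in www.example.org old.example.org; do
        for f in cert privkey chain fullchain; do
            echo "$f = $root/live/$name/$f.pem"
        done > "$root/renewal/$name.conf"
    done
    for f in cert privkey chain fullchain; do
        : > "$root/live/www.example.org/$f.pem"
    done
    echo "$root"
}

sample=$(make_sample)
find_stale_lineages "$sample/renewal"
rm -rf "$sample"
```

On a real host the argument would be `/etc/letsencrypt/renewal`; a reported lineage can then be removed with `certbot delete --cert-name NAME`.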