Renewal failure should include instructions to remove lineage #8542
Comments
I'm hesitant to do something like this because the only other advice we (will) print is "go ask on the forums, try -v or check in /var/log/letsencrypt". What I'm afraid of is that a user will reach for If
Do you mean between mid-June and September? Did you change where you installed Certbot from? Maybe there was some change in One more aside: I had no idea Certbot saved keys and CSRs to disk earlier than the order finalization stage. That's a bit unfortunate given there's no automatic cleanup. #4635.
This is a good point. Perhaps "if you no longer control this domain, do X." But I recognize there's still a risk people do that unthinking.
Yep! Though I happened to know I should run
I mean from Dec 7 to Dec 15, I have two keys per day in /etc/letsencrypt/keys, but in the logs directory, in the month of December, I only have logs for Dec 5, Dec 14 and Dec 15.
Aren't there 1001 ways a renewal can fail? Not owning a domain any longer is just one of many possible reasons.
This is a good point. Perhaps a more useful thing would be for Certbot to try and convey "here are the N lineages you have that have been failing for >50 days; you might want to delete them."
A certificate can also fail because one out of many hostnames is failing due to e.g. loss of ownership. It would be careless to delete the whole certificate because of that, using Therefore, I believe any generic "hint" might not actually encompass all the possible reasons the certificate might fail. Also, I'm not seeing many threads on the Community regarding such issues (failing certs b/c loss of ownership). I'm inclined to believe this isn't a very big issue for most users. And with that, I think it doesn't warrant adding warnings/hints which might lead the user into acting the wrong way for a whole different issue to certbot.
It looks to me like Certbot's internal log rotation is disabled (maybe because you previously had the Certbot As I understand it, a side-effect of this is that multiple invocations of Certbot will keep appending to
Ah, excellent point! I did in fact previously have the I'm satisfied on both counts here, so closing.
I logged onto my personal web server, and noticed that I had 1600 keys in /etc/letsencrypt/keys, two every day for the last many days. I checked /var/log/letsencrypt/ and I think the root cause is that I had a lineage listed for a domain I no longer own. I was able to figure that out pretty quickly from the logs:
But it took a little reading to remember how to remove that lineage so it's no longer retried. It would be helpful for the log output to say "To delete this, run XXX".
As an aside: It looks like I'm missing some logs?
Version
certbot 1.11.0.dev0
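The symptom reported above (two new keys every day in /etc/letsencrypt/keys because a lineage keeps being retried and failing) can be spotted from the key directory alone. The following is an added example, not Certbot's own code: it groups key files by the day they were written and flags a sustained run of multi-key days. It assumes Certbot names the files `NNNN_key-certbot.pem` and uses a constructed file listing rather than a live directory.

```python
import os
from collections import Counter
from datetime import datetime, timezone

KEYS_DIR = "/etc/letsencrypt/keys"   # Certbot's key directory, as named in the issue

def keys_per_day(entries):
    """Count Certbot key files (NNNN_key-certbot.pem, assumed naming) per UTC day.
    entries: iterable of (filename, mtime_epoch_seconds)."""
    counts = Counter()
    for name, mtime in entries:
        if not name.endswith("_key-certbot.pem"):
            continue
        day = datetime.fromtimestamp(mtime, tz=timezone.utc).date()
        counts[day.isoformat()] += 1
    return dict(counts)

def runaway_days(counts, per_day=2, min_days=7):
    """Days on which at least per_day keys were written. Returns [] unless at
    least min_days such days exist, so one busy day (a deliberate re-issue) is
    not flagged; a long run means a lineage is being retried and failing."""
    busy = sorted(d for d, c in counts.items() if c >= per_day)
    return busy if len(busy) >= min_days else []

def scan_keys_dir(path=KEYS_DIR):
    """Real-directory variant: (name, mtime) for every regular file in path."""
    with os.scandir(path) as it:
        return [(e.name, e.stat().st_mtime) for e in it if e.is_file()]

# Constructed sample listing: one normal key in November, then two keys every
# day from Dec 7 to Dec 15, the pattern described in the issue.
def _stamp(y, m, d, h):
    return datetime(y, m, d, h, tzinfo=timezone.utc).timestamp()

SAMPLE_ENTRIES = [("0000_key-certbot.pem", _stamp(2020, 11, 20, 4))]
for i, day in enumerate(range(7, 16)):
    SAMPLE_ENTRIES.append((f"{2*i+1:04d}_key-certbot.pem", _stamp(2020, 12, day, 3)))
    SAMPLE_ENTRIES.append((f"{2*i+2:04d}_key-certbot.pem", _stamp(2020, 12, day, 15)))

if __name__ == "__main__":
    flagged = runaway_days(keys_per_day(SAMPLE_ENTRIES))
    print(f"{len(flagged)} day(s) with repeated key generation: {flagged[0]} .. {flagged[-1]}")
```

Replace `SAMPLE_ENTRIES` with `scan_keys_dir()` to run it against a real install; a flagged run is the cue to check /var/log/letsencrypt for the lineage that is failing.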