Force renew lots of Let's Encrypt certificates?

As you may have heard, Let’s Encrypt is revoking today (March 4th) lots of certificates, due to a software bug. That means that we need to renew some of our certificates.

You can check if your site is affected using this tool.

As far as I know, the only way to do this using Hestia WebUI is to disable SSL support > save the changes > enable SSL Let’s Encrypt support > save changes.

It could also be done on the command line via v-add-letsencrypt-domain USER DOMAIN [ALIASES]. But I don’t know any way to do this on a large scale. Some Hestia installations might contain tens or hundreds of web sites with Let’s Encrypt SSL Support and thus it would be a PITA to manually (find what certificates are affected and) renew them.

Is there any other way to force renew all Let’s Encrypt certificates? Even the ones that are not affected by the bug.

1 Like

Did you got any notification from let’s encrypt that your cert is getting revoked? Currently there is no way to mass rebuild the certificate. Basicly this could be done with a few lines of bash scripts - but I dont know if you would hit a let’s encrypt limit due to the mass registration of new certs.

none of my domains are currently affected, also I’m not sure if this is anyway related to hestia, because hestia doesnt use caa dns records for let’s encrypt validation (only for wildcard, but then you would anyway need to have a hestia dns cluster).

Good point @ScIT about hitting some LE limit on mass renew. That didn’t cross my mind at all. So even if we create a bash script to perform mass renewal, that might not prove useful at all.

Yes, it might not be related to Hestia at all. But having in mind that quite a few sysadmins are migrating from Vesta, there might be some certificate cases that need to renew (I got some notification emails already from LE).

In any case, I’m marking this topic as solved :slight_smile:

If you need to automate, https://github.com/hestiacp/hestiacp/blob/master/bin/v-update-letsencrypt-ssl might be a starting point for a script that renews the ssl certs, it will also handle certs used by the email stack.