
Remove all expired certificates from Security - TLS/SSL - Certificates (CRT)

NetVicious shared this idea 5 years ago
Open Discussion

As a cPanel User, I would like to add a single button to delete all the expired certificates in AutoSSL so that it will simplify the process of updating SSL certificates.


==========


The AutoSSL addon doesn't delete older certificates when they expire.

They stay on the system until you manually delete them.

We can do it one by one on cPanel / Security / TLS-SSL / Certificates (CRT).


What about a single button to delete all the expired certificates (looking at the expiration date of the cert) in a single click?

Replies (1)


This is a must, and the fact the API lacks the necessary linkage to make it easier is definitely frustrating when you have tons of domains not updating due to expired certificates that were previously installed by Let's Encrypt vs Comodo or vice versa.


Came up with this workaround for now which appears to be working great on my tests.


Check for expired certs:


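# Walk every certificate id reported for the installed SSL vhosts.
for cert in $(/usr/local/cpanel/bin/whmapi1 fetch_ssl_vhosts | grep -E 'id: ' | sed -e 's/^[ \t]*//' -e 's/id: //g'); do
  # The second-to-last "_" field of the id is the expiry time as a Unix epoch.
  cert_epoch=$(echo "${cert}" | rev | cut -d_ -f2 | rev)
  # The first two "_" fields, with "_" turned back into ".", are used to look up the owner.
  primary_domain=$(echo "${cert}" | cut -d_ -f1,2 | sed 's|_|.|g')
  username=$(sudo grep "${primary_domain}" /etc/userdomains | sed 's/.*://' | sed -e 's/^[ \t]*//' | sort -u)
  if [[ $(date +%s) -gt ${cert_epoch} ]]; then
    echo ""
    echo "Expired SSL Cert: ${cert} for user:${username}"
  fi
done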


Check for Expired and delete:

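# Same loop as above, but each expired certificate is also deleted as its owning user.
for cert in $(/usr/local/cpanel/bin/whmapi1 fetch_ssl_vhosts | grep -E 'id: ' | sed -e 's/^[ \t]*//' -e 's/id: //g'); do
  # The second-to-last "_" field of the id is the expiry time as a Unix epoch.
  cert_epoch=$(echo "${cert}" | rev | cut -d_ -f2 | rev)
  primary_domain=$(echo "${cert}" | cut -d_ -f1,2 | sed 's|_|.|g')
  username=$(sudo grep "${primary_domain}" /etc/userdomains | sed 's/.*://' | sed -e 's/^[ \t]*//' | sort -u)
  if [[ $(date +%s) -gt ${cert_epoch} ]]; then
    echo ""
    echo "Expired SSL Cert: ${cert} for user:${username}"
    echo "Deleting SSL Cert."
    # delete_cert is a UAPI call, so it has to run as the cPanel user that owns the certificate.
    uapi --user="${username}" SSL delete_cert id="${cert}"
  fi
done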


Looking at the way the API functions for this, it doesn't make any sense why it should be this difficult to do as an administrator via API or as the end user in cPanel.


The AutoSSL setting to replace expiring or expired certificates is kinda pointless when it's enabled and it's not fixing these until they are manually removed. This has been confirmed on numerous current v88 CentOS 7 servers.


https://docs.cpanel.net/whm/ssl-tls/manage-autossl/#allow-autossl-to-replace-invalid-or-expiring-non-autossl-certificates

Reference links:


https://features.cpanel.net/topic/delete-multiple-ssl-hosts

https://forums.cpanel.net/threads/remove-ssl-certificate.541091/


API: why can root not just delete the expired?

https://documentation.cpanel.net/display/DD/UAPI+Functions+-+SSL::delete_cert

Why is there a username requirement, and no automated lookup if you simply provide the explicit cert id to have deleted as root?


[root@cpanel ~]# cert="addondomain1_primarydomain_com_dda9f_47505_1605225599_8c8a54db8ca542aab9f341d71579b87c"; cert_epoch=$(echo ${cert} |rev |cut -d_ -f2|rev) ; if [[ ${cert_epoch} -gt $(date +%s) ]]; then echo "Deleting SSL Cert: ${cert}"; uapi --user=root SSL delete_cert id=${cert} ; fi
Deleting SSL Cert: addondomain1_primarydomain_com_dda9f_47505_1605225599_8c8a54db8ca542aab9f341d71579b87c
---
apiversion: 3
func: delete_cert
module: SSL
result:
  data: ~
  errors:
    - You do not have the feature "sslmanager".
  messages: ~
  metadata: {}
  status: 0
  warnings: ~
[root@cpanel ~]#


There's also no whmapi function from what I could find to delete as root either.


Please add these necessary api calls or adjust the system so it works without needing these extra workarounds.


Thanks.
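The workaround in the reply above trusts that every line matched by grep 'id: ' is a certificate id with the expiry epoch in its second-to-last field. The following is an added example, not part of the original post or of cPanel's code, that checks the shape of an id before treating it as expired; the id layout is an assumption inferred from the single sample id in the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed id layout, inferred from the sample id in the post:
#   <domain, "." as "_">_<two short fields>_<not-after epoch>_<32 hex chars>

# cert_id_epoch ID: print the expiry epoch, or fail if ID does not fit the layout.
cert_id_epoch() (
  id=$1
  case $id in ?*_?*_?*_?*_?*) ;; *) exit 1 ;; esac   # at least five "_" fields
  hash=${id##*_}      # last field
  rest=${id%_*}
  epoch=${rest##*_}   # second-to-last field
  case $hash in *[!0-9a-f]*) exit 1 ;; esac
  [ "${#hash}" -eq 32 ] || exit 1
  case $epoch in ''|*[!0-9]*) exit 1 ;; esac
  [ "${#epoch}" -le 12 ] || exit 1                    # keeps the integer test below in range
  printf '%s\n' "$epoch"
)

# cert_id_state ID NOW: print expired, valid or malformed.
cert_id_state() (
  epoch=$(cert_id_epoch "$1") || { echo malformed; exit 0; }
  if [ "$2" -gt "$epoch" ]; then echo expired; else echo valid; fi
)

# report_expired NOW: read ids on stdin, print the expired ones on stdout and
# report anything that is not a certificate id on stderr instead of acting on it.
report_expired() {
  while IFS= read -r id; do
    case $(cert_id_state "$id" "$1") in
      expired)   printf '%s\n' "$id" ;;
      malformed) printf 'skipping unrecognised id: %s\n' "$id" >&2 ;;
    esac
  done
}

# Constructed input: the id quoted in the post plus a line that is not an id.
printf '%s\n' \
  'addondomain1_primarydomain_com_dda9f_47505_1605225599_8c8a54db8ca542aab9f341d71579b87c' \
  'status: 1' | report_expired "$(date +%s)"
```

Piping the id list from the whmapi1 pipeline in the post through report_expired gives a list to review before any delete_cert call is made.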
