Old certificates accumulating

Certify is doing a good job of obtaining certificates and applying the bindings, etc. for our 2016 server, however, after using it for a few months, we are now accumulating many duplicate certificates as it is renewing every 14 days. I see it’s supposed to do some cleanup, but I’m not sure it’s happening. We recently upgraded to the latest version and checked the ‘daily cleanup’ box, so maybe that will help?

The bigger problem is that we are now getting expiry bot notifications from let’s encrypt for all the old certificates. Is anyone else seeing that? Is that also related to clean-up? Will it revoke those old certs with the clean-up process?

Thanks!
-Bill

If you renew an identical certificate, you shouldn’t get an expiration email. The only times I’ve gotten an expiration warning is for the staging certificates expiring or when adding an alt-name to a certificate request, the old certificate will expire with warning.

I feel like I’ve read that the old certificates will only get cleaned up after they expire, plus a month or so. So if you renew every half-month and the certificates are valid for 3 months, you’ll end up with 8 certificates before they’re cleaned up. Or something?

That makes sense on the number of certificates, and I guess there could be some certificates that have changed. I'll keep an eye on it. I appreciate the response.

Thanks!
-Bill

Hi, as @jljtgr pointed out you will receive emails from Let’s Encrypt about certificates that have changed (domains added/removed) until they expire. There is no way to change that currently.

If you have certificate cleanup set to Daily Full Cleanup you should have no unused certificates in your Certificate Store: we basically gather up all the thumbprints currently in use and delete anything with [Certify] in the Friendly Name that's not on the list of currently used thumbprints. So now you should have roughly the same list of certificates as you have managed in Certify. Future versions will also do more cleanup of on-disk assets (this is implemented in dev) under c:\programdata\certify.
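For anyone who wants to audit that cleanup rule by hand, or check what Daily Full Cleanup would remove before turning it on, here is an added illustration of the same logic in PowerShell. It is not Certify's own code. It assumes IIS on Windows with the WebAdministration module available, that the certificates Certify installs carry "[Certify]" in their Friendly Name (as the post above says), and that the certificates live in the LocalMachine\My store; the store path and tag are parameters so you can adjust them. Run it with -WhatIf first.

```powershell
# Added illustration of the "in-use thumbprints vs. tagged certificates" cleanup
# rule described in the thread. Not Certify's code. Assumes IIS + WebAdministration
# and that installed certs have "[Certify]" in the Friendly Name.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',   # assumed store location
    [string]$Tag       = '[Certify]'                 # assumed Friendly Name tag
)

Import-Module WebAdministration -ErrorAction Stop

# 1. Gather every thumbprint currently bound to an HTTPS site in IIS.
$inUse = @{}
foreach ($binding in Get-WebBinding -Protocol https) {
    if ($binding.certificateHash) {
        $inUse[$binding.certificateHash.ToUpperInvariant()] = $true
    }
}

# Also treat anything bound at the HTTP.sys level as in use, so a binding that
# exists outside IIS (e.g. another service) is not orphaned by mistake.
# netsh prints lines like "    Certificate Hash             : <40 hex chars>".
foreach ($line in (netsh http show sslcert)) {
    if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
        $inUse[$Matches[1].ToUpperInvariant()] = $true
    }
}

# 2. Tagged certificates in the store whose thumbprint is not in use anywhere.
$orphans = Get-ChildItem -Path $StorePath | Where-Object {
    $_.FriendlyName -like "*$Tag*" -and
    -not $inUse.ContainsKey($_.Thumbprint.ToUpperInvariant())
}

# Show the candidates grouped by subject, so the "many copies of the same cert"
# pattern from the thread is visible before anything is deleted.
$orphans | Sort-Object Subject, NotAfter |
    Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize

# 3. Remove the orphans. Honours -WhatIf / -Confirm via ShouldProcess.
foreach ($cert in $orphans) {
    $target = "$($cert.Subject) ($($cert.Thumbprint))"
    if ($PSCmdlet.ShouldProcess($target, 'Remove from certificate store')) {
        Remove-Item -Path (Join-Path $StorePath $cert.Thumbprint)
    }
}
```

Two caveats worth keeping in mind: removing a certificate from the local store only deletes your copy, it does not revoke it, and it has no effect on Let's Encrypt's expiry emails, which are driven by the CA's record of what it issued, not by what is in your store (as the thread already notes for certificates whose domain list changed). And a certificate bound by some non-IIS service through HTTP.sys still shows up in netsh, which is why the script checks both sources rather than IIS alone.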