
cull does not delete links in live

Open Mrten opened this issue 7 years ago • 3 comments

I used to have a desired domain with 'michiel' in it. I don't anymore:

root@acme:/var/lib/acme# fgrep michiel * -R
root@acme:/var/lib/acme#

but acmetool cull does not delete the symlink in live:

root@acme:/var/lib/acme/live# ls -alsF *michiel*
0 lrwxrwxrwx 1 acme acme 61 Apr  1  2016 michiel.afvalonline.nl -> ../certs/qrkcr5fleuzp4hirthkc2rzjhypjdpgmcnxwy3bdfkpdmjdjoeda/

nor is it valid anymore:

root@acme:/var/lib/acme/live# openssl x509 -in ../certs/qrkcr5fleuzp4hirthkc2rzjhypjdpgmcnxwy3bdfkpdmjdjoeda/cert -text | fgrep -A 2 Validity
        Validity
            Not Before: Apr  1 19:41:00 2016 GMT
            Not After : Jun 30 19:41:00 2016 GMT

Er, I now see this is 0.0.50, I'll try 0.0.58 later.

Nov 02 '16 17:11 Mrten

0.0.58 does not help.

Nov 02 '16 17:11 Mrten

This is as (currently) designed. Certificates currently referenced by live/ are not culled by cull, even if they are expired, as they represent the best available certificate for that hostname. The idea is that if any webserver were referencing that certificate, it's probably better to serve an expired certificate than none at all, as with most webservers that will prevent the server starting at all.

Deleting the symlink and then running cull should be an effective workaround.

Nov 08 '16 09:11 hlandau

Understood! Change this into a feature request for acmetool cleanup then perhaps?

Dec 01 '16 12:12 Mrten
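
The check behind the workaround in hlandau's reply, as an added example that is not part of the original thread or of acmetool: it lists `live/` symlinks that are dangling or point at an expired certificate, and deletes nothing. The function names and status labels are made up for this example; the state layout (`live/<hostname>` linking to `../certs/<id>/`, certificate in `cert`) is the one shown in the issue.

```shell
#!/bin/sh
# Added example (not acmetool code): report live/ symlinks that no longer
# lead to a usable certificate. Report only; nothing is removed.

# cert_expired FILE: succeed if the certificate in FILE is past notAfter.
# `openssl x509 -checkend 0` exits non-zero once the certificate has expired
# (a file openssl cannot parse is reported as expired as well).
cert_expired() {
    ! openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1
}

# stale_live_links STATE_DIR: print "<status> <hostname>" for every stale link.
#   dangling  the link target directory no longer exists
#   nocert    the target directory has no "cert" file
#   expired   the certificate is past its "Not After" date
stale_live_links() {
    state_dir=$1
    for link in "$state_dir"/live/*; do
        [ -L "$link" ] || continue        # only symlinks; also skips an unmatched glob
        name=${link##*/}
        if [ ! -e "$link" ]; then         # -e follows the link, so this is a dangling one
            echo "dangling $name"
        elif [ ! -f "$link/cert" ]; then
            echo "nocert $name"
        elif cert_expired "$link/cert"; then
            echo "expired $name"
        fi
    done
}

# State directory from the issue by default; pass another one as $1.
stale_live_links "${1:-/var/lib/acme}"
```

Before removing a reported link and running `acmetool cull`, confirm that no webserver configuration still references that hostname's certificate, since, as the reply above notes, most servers will refuse to start without it.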