Update SSL options for all existing accounts

david · February 10, 2025, 2:39pm

So as you know, SSL always seem to expire on their own or a few certs get dropped at renewal. To resolve this I’ve moved all websites onto Cloudflare so they can manage the SSL renewal process for me. (I give up )

The final step is to change two options:

Perform IP validation prior to certificate request.
Enable strict tolerance. Certificates may not drop a hostname during renewal or issuance due to DNS or unreachability.

How can I modify them for all existing sites / accounts? If you could provide cli command that would be great!

msaladna · February 10, 2025, 6:04pm

Use a collection to enumerate over each site (or just script in bash for * in site*; do ... ; done):

cpcmd -o json admin:collect | jq -r 'keys[]' | while read SITE ; do 
    echo $SITE
    cpcmd -d $SITE common:set-preference letsencrypt.verifyip false
    cpcmd -d $SITE common:set-preference letsencrypt.sensitivity false
done

Preference reference

Be sure to alter the defaults in config.ini as well, [letsencrypt] => verify_ip + [letsencrypt] => strict_mode.

david · February 11, 2025, 2:30pm

Thank you so very much