A command to undo my CertBot command (to uninstall the cert stack)?


#1

I use Ubuntu 16.04 with Nginx and I create a certificate for WordPress sites with the following command:

certbot --nginx -d ${domain} -d www.${domain}

This is my script in which I run this command:

This is the script with which I undo what’s done:

Note the following command there:

rm -rf /etc/letsencrypt/{live,renewal,archive}/{${DOMAIN},${DOMAIN}.conf}

I use the above command to delete the certs but I’m not sure that’s enough. Either way, is there an automatic command, something which is the opposite of certbot --nginx -d ${domain} -d www.${domain}?

The purpose is to undo everything I did with CertBot (for a given domain), easy and fast, in case of a problem. This can help, and be mentally tranquilizing in case of a problem / failed execution of the first script I shared above.


#2

Yes, rollback, which is (only briefly) described in https://certbot.eff.org/docs/using.html.


#3

Thanks @schoen. I admit it didn’t understand from the man there if the end command should be:

certbot --nginx rollback ${domain}

and if this is actually equivalent to:

rm -rf /etc/letsencrypt/{live,renewal,archive}/{${DOMAIN},${DOMAIN}.conf}
${rse}

A small clarification on this could help me (and I guess some others) greatly.


#4

I believe you don’t specify the domain name (it just undoes the specified number of changes that Certbot has made to your nginx configuration, by default 1 for the most recent change).

I believe it also does not remove the certificates from /etc/letsencrypt, just prevents them from being mentioned in your nginx configuration. If you want to remove the certificates from /etc/letsencrypt, you would use certbot delete. In Certbot jargon, we might say that rollback reverses the effects of the installer (webserver integration), while delete reverses the effects of the authenticator (obtaining the certificates). You can do either one without the other, although doing only delete without rollback will likely make your web server configuration invalid because it will refer to nonexistent files.

I hope that’s clear (and accurate—I’ve never used the rollback command myself and wasn’t involved in its implementation).


#5

Hmm, about rollback or delete — if one doesn’t specify the domain after say rollback, seemingly Certbot wouldn’t have an app to act upon. I assume one should run either delete or rollback from the app’s dir in document root.


#6

I believe that Certbot remembers all of the changes that it has made to your configuration and would therefore undo them in order (rather than undoing a specific one by domain). This might not be what people want in some cases (for example, they might not want to undo the most recent one!), but I believe this is the only know undo functionality that has been implemented so far.

By contrast, delete does require you to specify a particular cert (via --cert-name).

No, that has no effect.


#7

Oh, it seems you mean to a total deletion of everything done with Certbot. I originally meant to deletion only of the data Certbot has added for a particular app, per this app’s domain.


#8

Right, but as it’s currently implemented, Certbot only tracks the changes it’s made in order, and not according to domain names are affected by them. Therefore, it can only reverse them in the same order in which it originally chronologically applied those changes. If Certbot added a configuration for example.com and then later added one for example.org, it can only undo the older example.com change by also undoing the example.org change. That’s not necessarily what people would always want to do, but that’s the only kind of rollback that we have implemented so far.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.