About revoking certificate


#1

Hi, I have just revoked certificates of my website (http://gamek.es) using letsencrypt-auto revoke command on Ubuntu Server 16. The command succeeded but the webpage appears with a red lock in the browser:

Google Chrome doesn’t stop spamming me that the web is not secure and I must abandon it… Is there any way to restore the web security configuration as before installing Let’s Encrypt certificates? I mean with the white webpage icon, not the red or green lock.

Thanks :slight_smile:


#2

You currently have a certificate installed for www.gamek.es and not gamek.es - hence the warnings.

https://www.gamek.es/index.php looks to work OK.

In your config, you have a redirect from http to https://gamek.es/ (without the www), hence you are getting the errors.

To have just an http only site, you will need to remove the redirect to https. This is likely to be in your files in /etc/apache2/sites-available

Are you sure you want to remove https completely though? Or do you want to overcome the red lock errors?


#3

Did you use letsencrypt-auto with the apache plugin, i.e. did the client setup the certificates in your web server, or did you do that manually?

If you used the apache plugin, you can likely use the ./letsencrypt-auto rollback command to undo the configuration changes that enabled SSL. (You’ll obviously also have to make sure to only link to the http:// version of your site everywhere.)

If you manually changed your web server configuration to enable SSL/TLS, you’ll have to undo those changes manually as well. This probably involves removing the SSL <VirtualHost>. Happy to help if you provide your configuration files, or in case we can help you with fixing the issues that are causing you to drop SSL! :smile:

To clarify what revocation is about, that’s basically a way for you to tell the CA (Let’s Encrypt) and browsers that the certificate you obtained for your site is not to be trusted anymore, for example because the private key was stolen. It’s not a way to uninstall or disable SSL in your web server.


#4

My goal is to remove all Let’s Encrypt certificates because I believe I installed them wrong, because I had the green lock but some friends of mine had red lock, so some people have errors and other not. I want to have certificates on gamek.es and all its subdomains (www. for example). But I remember using revoke command to revoke that last certificate as well, I’m a bit confused now. If the www. certificate is correctly installed, is there any way to fix the gamek.es issue and install the certificate again?


#5

I have installed certificates through letsencrypt-auto with the apache plugin, yes. But the rollback command doesn’t seem to fix the issue. Which configuration files should I provide you?


#6

What happens when you run the rollback command? Could you try it with ./letsencrypt-auto rollback -vvvvv and provide the full output and log files from /var/log/letsencrypt?


#7

When I use that command, the console prints this:

These are the logs:
2016-06-30 17:20:53,887:DEBUG:certbot.main:Root logging level set at -20
2016-06-30 17:20:53,897:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-06-30 17:20:53,906:DEBUG:certbot.main:certbot version: 0.8.1
2016-06-30 17:20:53,914:DEBUG:certbot.main:Arguments: ['-vvvvv']
2016-06-30 17:20:53,922:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoi$
2016-06-30 17:20:54,420:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x6915fa79e4d0>
Prep: True

Now it seems that gamek.es doesn’t work, only www.gamek.es works.


#8

Hm, not sure what that output means. From what I can see, your server is not listening on port 443 (https) right now, so maybe the first rollback worked?

I can browse to both http://www.gamek.es/ and http://gamek.es/. When you browse to http://gamek.es, does the URL change to https://gamek.es (i.e. http becomes https)? In that case, you might have enabled redirecting all traffic to https:// previously, and your browser still has that redirect cached. Trying with a clean cache or a different browser should help confirm this.


#9

Cool! That worked. The problem was Chrome’s cache. At the moment, there is no certificate installed, both www.gamek.es and gamek.es seem not to have secure navigation. At this point, is it safe to reinstall certificates to main web gamek.es and its subdomains (www. ) with the ./letsencrypt-auto command? I don’t want to break SSL again haha

Thanks for all the help by the way :slight_smile:


#10

Without knowing the reason why some of your friends saw a red lock for the site, it’s hard to say whether repeating the process will result in a working configuration. The issue doesn’t necessarily have to be with the certificate. You’ll probably also want to make sure that you have explicit ServerAlias directives for all (sub)domains that you need - that’s how the client determines which domain it should add to the certificate.

Once you’ve re-enabled SSL, SSL Labs should show any remaining issues with your configuration.


#11

How can I do that? Once I know, I’ll try to install certificates again. Hope it works!


#12

You likely have one or more files in /etc/apache2/sites-enabled. Those files include <VirtualHost> tags with a ServerName directive, probably something like this:

<VirtualHost *:80>
  ServerName gamek.es
  # ... more stuff
</VirtualHost>

If you also want to use www.gamek.es, you need to add a ServerAlias:

<VirtualHost *:80>
  ServerName gamek.es
  ServerAlias www.gamek.es
  # ... more stuff
</VirtualHost>

Once you’ve added all the domains to your configuration, run letsencrypt-auto again and you should be getting a certificate that covers all subdomains you use.
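As an added illustration of the point made in this reply (this is example code written for this page, not code from the thread or from the certbot project), the script below parses a small Apache configuration and lists the ServerName/ServerAlias names per <VirtualHost>, then reports which wanted hostnames are not declared on a given port. The sample config is constructed to mirror the situation in this thread: gamek.es on port 80, but only www.gamek.es on the SSL vhost.

```python
import re

# Constructed sample config (not the poster's real file): the port 80 vhost from
# this reply plus an SSL vhost that only names www.gamek.es, i.e. the mismatch
# that caused the red lock on gamek.es earlier in the thread.
SAMPLE_CONFIG = """\
<VirtualHost *:80>
  ServerName gamek.es
  # ... more stuff
</VirtualHost>

<VirtualHost *:443>
  ServerName www.gamek.es
  SSLEngine on
</VirtualHost>
"""

# Matches one <VirtualHost addr:port> ... </VirtualHost> block (case-insensitive).
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def vhost_names(config_text):
    """Return [(address_spec, [hostnames])] for every <VirtualHost> block.

    Hostnames are the ServerName plus every ServerAlias, lower-cased, in file
    order: these are the names the apache plugin can pick from when it decides
    which domains to request on the certificate.
    """
    result = []
    for m in VHOST_RE.finditer(config_text):
        names = []
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            parts = line.split()
            if parts and parts[0].lower() in ("servername", "serveralias"):
                names.extend(p.lower() for p in parts[1:])
        result.append((m.group(1).strip(), names))
    return result


def missing_names(config_text, wanted, port="443"):
    """Names in `wanted` that no vhost listening on `port` declares."""
    declared = set()
    for addr, names in vhost_names(config_text):
        if addr.endswith(":" + port):
            declared.update(names)
    return [n.lower() for n in wanted if n.lower() not in declared]


if __name__ == "__main__":
    for addr, names in vhost_names(SAMPLE_CONFIG):
        print(addr, names)
    print("not declared on :443:", missing_names(SAMPLE_CONFIG, ["gamek.es", "www.gamek.es"]))
```

Running it against the real files in /etc/apache2/sites-enabled before re-running letsencrypt-auto shows which names still need a ServerAlias.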


#13

It worked!! Thanks a lot :slight_smile:

Whenever I want to add a new subdomain to the certificate, I just need to add more ServerAlias? Or do I do this through a letsencrypt command?


#14

I’d say your best option is to add a ServerAlias whenever that happens, if the new domain should be serving the same site.

If it’s a different site (e.g. a different DocumentRoot or something like that), I would add a new file in /etc/apache2/sites-available (basically a copy of your port 80 <VirtualHost>, changing the ServerName and possibly ServerAlias), then enable it with a2ensite <filename> and then run the client again to get a certificate for that domain and add an SSL vhost to your apache config.

