Cannot revoke and create new SSL certificate

So I stumbled upon an interesting scenario and need some help quite quickly because I can no longer access my encrypted site.

Basically, I created the following SSL certificate for cloud.mysite.org

All was working well and then I decided I wanted to provide that for the actual main site so I did…

./letsencrypt-auto apache -d cloud.mysite.org -d www.mysite.org

But this in fact caused the certificate and browsers to get confused. I realize now (perhaps it’s a bug) but the second item should have been at the start, not vice versa. I was no longer receiving a ‘safe’ certificate on the subdomain.

So then I revoked the certificate locally and attempted to create a new one. Ironically, no matter what I do the certificate is ALWAYS regenerated with the www.mysite.org even though I have another certificate specifically just for that.

Any help would be super awesome!!

Not exactly the same problem, but something similar happened for me.

Hmmm, not exactly the same issue since you did not revoke your original key. But definitely an issue related to the attachment of other domains on the same key.

Would you mind sharing your <VirtualHost>s and your domain?

A couple of things:

  • Revocation is usually not something you need to bother with unless your private key is stolen. It’s not what you need to do when you’re replacing a certificate, or if there’s a problem with your certificate or configuration (it doesn’t actually fix any of that, it just tells browsers: This cert is bad).
  • The order in which you list the domains doesn’t matter.

Well I agree the order shouldn’t matter but in my case the certificate stopped working.

Here’s my VirtualHost for port 80

<VirtualHost *:80>
ServerName cloud.mysite.org

Redirect permanent / https://cloud.mysite.org/
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.mysite.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
</VirtualHost>

And for 443

<VirtualHost *:443>
ServerName cloud.mysite.org
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
#SSLUseStapling On
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM$
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
SSLCertificateFile /etc/letsencrypt/live/cloud.mysite.org-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mysite.org-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/cloud.mysite.org-0001/chain.pem
DocumentRoot /var/www/mysite
</VirtualHost>

I understand the issues around revoking as well, but I cannot see any way in the system to actually remove a domain from a certificate. In my case, it was simply causing issues after it was added. Personally, I don’t understand why, but before I added it life was fantastic.

It would help if you could share your domain so we can take a look at the actual site and certificate.

I noticed that your configuration is pointing to a certificate in cloud.mysite.org-0001. This -000X-like directory structure usually gets created when you add additional subdomains to a certificate without using the --expand option. This will create what’s called a new certificate lineage, leaving the previous certificate in place. It tends to be rather confusing.

I’d recommend taking a look around in other subdirectories of /etc/letsencrypt/live/ and checking which domains are covered by the cert.pem files in there. You can do that using openssl x509 -text -noout -in /etc/letsencrypt/live/cloud.mysite.org-0001/cert.pem | grep DNS.

Another option would be to start from scratch, include all domains you’ll need right away and use --expand for any future additions. I wrote a post on how to delete certificate lineages a while back which might be of use here. Given that you’re also using the apache plugin, you’d have to delete any reference to /etc/letsencrypt/ from your apache configuration first (for example via grep -r "/etc/letsencrypt" /etc/apache2/).
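To make the lineage check above repeatable, here is an added shell example (not from this thread or from certbot) that walks every cert.pem under a live/ directory, lists the DNS names each lineage covers and flags hostnames that appear in more than one lineage, which is exactly the cloud.mysite.org / cloud.mysite.org-0001 situation. It assumes openssl 1.1.1 or newer is installed; the directory path is a parameter, and the fixture it builds is constructed for demonstration only.

```shell
# Print the subjectAltName DNS entries of one certificate, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Print "<lineage> <name>" for every <live_dir>/<lineage>/cert.pem.
list_lineage_names() {
    for cert in "$1"/*/cert.pem; do
        [ -f "$cert" ] || continue
        lineage=$(basename "$(dirname "$cert")")
        cert_dns_names "$cert" | while read -r name; do
            printf '%s %s\n' "$lineage" "$name"
        done
    done
}

# Print each DNS name covered by more than one lineage, sorted.
# A non-empty result means two certificates compete for the same host.
duplicate_names() {
    list_lineage_names "$1" \
        | awk '{ seen[$2]++ } END { for (n in seen) if (seen[n] > 1) print n }' \
        | sort
}

# Constructed fixture (assumption, not real data): a throwaway live/ tree
# with two self-signed lineages shaped like the thread. Prints its path.
make_demo_live_dir() {
    dir=$(mktemp -d)
    mk_cert() {   # mk_cert <lineage dir> <comma-separated DNS names>
        mkdir -p "$dir/$1"
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout "$dir/$1/privkey.pem" -out "$dir/$1/cert.pem" \
            -days 1 -subj "/CN=${2%%,*}" \
            -addext "subjectAltName=DNS:$(echo "$2" | sed 's/,/,DNS:/g')" \
            >/dev/null 2>&1
    }
    mk_cert cloud.mysite.org      cloud.mysite.org
    mk_cert cloud.mysite.org-0001 cloud.mysite.org,www.mysite.org
    printf '%s\n' "$dir"
}

# Run against the fixture; pass a real path such as /etc/letsencrypt/live
# to list_lineage_names / duplicate_names to inspect an actual install.
demo() {
    live=$(make_demo_live_dir)
    echo "Lineages and the names they cover:"; list_lineage_names "$live"
    echo "Names present in more than one lineage:"; duplicate_names "$live"
    rm -rf "$live"
}
```

Running `demo` prints three lineage/name pairs and then `cloud.mysite.org` as the hostname shared by both lineages.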


Thanks for the awesome tutorial. In the end I had no choice but to remove all the certificates and regenerate them. Ah well!
