Cannot revoke and create new SSL certificate


#1

So I stumbled upon an interesting scenario and need some help quite quickly because I can no longer access my encrypted site :confused:

Basically, I created the following SSL certificate for

cloud.mysite.org
All was working well and then I decided I wanted to provide that for the actual main site, so I did…

./letsencrypt-auto apache -d cloud.mysite.org -d www.mysite.org

But this in fact caused the certificate and browsers to get confused. I realize now (perhaps it’s a bug) that the second item should have been at the start, not vice versa. I no longer was receiving a ‘safe’ certificate on the subdomain.

So then I revoked the certificate locally and attempted to create a new one. Ironically, no matter what I do the certificate is ALWAYS regenerated with the www.mysite.org even though I have another certificate specifically just for that.

Any help would be super awesome!!


#2

Not exactly the same problem, but something similar happened for me.


#3

Hmmm, not exactly the same issue since you did not revoke your original key. But definitely an issue related to the attachment of other domains on the same key.


#4

Would you mind sharing your <VirtualHost>s and your domain?

A couple of things:

  • Revocation is usually not something you need to bother with unless your private key is stolen. It’s not what you need to do when you’re replacing a certificate, or if there’s a problem with your certificate or configuration (it doesn’t actually fix any of that, it just tells browsers: This cert is bad).
  • The order in which you list the domains doesn’t matter.

#5

Well I agree the order shouldn’t matter but in my case the certificate stopped working.

Here’s my VirtualHost for port 80

<VirtualHost *:80>
ServerName cloud.mysite.org

Redirect permanent / https://cloud.mysite.org/
RewriteEngine on
RewriteCond %{SERVER_NAME} =cloud.mysite.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
# closing tag was cut off in the post as quoted
</VirtualHost>

And for 443

<VirtualHost *:443>
ServerName cloud.mysite.org
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
#SSLUseStapling On
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
# cipher list truncated in the original post (the trailing $ is terminal wrap residue)
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM$
Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
SSLCertificateFile /etc/letsencrypt/live/cloud.mysite.org-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mysite.org-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/cloud.mysite.org-0001/chain.pem
DocumentRoot /var/www/mysite
# closing tag was cut off in the post as quoted
</VirtualHost>


#6

I understand the issues around revoking as well, but I cannot see any way in the system to actually remove a domain from a certificate. In my case, it was simply causing issues after it was added. Personally, I don’t understand why, but before I added it life was fantastic.


#7

It would help if you could share your domain so we can take a look at the actual site and certificate.

I noticed that your configuration is pointing to a certificate in cloud.mysite.org-0001. This -000X-like directory structure usually gets created when you add additional subdomains to a certificate without using the --expand option. This will create what’s called a new certificate lineage, leaving the previous certificate in place. It tends to be rather confusing.

I’d recommend taking a look around in other subdirectories of /etc/letsencrypt/live/ and checking which domains are covered by the cert.pem files in there. You can do that using openssl x509 -text -noout -in /etc/letsencrypt/live/cloud.mysite.org-0001/cert.pem | grep DNS.

Another option would be to start from scratch, include all domains you’ll need right away and use --expand for any future additions. I wrote a post on how to delete certificate lineages a while back which might be of use here. Given that you’re also using the apache plugin, you’d have to delete any reference to /etc/letsencrypt/ from your apache configuration first (for example via grep -r "/etc/letsencrypt" /etc/apache2/).
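
The two checks suggested in the post above (which names each cert.pem under /etc/letsencrypt/live/ covers, and which lineages the Apache configuration still points at) can be combined into one audit script. The following is an added example, not code from the thread or from certbot; it assumes certbot's standard live/<lineage>/cert.pem layout and an Apache tree under /etc/apache2, and both paths can be overridden as arguments so it can be pointed at a copy or a test directory. It goes slightly beyond the post by also flagging lineages that Apache never references (the usual leftovers of a -0001 lineage split) and references to lineages that no longer exist.

```shell
#!/bin/sh
# Added example (not from the thread): inventory every certbot lineage under
# live/, list the DNS names each cert.pem covers, and cross-check which
# lineages the Apache configuration actually references. Paths are
# parameters; the defaults are certbot's and Debian/Ubuntu Apache's locations.

# DNS names from the subjectAltName of one certificate, one per line.
cert_sans() {
    # `openssl x509 -text` prints the names on the line after the SAN header
    # as "DNS:a, DNS:b"; take that line, split on commas, drop the prefix.
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/[[:space:]]*$//; s/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Expiry of one certificate as printed by openssl (e.g. "Jan  1 00:00:00 2030 GMT").
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Every lineage directory under LIVE_DIR with its expiry and covered names.
list_lineages() {
    live_dir=$1
    for dir in "$live_dir"/*/; do
        [ -f "$dir/cert.pem" ] || continue   # skips certbot's README and unmatched globs
        name=$(basename "$dir")
        printf '%s\n' "$name"
        printf '  expires: %s\n' "$(cert_expiry "$dir/cert.pem")"
        cert_sans "$dir/cert.pem" | sed 's/^/  DNS: /'
    done
}

# Lineage names referenced by SSLCertificateFile/KeyFile/ChainFile anywhere
# under APACHE_DIR, de-duplicated.
referenced_lineages() {
    grep -rhoE 'SSLCertificate(Key|Chain)?File[[:space:]]+[^[:space:]]*/live/[^/]+/' "$1" 2>/dev/null \
        | sed 's#.*/live/##; s#/$##' | sort -u
}

# Cross-check: a lineage Apache never references is a candidate for
# `certbot delete`; a reference to a lineage that does not exist is a vhost
# that will fail to start.
audit() {
    live_dir=${1:-/etc/letsencrypt/live}
    apache_dir=${2:-/etc/apache2}
    echo "== lineages under $live_dir =="
    list_lineages "$live_dir"
    referenced=$(referenced_lineages "$apache_dir")
    echo "== lineages referenced from $apache_dir =="
    printf '%s\n' "$referenced"
    for dir in "$live_dir"/*/; do
        [ -f "$dir/cert.pem" ] || continue
        name=$(basename "$dir")
        printf '%s\n' "$referenced" | grep -qxF "$name" \
            || echo "unreferenced lineage (stale?): $name"
    done
    for name in $referenced; do
        [ -f "$live_dir/$name/cert.pem" ] \
            || echo "Apache references a lineage that does not exist: $name"
    done
}

# Usage: sh lineage-audit.sh [LIVE_DIR] [APACHE_DIR]   (run as root to read privkey-adjacent dirs)
audit "$@"
```

Run it before deleting anything: a lineage that shows up as unreferenced, whose DNS list duplicates another lineage, is the one to remove; the vhost should then point at the single lineage that covers every name it serves, and future names go on with `--expand` so no new -000X directory is created.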


#8

Thanks for the awesome tutorial. In the end I had no choice but to remove all the certificates and regenerate them. Ah well!


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.