Cant disable properly a certificate for re-create a new certificate?


#1

Hi LE Community

For delete these domaine i delete manualy files on /ets/letsencrypt/

But he isnt delete i can see my domaine certificate here https://crt.sh/?q=%.imchip.be

I want delete 4 certificate for re-create a new for my new subdomain

But i cant with limit rate

Any tips ?


#2

The deletion of your directory /etc/letsencrypt has no effect on already issued certificates.

Also, revocation of already issued certificates has no effect on the rate limit of 5 certificates per domain per sliding window of 7 days. (But without a backup of your /etc/letsencrypt you can’t even revoke the certificate :stuck_out_tongue:)

You should test and/or experiment with the --staging or --test-cert switch of the official Let’s Encrypt client. It generates fake certificates, but has less strict rate limits. When you’re satisfied with all the options of the client, you can drop the --test-cert switch, so it generates a good certificate.


#3

Ty for this reply

i will try now


#4

So i cant remove a certificate if already generated and i remove my folder /etc/letsencrypt/


Remove domain not required from cert
#5

Correct. If you remove the folder /etc/letsencrypt, you won’t have the certificate anymore (and, more importantly, you also won’t have the corresponding private key to revoke the certificate), but every single certificate you’ve issued in the past will be online and shared with the whole world on http://crt.sh. But that last part you knew already, I hope :wink:

Ofcourse, if you’ve deleted your directory, you can download the certificate again from crt.sh, but it will be useless for your server without its private key. So don’t delete /etc/letsencrypt unless you’ve made a backup of it.


#6

im a lucker
my backup server contains files /ets/letsencrypt with my certificates

For revoke a certificate
"./letsencrypt-auto revoke --key-path /etc/letsencrypt/keys/0000_key-letsencrypt.pem "

how to know what is the certificate corresponds .pen

its good ?


#7

Hi @Chipie678, just as a reminder, as other people mentioned, revoking the certificates won’t affect the rate limit, so if you can’t get a certificate because too many have already been issued, you still won’t be able to do it after revoking an existing certificate.

You can find out the content of an existing certificate by running

openssl x509 -in cert.pem -text -noout

(which will show you, for example, who issued it, when it expires, and what domains it applies to - the subject alternative names), and you can see if a private key corresponds to the subject public key in an existing certificate by running

openssl rsa -in privkey.pem -pubout | openssl rsa -pubin -text

and seeing whether the modulus value that is printed there is the same as the modulus value printed by the openssl x509 command.