Certificate Revoke Error. The request message was malformed :: No such certificate

My domain is: chnypc.net

I ran this command: certbot revoke --cert-path 1.pem

It produced this output: The request message was malformed :: No such certificate

My web server is (include version): --manual

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi,

I'm trying to revoke my old certificate without the certificate key or account key, following this article: https://letsencrypt.org/docs/revoking/#using-a-different-authorized-account, but I'm getting this error:

The request message was malformed :: No such certificate

My certificates:
https://crt.sh/?q=%.chnypc.net

Hi @chnypc

Could you share the contents of 1.pem in this thread?

Are you also providing the --key-path /PATH/TO/key.pem argument? (Please don't post the contents of this one in the thread!)

Hi @cpu

The PEM file is below.

I don't have the key file; I deleted it, and I'm getting an error when I apply this directive (https://letsencrypt.org/docs/revoking/#using-a-different-authorized-account).

I have created a new SSL certificate with the same domain and with a non-existing domain.

[root@webserver ssls]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: chnypc.net
Domains: chnypc.net acme.chnypc.net le.chnypc.net www.chnypc.net
Expiry Date: 2018-12-17 07:30:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/chnypc.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/chnypc.net/privkey.pem


[root@webserver ssls]# certbot revoke --cert-path 1.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

1.pem:
-----BEGIN CERTIFICATE-----
MIIFEDCCA/igAwIBAgISA8GY2jyCI3bG2WZ/h15yTsA/MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA5MTcwOTExMzFaFw0x
ODEyMTYwOTExMzFaMBcxFTATBgNVBAMMDCouY2hueXBjLm5ldDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALV3zVywEm0mF80oa7JeGCufCw9ESJYImfWC
XXAU7Ml/fXNDIUovIAGO9AaZrwG/d182jzEHOZLB0YNgi2rPoXwYh9pRbzypfSHx
BR5+yyyMCiTZXWE6nggY0VANISPbD7DI3xeTTqOvY0LQz+Yw8suUXcgZzQ9do23B
80GKYOweFGd07/+PA28S+ko6+4P1YHQK7NQQ7IBbpeONUrxda9Ig1/I2gBomD/p4
XWlUSN/6eQQfwM20FZP2aKfv2IDgXfEMKImwlLWTwoQPrbuNAKS9wgfzF2/R+Ooy
rpKyygXsUJEdnE8FLiA6Nd7OIuDgsmpjrworr2X23hxrghVksK8CAwEAAaOCAiEw
ggIdMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6x1qM+kCktiz5ox3Jj5mon0CDkYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBh
MC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
MC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAXBgNVHREEEDAOggwqLmNobnlwYy5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwB
AgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxl
dHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRl
IG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQg
b25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBm
b3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzATBgor
BgEEAdZ5AgQDAQH/BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAOMBN8oTekScPCkXS
uyszlFGeHpiLNKU7i0KWx901c+D7C8bxq7RljVWVg7qwUdrj7aPtTK8wyzZ9Is5F
zNWiVO80Fe+LTb1X9VdEz9GQfllu9pnqevsbe8n+lKCBv5+32FoEkjd4jBifcWaT
edwAerDq90/GoO3bUGwdAyBSkCXTgDWqPuBVofqmz1Q6QDvMXVQQgLwLW+s2SRq1
bNJGbwXj5/zdJsdDFwSKOS29a3HDpyp4/lV7LOK7kiCpZRg4uaIr8pRW7x604mLY
yp8f2c9Y7c2LwEeiyCy3xu9JSVaTY1YUuL8W9gQjm/OttXUP5nclwAWh/jcgJ+G/
2hl+SQ==
-----END CERTIFICATE-----

letsencrypt.log
letsencrypt.log.txt (9.9 KB)

Hi @chnypc,

Thanks for the additional information!

You can't revoke the certificate using --cert-path without having the certificate's private key or having valid authorizations for every domain in the certificate as well, or anyone could revoke any certificate.

Can we take a step back: Why are you trying to revoke this certificate? Unless you think the private key has been compromised I recommend that you don't revoke the certificate.

If you absolutely must revoke the certificate you should share the error you're receiving when following the "using a different authorized account" instructions. That's the only process that will let you revoke the certificate without the original private key.

Hi again @cpu,

I should revoke all the certificates. How can I do validation for every domain in the certificate?

Following the instructions from "Using a different authorized account".

What are the domain names on each certificate? How did you issue them originally using Certbot?

I issued the certificates using a PHP API client.

Now, for example, I'm trying to revoke this certificate.

This certificate does not have a common name other than le.chnypc.net, and I don't have any private or public key.

I'm creating a new SSL certificate with this command:
certbot certonly --manual --preferred-challenges=dns -d le.chnypc.net

Downloading the PEM from crt.sh:
wget https://crt.sh/?d=724245747 -O test.pem

and trying to revoke the certificate:
[root@webserver pem]# certbot revoke --cert-path test.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

and with a non-existing domain:

certbot certonly --manual --preferred-challenges=dns -d le.chnypc.net -d nonexistent.chnypc.net

[root@webserver pem]# certbot revoke --cert-path test.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

I think I'm making a basic error but I can't find it; maybe I didn't understand the document correctly.

Were you using the HTTP-01 or DNS-01 support with this client?

What is the output from this command? I suspect this isn't completing successfully. Are you adding the TXT record that Certbot prompts you to add?

I'm using the DNS challenge, and the certbot command output was always successful. I'm adding the logs as attachments.
letsencrypt.log.1.txt (29.1 KB)
letsencrypt.log.txt (10.7 KB)
letsencrypt.log.3.txt (10.7 KB)
letsencrypt.log.4.txt (35.7 KB)

That's a precertificate.

You'll need to find and revoke the actual certificate instead. I can't seem to find it on crt.sh though, I guess it must still be running behind. Anyone know another way? (was there a way to get a cert by serial number from ACME or something like that?)

EDIT: found it, try this

curl https://acme-v01.api.letsencrypt.org/acme/cert/03242fb17e400b625aeb160e9f9e7243d9e5 | openssl x509 -inform der -outform pem > test.pem

Hi @jmorahan,

I think it works. Does it show as revoked in crt.sh? And how can I generate the cert URL?

Yes.

You mean like https://acme-v01.api.letsencrypt.org/acme/cert/03242fb17e400b625aeb160e9f9e7243d9e? The bit at the end is the certificate serial number, which you can find on crt.sh (it's the same for the precertificate and the actual certificate), without the colons.

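The diagnosis above can be checked mechanically. The following is an added example, not code from this thread, from Certbot or from Let's Encrypt: a stdlib-only Python script that walks the DER of a PEM certificate, reports whether it carries the Certificate Transparency precertificate poison extension (what makes a "precertificate" a precertificate), and extracts the serial number in the bare lowercase-hex form that the acme/cert/<serial> URL in the answer above uses. It assumes the standard X.509 v3 layout (single-byte DER tags, tbsCertificate as the first element) and uses the 1.pem posted earlier in this thread as its sample input; that file is itself a precertificate, which is why revoking it by --cert-path also failed. The acme-v01 endpoint quoted in the answer has since been retired, so the serial is the part worth keeping from this.

```python
import base64
import re

# 1.pem as posted in the thread above (a Let's Encrypt precertificate).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIFEDCCA/igAwIBAgISA8GY2jyCI3bG2WZ/h15yTsA/MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA5MTcwOTExMzFaFw0x
ODEyMTYwOTExMzFaMBcxFTATBgNVBAMMDCouY2hueXBjLm5ldDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALV3zVywEm0mF80oa7JeGCufCw9ESJYImfWC
XXAU7Ml/fXNDIUovIAGO9AaZrwG/d182jzEHOZLB0YNgi2rPoXwYh9pRbzypfSHx
BR5+yyyMCiTZXWE6nggY0VANISPbD7DI3xeTTqOvY0LQz+Yw8suUXcgZzQ9do23B
80GKYOweFGd07/+PA28S+ko6+4P1YHQK7NQQ7IBbpeONUrxda9Ig1/I2gBomD/p4
XWlUSN/6eQQfwM20FZP2aKfv2IDgXfEMKImwlLWTwoQPrbuNAKS9wgfzF2/R+Ooy
rpKyygXsUJEdnE8FLiA6Nd7OIuDgsmpjrworr2X23hxrghVksK8CAwEAAaOCAiEw
ggIdMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6x1qM+kCktiz5ox3Jj5mon0CDkYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBh
MC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
MC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAXBgNVHREEEDAOggwqLmNobnlwYy5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwB
AgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxl
dHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRl
IG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQg
b25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBm
b3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzATBgor
BgEEAdZ5AgQDAQH/BAIFADANBgkqhkiG9w0BAQsFAAOCAQEAOMBN8oTekScPCkXS
uyszlFGeHpiLNKU7i0KWx901c+D7C8bxq7RljVWVg7qwUdrj7aPtTK8wyzZ9Is5F
zNWiVO80Fe+LTb1X9VdEz9GQfllu9pnqevsbe8n+lKCBv5+32FoEkjd4jBifcWaT
edwAerDq90/GoO3bUGwdAyBSkCXTgDWqPuBVofqmz1Q6QDvMXVQQgLwLW+s2SRq1
bNJGbwXj5/zdJsdDFwSKOS29a3HDpyp4/lV7LOK7kiCpZRg4uaIr8pRW7x604mLY
yp8f2c9Y7c2LwEeiyCy3xu9JSVaTY1YUuL8W9gQjm/OttXUP5nclwAWh/jcgJ+G/
2hl+SQ==
-----END CERTIFICATE-----"""

# DER encodings (tag 06, length 0a, contents) of the RFC 6962 extension OIDs:
# 1.3.6.1.4.1.11129.2.4.3 = precertificate poison (precertificates only),
# 1.3.6.1.4.1.11129.2.4.2 = embedded SCT list (final certificates only).
PRECERT_POISON_OID = bytes.fromhex("060a2b06010401d679020403")
EMBEDDED_SCT_OID = bytes.fromhex("060a2b06010401d679020402")


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos (single-byte tags); return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV packed in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _tbs_fields(der):
    """Iterate the fields of tbsCertificate (Certificate ::= SEQUENCE { tbsCertificate, ... })."""
    tag, cert_start, _ = _read_tlv(der, 0)
    tag2, tbs_start, tbs_end = _read_tlv(der, cert_start)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER X.509 certificate")
    return _children(der, tbs_start, tbs_end)


def serial_number_hex(der):
    """Serial as lowercase hex without colons: the <serial> in the thread's acme/cert/<serial> URL."""
    fields = _tbs_fields(der)
    tag, vs, ve = next(fields)
    if tag == 0xA0:  # optional [0] EXPLICIT version comes before serialNumber
        tag, vs, ve = next(fields)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # DER adds a leading 0x00 when the top bit is set; it is not part of the serial value.
    return der[vs:ve].lstrip(b"\x00").hex()


def extension_oids(der):
    """Raw DER OID encodings of every extension in the [3] EXPLICIT extensions field."""
    for tag, vs, ve in _tbs_fields(der):
        if tag == 0xA3:
            _, seq_start, seq_end = _read_tlv(der, vs)  # SEQUENCE OF Extension
            oids = []
            for _, ext_start, _ in _children(der, seq_start, seq_end):
                _, _, oid_end = _read_tlv(der, ext_start)  # an Extension's first field is its OID
                oids.append(der[ext_start:oid_end])
            return oids
    return []


def is_precertificate(der):
    """True when the CT poison extension is present. A precertificate's bytes differ from the
    issued certificate's, so sending it to the CA's revoke endpoint does not match any issued
    certificate; that is what the 'No such certificate' error above reflects."""
    return PRECERT_POISON_OID in extension_oids(der)


def has_embedded_scts(der):
    """True for a final certificate that carries its SCT list (never true for a precertificate)."""
    return EMBEDDED_SCT_OID in extension_oids(der)


def serial_from_crtsh(colon_hex):
    """crt.sh displays serials as '03:24:2f:...'; the ACME URL wants them bare and lowercase."""
    return colon_hex.replace(":", "").lower()
```

Run it on any PEM downloaded from crt.sh before attempting a revocation: if `is_precertificate` is true, the file is the precertificate and the final certificate (same serial, SCT list instead of the poison extension) is the one to revoke.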

Good catch @jmorahan

@cpu @jmorahan, thanks to both. It's working correctly.

I guess the document must be updated :slight_smile:


@cpu @jmorahan

Last question.

I have multiple issued certificates for the wildcard *.chnypc.net, and to revoke this certificate without any key I must create a new certificate for *.chnypc.net.

So to revoke it I run this command: "certbot certonly --manual --preferred-challenges=dns -d *.chnypc.net"

and it gives this error:

Error finalizing order :: too many certificates already issued for exact set of domains: *.chnypc.net

How can I revoke this certificate?

PS: the other certificates have been revoked successfully.

You don't have to create a new certificate. You have to complete most of the steps of creating a new certificate: you have to validate the names, but don't have to issue a certificate. Some ACME clients may make it difficult or impossible to do one without also doing the other.

At this point, you can just do it. Validation succeeded. It failed at a later step in the process.

Do you need to issue any more certificates for that exact set of names?

There is no error during the validation process.

Yes, because I don't have any certificate key or account key for this (*.chnypc.net) domain.

That rate limiting error happens when 5 certificates have recently been issued for the exact set of names. Can you use one of them?

