Certificate Revoke Error. The request message was malformed :: No such certificate

My domain is: chnypc.net

I ran this command: certbot revoke --cert-path 1.pem

It produced this output: The request message was malformed :: No such certificate

My web server is (include version): --manual

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


I'm trying to revoke my old certificate without the certificate key or account key, following this article: https://letsencrypt.org/docs/revoking/#using-a-different-authorized-account, but I'm getting this error:

The request message was malformed :: No such certificate

My certificates;

Hi @chnypc

Could you share the contents of 1.pem in this thread?

Are you also providing the --key-path /PATH/TO/key.pem argument? (Please don't post the contents of this one in the thread!)

Hi @cpu

Pem file is below.

I don't have the key file; I deleted it, and I'm getting an error when I apply this directive (https://letsencrypt.org/docs/revoking/#using-a-different-authorized-account).

I have created a new SSL certificate with the same domain and with a non-existing domain.

[root@webserver ssls]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: chnypc.net
Domains: chnypc.net acme.chnypc.net le.chnypc.net www.chnypc.net
Expiry Date: 2018-12-17 07:30:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/chnypc.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/chnypc.net/privkey.pem

[root@webserver ssls]# certbot revoke --cert-path 1.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.


letsencrypt.log.txt (9.9 KB)

Hi @chnypc,

Thanks for the additional information!

You can't revoke the certificate using --cert-path without having the certificate's private key or having valid authorizations for every domain in the certificate as well, or anyone could revoke any certificate.

Can we take a step back: Why are you trying to revoke this certificate? Unless you think the private key has been compromised I recommend that you don't revoke the certificate.

If you absolutely must revoke the certificate you should share the error you're receiving when following the "using a different authorized account" instructions. That's the only process that will let you revoke the certificate without the original private key.

Hi again @cpu,

I should revoke all the certificates. How can I do validation for every domain in the certificate?

Following the instructions from "Using a different authorized account".

What are the domain names on each certificate? How did you issue them originally using Certbot?

I issued the certificates using a PHP API client.

Now, for example, I'm trying to revoke this certificate.

This certificate does not have a common name other than le.chnypc.net, and I don't have any private or public key.

I'm creating a new SSL certificate with this command:
certbot certonly --manual --preferred-challenges=dns -d le.chnypc.net

Downloading the PEM from crt.sh:
wget "https://crt.sh/?d=724245747" -O test.pem

and trying to revoke the certificate:
[root@webserver pem]# certbot revoke --cert-path test.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

and with a non-existing domain:

certbot certonly --manual --preferred-challenges=dns -d le.chnypc.net -d nonexistent.chnypc.net

[root@webserver pem]# certbot revoke --cert-path test.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

I think I'm making a basic error but I can't find it; maybe I didn't understand the document correctly.

Were you using the HTTP-01 or DNS-01 support with this client?

What is the output from this command? I suspect this isn't completing successfully. Are you adding the TXT record that Certbot prompts you to add?

I'm using the DNS challenge, and the certbot commands' output was always successful. I'm attaching the logs.
letsencrypt.log.1.txt (29.1 KB)
letsencrypt.log.txt (10.7 KB)
letsencrypt.log.3.txt (10.7 KB)
letsencrypt.log.4.txt (35.7 KB)

That's a precertificate.

You'll need to find and revoke the actual certificate instead. I can't seem to find it on crt.sh though, I guess it must still be running behind. Anyone know another way? (was there a way to get a cert by serial number from ACME or something like that?)

EDIT: found it, try this

curl https://acme-v01.api.letsencrypt.org/acme/cert/03242fb17e400b625aeb160e9f9e7243d9e5 | openssl x509 -inform der -outform pem > test.pem

Hi @jmorahan

I think it works. Does it show as revoked on crt.sh? And how can I generate the cert URL?


You mean like https://acme-v01.api.letsencrypt.org/acme/cert/03242fb17e400b625aeb160e9f9e7243d9e? The bit at the end is the certificate serial number, which you can find on crt.sh (it's the same for the precertificate and the actual certificate), without the colons.

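The precertificate mix-up and the serial-to-URL step described above, as an added example that is not code from the thread, Certbot or Let's Encrypt. It flags a PEM that carries the RFC 6962 poison extension, reads the serial, and builds the URL in the form quoted in the thread; `toy_pem` produces a constructed toy structure (not a valid certificate) so the block runs offline, and all function names are hypothetical.

```python
import base64
import re
# DER bytes of OID 1.3.6.1.4.1.11129.2.4.3, the RFC 6962 precertificate poison extension.
CT_POISON_OID = bytes.fromhex("060a2b06010401d679020403")
# URL prefix as quoted in the thread; an assumption for any other CA or API version.
CERT_URL_PREFIX = "https://acme-v01.api.letsencrypt.org/acme/cert/"

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv(buf, pos):  # parse one DER TLV; returns (tag, value_start, value_end)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_hex(der):
    _, cert, _ = _tlv(der, 0)      # outer Certificate SEQUENCE
    _, tbs, _ = _tlv(der, cert)    # TBSCertificate SEQUENCE
    tag, start, end = _tlv(der, tbs)
    if tag == 0xA0:                # explicit [0] version precedes the serial
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex()

def is_precertificate(der):
    return CT_POISON_OID in der    # heuristic byte search, not a full extension walk

def cert_url_from_serial(serial):
    hexstr = serial.replace(":", "").strip().lower()  # crt.sh shows colon-separated hex
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("serial is not hexadecimal")
    return CERT_URL_PREFIX + hexstr

def _enc(tag, value):  # DER TLV builder, short-form lengths only
    return bytes([tag, len(value)]) + value

def toy_pem(serial, poisoned):
    """Constructed toy structure, not a valid certificate: version, serial, extensions."""
    ext = _enc(0x30, CT_POISON_OID + b"\x01\x01\xff" + _enc(0x04, b"\x05\x00")) if poisoned else b""
    tbs = _enc(0xA0, b"\x02\x01\x02") + _enc(0x02, bytes.fromhex(serial)) + _enc(0xA3, _enc(0x30, ext))
    der = base64.b64encode(_enc(0x30, _enc(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"
```

Running `is_precertificate(pem_to_der(...))` on a file downloaded from a CT log search before passing it to `certbot revoke` shows whether it is the precertificate entry; `serial_hex` returns the same value for both entries, which is why the serial alone is enough to build the URL.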

Good catch @jmorahan

@cpu @jmorahan, thanks to both. It's working correctly.

I guess the document must be updated :)


@cpu @jmorahan

Last question.

I have multiple issued certificates for the wildcard *.chnypc.net, and to revoke this certificate without any key I must create a new certificate for *.chnypc.net.

To revoke it I run this command: “certbot certonly --manual --preferred-challenges=dns -d *.chnypc.net”

and it gets this error:

Error finalizing order :: too many certificates already issued for exact set of domains: *.chnypc.net

How can I revoke this certificate?

PS: the other certificates have been revoked successfully.

You don't have to create a new certificate. You have to complete most of the steps of creating a new certificate: you have to validate the names, but don't have to issue a certificate. Some ACME clients may make it difficult or impossible to do one without also doing the other.

At this point, you can just do it. Validation succeeded. It failed at a later step in the process.

Do you need to issue any more certificates for that exact set of names?

There is no error during the validation process.

Yes, because I don't have any certificate key or account key for this (*.chnypc.net) domain.

That rate limiting error happens when 5 certificates have recently been issued for the exact set of names. Can you use one of them?
