Certificate Revoke Error. The request message was malformed :: No such certificate


#1

My domain is: chnypc.net

I ran this command: certbot revoke --cert-path 1.pem

It produced this output: The request message was malformed :: No such certificate

My web server is (include version): --manual

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

hi,

I’m trying to revoke my old certificate without the certificate key or account key by following this article: https://letsencrypt.org/docs/revoking/#using-a-different-authorized-account. But I’m getting this error:

The request message was malformed :: No such certificate

My certificates:
https://crt.sh/?q=%.chnypc.net


#2

Hi @chnypc

Could you share the contents of 1.pem in this thread?

Are you also providing the --key-path /PATH/TO/key.pem argument? (Please don’t post the contents of this one in the thread!)


#3

Hi @cpu

PEM file is below.

I don’t have the key file; I deleted it and am getting an error when applying this directive (https://letsencrypt.org/docs/revoking/#using-a-different-authorized-account).

I have created a new SSL certificate with the same and a non-existing domain.

[root@webserver ssls]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: chnypc.net
Domains: chnypc.net acme.chnypc.net le.chnypc.net www.chnypc.net
Expiry Date: 2018-12-17 07:30:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/chnypc.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/chnypc.net/privkey.pem


[root@webserver ssls]# certbot revoke --cert-path 1.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

1.pem:

letsencrypt.log
letsencrypt.log.txt (9.9 KB)


#4

Hi @chnypc,

Thanks for the additional information!

You can’t revoke the certificate using --cert-path without having the certificate’s private key or having valid authorizations for every domain in the certificate as well or anyone could revoke any certificate.

Can we take a step back: Why are you trying to revoke this certificate? Unless you think the private key has been compromised I recommend that you don’t revoke the certificate.

If you absolutely must revoke the certificate you should share the error you’re receiving when following the “using a different authorized account” instructions. That’s the only process that will let you revoke the certificate without the original private key.


#5

Hi again @cpu,

I should revoke all the certificates. How can I do validation for every domain in the certificate?


#6

Following the instructions from “Using a different authorized account”.

What are the domain names on each certificate? How did you issue them originally using Certbot?


#7

I issued certificates using a PHP API client.

Now, for example, I’m trying to revoke this certificate.

This certificate does not have a common name other than le.chnypc.net, and I don’t have any private or public key.

I’m creating a new SSL certificate with this command.
certbot certonly --manual --preferred-challenges=dns -d le.chnypc.net

Downloading PEM from crt.sh
wget https://crt.sh/?d=724245747 -O test.pem

and trying to revoke the certificate.
[root@webserver pem]# certbot revoke --cert-path test.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

and with a non-existing domain:

certbot certonly --manual --preferred-challenges=dns -d le.chnypc.net -d nonexistent.chnypc.net

[root@webserver pem]# certbot revoke --cert-path test.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: No such certificate
Please see the logfiles in /var/log/letsencrypt for more details.

I think I’m making a basic error but I can’t find it; maybe I didn’t understand the document correctly.


#8

Were you using the HTTP-01 or DNS-01 support with this client?

What is the output from this command? I suspect this isn’t completing successfully. Are you adding the TXT record that Certbot prompts you to add?


#9

I’m using the DNS challenge, and the certbot command output was always successful. I’m adding the logs as attachments.
letsencrypt.log.1.txt (29.1 KB)
letsencrypt.log.txt (10.7 KB)
letsencrypt.log.3.txt (10.7 KB)
letsencrypt.log.4.txt (35.7 KB)


#10

That’s a precertificate.

You’ll need to find and revoke the actual certificate instead. I can’t seem to find it on crt.sh though, I guess it must still be running behind. Anyone know another way? (was there a way to get a cert by serial number from ACME or something like that?)

EDIT: found it, try this

curl https://acme-v01.api.letsencrypt.org/acme/cert/03242fb17e400b625aeb160e9f9e7243d9e5 | openssl x509 -inform der -outform pem > test.pem

#11

Hi @jmorahan

I think it works. Does it show as revoked in crt.sh? And how can I generate the cert URL?


#12

Yes.

You mean like https://acme-v01.api.letsencrypt.org/acme/cert/03242fb17e400b625aeb160e9f9e7243d9e? The bit at the end is the certificate serial number, which you can find on crt.sh (it’s the same for the precertificate and the actual certificate), without the colons.

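The precertificate/certificate distinction drawn above can be checked locally before handing a file to certbot revoke. The following shell script is an added example, not code from the thread or from Certbot; it assumes the openssl CLI is on PATH and reuses the ACME v1 certificate URL quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PEM before "certbot revoke".
# Assumes the openssl command-line tool is installed.

# is_precert FILE -> exit 0 if FILE carries the CT precertificate poison
# extension (OID 1.3.6.1.4.1.11129.2.4.3). Such a file is the precertificate
# that crt.sh serves, not the final certificate, so the CA reports
# "No such certificate" when asked to revoke it.
is_precert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq 'CT Precertificate Poison|1\.3\.6\.1\.4\.1\.11129\.2\.4\.3'
}

# cert_serial FILE -> serial number as lowercase hex without colons, the form
# that ends the ACME certificate URL (identical for precert and final cert).
cert_serial() {
    openssl x509 -in "$1" -noout -serial 2>/dev/null |
        sed -e 's/^serial=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# acme_cert_url FILE -> certificate URL built the way the thread's curl
# command does, from the serial number of FILE.
acme_cert_url() {
    printf 'https://acme-v01.api.letsencrypt.org/acme/cert/%s\n' \
        "$(cert_serial "$1")"
}

# check_for_revoke FILE -> exit 0 if FILE is a final certificate usable with
# --cert-path; exit 1 and print where to fetch the real one if it is a precert.
check_for_revoke() {
    if is_precert "$1"; then
        echo "$1 is a precertificate; fetch the real one from $(acme_cert_url "$1")"
        return 1
    fi
    echo "$1 is a final certificate, serial $(cert_serial "$1")"
}
```

Run `check_for_revoke test.pem` on the file downloaded from crt.sh; a precertificate is reported together with the URL to fetch the issued certificate from.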

#13

Good catch @jmorahan


#14

@cpu @jmorahan, thanks to both. It’s working correctly.

I guess the document must be updated :slight_smile:


#15

@cpu @jmorahan

Last question.

I have multiple issued certificates for the wildcard *.chnypc.net, and to revoke this certificate without any key I must create a new certificate for *.chnypc.net.

And to revoke I run this command: “certbot certonly --manual --preferred-challenges=dns -d *.chnypc.net”

and it’s getting an error:

Error finalizing order :: too many certificates already issued for exact set of domains: *.chnypc.net

How can I revoke this certificate?

PS: the other certificates have been revoked successfully.


#16

You don’t have to create a new certificate. You have to complete most of the steps of creating a new certificate: you have to validate the names, but don’t have to issue a certificate. Some ACME clients may make it difficult or impossible to do one without also doing the other.

At this point, you can just do it. Validation succeeded. It failed at a later step in the process.

Do you need to issue any more certificates for that exact set of names?


#17

There is no error during the validation process.

Yes, because I don’t have any certificate key or account key for this (*.chnypc.net) domain.


#18

That rate limiting error happens when 5 certificates have recently been issued for the exact set of names. Can you use one of them?


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.