Client in manual mode revocation issue?


#1

I tested letsencrypt with “-d example.com certonly” until the rate-limiting feature was in place


You have an existing certificate that contains exactly the same domains you
requested (ref: /etc/letsencrypt/renewal/example.conf)
Do you want to renew and replace this certificate with a newly-issued one?

®eplace/©ancel:

I tried **®**eplace many times and luckily I got every time a new one.
Then I checked crt.sh and I discovered 5 active certificates(!).

My question is how and where can I see if the older certificates are revoked,
which one is currently in place?

BTW my client is letsencrypt-0.0.0.dev.20151114-1 on docker alpine linux

Thx


#2

When the client asks whether you want to replace the certificate, it’s talking about the files in /etc/letsencrypt/live. Renewed/Replaced certificates are not automatically revoked, so in theory all of them would work. You can always find the symlink to the “current” one in /etc/letsencrypt/live/example.com/cert.pem.

Old certificates are still available in /etc/letsencrypt/archive and could theoretically still be used (unless they have since expired). If all of your 5 certificates are stored the same way on your production machine, personally I would not revoke them. Any attack that exposes those certificates would also expose the current one (which wouldn’t be revoked). If you moved between machines or if some of those certificates were stored in a non-trusted environment, I’d definitely revoke them.