Delete Certificates

I am trying to remove all my Let's Encrypt certificates so that I can validate my VPS configuration, and then reinstall them all again.

My domains are: lifepngcare.org, lifepng.org, and facepress.org

I can see certificates for them at the Google Transparency Reports website.

I am having issues with Linode support and may move to DigitalOcean soon, because all my websites are down, and I am not getting great support from them. Actually, I had uninstalled the certbot software about seven weeks ago, and everything seemed to be working fine.

This is what happened recently: I received an email two days ago from letsencrypt.org, and it said "According to our records, your Let's Encrypt software client renewed a TLS/SSL cert recently using the ACMEv1 protocol" -- and it references only an IPv6 address of my VPS. So, I was surprised that my VPS client had made such a request, since I had uninstalled the certbot software and updated and re-enabled (a2ensite) my virtualhost files to not use the certs.

I hadn't even touched my server configuration for about 30 days, but then I found that none of the domains were working...they had been fine.

So, I need to clean up the certs as shown by the Google Transparency Reports website, and then confirm that my virtualhost websites are working, then re-enable the Let's Encrypt stuff again...because I do like it, and definitely need it due to an upcoming CMS rollout...I need to protect the admin logon web page; naturally it will use hashed passwords, but it makes sense to use SSL for such activities.

So, I hope someone can help me clean things up, and then I can try it again...or move to DigitalOcean if Linode is not up to the task of support. I have reinstalled and run "certbot delete" several times, but nothing seems to affect what the Google Transparency website is showing. So, I need to make sure it's clean first, and then I can confirm that my regular HTTP setup is working. Thanks for the help.

2 Likes

Hi @kennedypj

You have used ACME v1 earlier.

If you don't use that now, ignore the mail. Nothing to do.

CRT-logs are append-only; you can't delete certificates there. Completely irrelevant.

Switch to your new hoster and create a new certificate. That's all.

2 Likes

Welcome to the Let's Encrypt Community, Patrick 🙂

We're more than happy to help.

What does sudo certbot certificates say? That will tell you which certificates actually exist (and are managed by certbot) on your server. That does not necessarily mean that any of those certificates are actually installed to be served by your websites. For that, your webserver configuration must reference the certificates and private keys. CRT logs indicate certificates that have been generated by the CA. Absolutely nothing that you do will ever change those logs (aside from having more certificates generated by trusted CAs).

1 Like

But since I uninstalled certbot, and removed /etc/letsencrypt, and removed SSL and rewrite insertions from the virtualhost files...will I be able to view websites as non-secure http? Given that the Google website shows various certs for my domains, I need to remove those listed certs.

1 Like

Please read what Certificate Transparency actually is. In fact, it has nothing to do with the current configuration of your website, only with issued certificates in the past.

Two of your websites (the lifepng ones) have an HTTP to HTTPS redirect in place, but non-functional HTTPS. Thus, those sites are down.

2 Likes

Well, sudo certbot certificates says


No certs found


I don't have the crt.sh bash file, although it seems odd that it would redirect to the string of the domain name. I do have log files at /var/log/letsencrypt/letsencrypt.log. Various errors are shown, such as DEBUG:certbot.plugins.disco:Misconfigured PluginEntryPoint#apache: Error while running apache2ctl configtest. Action 'configtest' failed.

I uninstalled everything, and then I successfully reinstalled it. But I wasn't watching the log file as I was attempting to regenerate certs.

~Pat

2 Likes

I understand it's issued certificates in the past, which some may be valid, and others expired. Are the certs on my server like private keys, public keys, or both? I would guess like public keys. Who holds the private keys? I suppose it would be somehow related to the DNS infrastructure.

2 Likes

crt.sh is a website: https://crt.sh It's a Certificate Log Aggregator.

2 Likes

The certificates were on your server, but you said you've deleted them. The certificates are also publicly downloadable from a few certificate logs. The public keys are embedded in the certificates.

You and only you did. You've deleted them you said, so those are gone. (Unless you've made a backup yourself.)

I'm failing to see the link with DNS here?

2 Likes

I see...that's cool. So, there's a lot more certs from November 15th.

And since I deleted all the certs locally each time, wouldn't that be a problem? How do we purge the infrastructure certs...the "keys" held elsewhere?

1 Like

A problem with what exactly?

You mean from the Certificate Logs and from sites like crt.sh? You can't, as @JuergenAuer already pointed out earlier. Why would you even want that?

Which keys? The public keys? I don't see why that's interesting nor a problem?

I still get the feeling you don't quite understand how certificates work, what they really are, what public keys are, what private keys are. I suggest you search some basic information about the web public key infrastructure (PKI), certificates and certificate logs.

Perhaps it's also better to explicitly tell us what you're trying to get done and with "done" I mean: the end result. Not anything about certificate logs, the DNS infrastructure or whatever you might have thought up. No, I mean the actual end result. Because if it's "I want my websites to get running without HTTPS", your Facepress site is good to go, but as I said earlier, your lifepng-sites have an HTTP to HTTPS redirect, which is a problem if HTTPS isn't working. You should remove the redirect if you want the site to work through HTTP.

2 Likes

If I don't have the certs, can I still have users view the given website as plain HTTP?

1 Like

Please read the three hours old answer:

Remove your redirects if you don't have certificates.

2 Likes

I didn't see this one..."Remove your redirects if you don't have certificates." How do you remove the redirects? Great, thank you.

2 Likes

That's a webserver configuration. See the appropriate Apache configuration file.

2 Likes
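Added example, not part of any post in this thread: a small audit of Apache virtual host text for the two leftovers discussed above, a plain-HTTP vhost that still sends visitors to https:// and SSLCertificate* directives pointing at files that no longer exist. The sample configuration, the example.org names and the `audit` function are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Constructed sample (not the poster's config): a port-80 vhost that still sends
# visitors to HTTPS, and a 443 vhost whose certificate files were deleted.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.org [OR]
    RewriteCond %{SERVER_NAME} =www.example.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
NAME = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.I | re.M)
TLS_ON = re.compile(r"^[ \t]*SSLEngine[ \t]+on\b", re.I | re.M)
TO_HTTPS = re.compile(
    r"^[ \t]*(?:Redirect(?:Permanent|Temp|Match)?|RewriteRule)\b.*\bhttps://.*$",
    re.I | re.M)
CERT = re.compile(r'^[ \t]*SSLCertificate(?:Key|Chain)?File[ \t]+"?([^\s"]+)', re.I | re.M)

def audit(conf_text, exists=lambda p: Path(p).exists()):
    """Return (server, listen, kind, detail) for each leftover HTTPS setting."""
    findings = []
    for listen, body in VHOST.findall(conf_text):
        name = NAME.search(body)
        server = name.group(1) if name else "(no ServerName)"
        if not TLS_ON.search(body):  # plain-HTTP vhost: should not bounce to HTTPS
            for m in TO_HTTPS.finditer(body):
                findings.append((server, listen.strip(), "redirects-to-https", m.group(0).strip()))
        for m in CERT.finditer(body):  # referenced cert/key must exist on disk
            if not exists(m.group(1)):
                findings.append((server, listen.strip(), "missing-file", m.group(1)))
    return findings

if __name__ == "__main__":
    paths = sys.argv[1:]  # vhost files to check; with none given, use the sample
    texts = [Path(p).read_text() for p in paths] or [SAMPLE_CONF]
    for text in texts:
        for finding in audit(text):
            print(*finding, sep="\t")
```

It only reads `<VirtualHost>` blocks in the text it is given; redirects set in .htaccess files or in included files are not followed.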

If you mean mod_rewrite rules, for the 2 lifepng*.org sites, there are no such rules in effect.

So, I still don't really know why lifepng.org and lifepngcare.org are not working yet. I don't get much support from Linode more than just "redirection" as well -- so, I think I need to move on to DigitalOcean.

2 Likes

They are working.

Clean your browser cache.

2 Likes

@kennedypj

I too see that all three websites are responding well (with the same content) over HTTP. Why did you want to remove HTTPS, if you don't mind my asking?

1 Like

I didn't have the time to deal with all the mod_rewrite issues. I had a good book on Apache mod_rewrite, but it's still new to me. With Linode, I've struggled to get both the domain and the www.domain working anytime something changes. But thru this process, I did notice variations of how Certbot created the mod_rewrite rules, including support for both www and base domain.

Currently, I'm in Ethiopia with just a hotspot WiFi connection thru an iPhone, so I am still not getting good results pulling down the websites, but I'm happy to hear it's almost working.

I will add LetsEncrypt back after I get a new ISP connection and switch to DigitalOcean.

2 Likes

You generally want to avoid using rewrites as much as you can. I know certbot uses selective rewrites because it doesn't try to understand your full configuration. It is better to use redirects when possible.

Here are your best friends for this:

2 Likes