Dismiss a domain and relative certificate procedure (certbot)

Hi Friends,
I’m wondering how to correctly remove a single-domain Let's Encrypt certificate.
I’ve read this tutorial, which describes this procedure:

  1. certbot -delete [sitename]

  2. rm -rf /etc/certbot/archive/[sitename]/
     rm -rf /etc/certbot/live/[sitename]/
     rm -rf /etc/certbot/renewal/[sitename].conf

  3. certbot revoke -d [sitename]

Is this procedure correct?

Many many thanks!

Davide

No.

As you can read from that "tutorial", it was written in 2016. And it says the delete feature is still "an issue" (i.e., a feature wanted, but not implemented yet).

In the meantime, it has been more than a year since that tutorial was written. And the delete feature has been implemented, but not the same way as the tutorial suggests.

You can read about deleting certificates in the certbot userguide in the part about revoking certificates. (Which is odd by the way, because revoking is NOT necessary if the private key hasn't been leaked.)

I would suggest using certbot certificates to identify the correct cert-name to delete and after you're sure you have identified the correct certificate, use the commands in the link above to delete it. And again, if the certificate's private key hasn't been leaked, there's NO reason to revoke the certificate.
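The identify-then-delete step from the reply above, as an added example that is not part of the original thread or of certbot itself: it maps a domain to its cert-name and prints the delete command only when the match is unambiguous. The function names and the sample listing are constructed for illustration, and the listing layout (`Certificate Name:` and `Domains:` lines) is assumed to match what your certbot version prints.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates` output (not from a real host).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2018-01-10 09:00:00+00:00 (VALID: 60 days)
  Certificate Name: shop.example.org
    Domains: shop.example.org example.com
    Expiry Date: 2018-01-12 09:00:00+00:00 (VALID: 62 days)
  Certificate Name: old.example.net
    Domains: old.example.net
    Expiry Date: 2018-01-15 09:00:00+00:00 (VALID: 65 days)
EOF
}

# cert_names_for DOMAIN (hypothetical helper): read the listing on stdin and
# print the name of every certificate whose Domains line lists DOMAIN exactly.
cert_names_for() {
    awk -v want="$1" '
        $1 == "Certificate" && $2 == "Name:" { name = $3 }
        $1 == "Domains:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print name; break }
        }'
}

# delete_plan DOMAIN (hypothetical helper): print (never run) the delete
# command, and only when exactly one certificate lists DOMAIN; otherwise
# refuse with status 1 so the operator picks the cert-name by hand.
delete_plan() {
    names=$(cert_names_for "$1")
    count=$(printf '%s\n' "$names" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 1 ]; then
        echo "certbot delete --cert-name $names"
    else
        echo "refusing: $count certificates list $1, pick the cert-name by hand" >&2
        return 1
    fi
}

# On a real host: certbot certificates | delete_plan old.example.net
sample_output | delete_plan old.example.net
```

A matching certificate may also cover other domains, so check its `Domains:` line before running the printed command.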

Ah, thanks @Osiris! Now I'm clearer.

In relation to your hint:

it is not clear to me how to use certbot certificates,
because running

certbot certificates

I obtain:

certbot: error: unrecognized arguments: certificates

I'm using certbot 0.8.1-2

Many thanks again!

Davide

Holy ***...

You realise that version is more than a year old?!?

Uh, oh…
Well, I’ve upgraded and now certbot certificates correctly shows all certificates :roll_eyes:

Just one more question: in /etc/crontab, could I comment out the lines

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

if I already have this configuration from crontab -e:

0 */12 * * * /usr/bin/certbot renew --renew-hook "/usr/sbin/service apache2 reload" --quiet

Thanks for the patience :slight_smile:

You shouldn’t edit /etc/crontab manually, always use crontab -e.

Why do both methods differ? I don’t know :stuck_out_tongue:

Did you run crontab -e as root?

If you have systemd, the cron job doesn’t run and a systemd timer is used instead.

Sure! And not from sudo!

Ah, so I can comment out /etc/crontab entirely, is that true?

Many thanks to all! :slight_smile:
