Dismiss a domain and relative certificate procedure (certbot)

Hi Friends,
I’m wondering how correctly remove a single domain Letsencrypt certificate.
I’ve read this tutorial where describe this procedure:

  1. certbot -delete [sitename]

  2. rm -rf /etc/certbot/archive/[sitename]/ rm -rf /etc/certbot/live/[sitename]/ rm -rf /etc/certbot/renewal/[sitename].conf

  3. certbot revoke -d [sitename]

is it correct this procedure?

Many many thanks!

Davide

No.

As you can read from that “tutorial”, it was written in 2016. And it says the delete feature is still “an issue” (i.e., a feature wanted, but not implemented yet).

In the mean time, it has been more than a year since that tutorial was written. And the delete feature has been implemented, but not the same way as the tutorial suggests.

You can read about deleting certificates in the certbot userguide in the part about revoking certificates. (Which is odd by the way, because revoking is NOT necessary if the private key hasn’t been leaked.)

I would suggest using certbot certificates to identify the correct cert-name to delete and after you’re sure you have identified the correct certificate, use the commands in the link above to delete it. And again, if the certificates private key hasn’t been leaked, there’s NO reason to revoke the certificate.

Ah, thanks @Osiris! Now I'm clearer.

In relation to your hint:

is not clear for me how use certbot certificates,
because running

certbot certificates

obtain:

certbot: error: unrecognized arguments: certificates

I'm using certbot 0.8.1-2

Many thanks again!

Davide

Holy ***…

You realise that version is more than a year old?!?

Uh, oh…
Well, I’ve upgraded and now certbot certificates show correctly all certificates :roll_eyes:

Only one question again: on /etc/crontab could I comment the lines

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

If from crontab -e I already have this configuration:

0 */12 * * * /usr/bin/certbot renew --renew-hook "/usr/sbin/service apache2 reload" --quiet

Thanks for the patience :slight_smile:

You shouldn’t edit /etc/crontab manually, always use crontab -e.

Why both methods differ? I don’t know :stuck_out_tongue:

Did you run crontab -e as root?

If you have systemd, the cron job doesn’t run and a systemd timer is used instead.

Sure! And not from sudo!

Ah, so I can comment totally /etc/crontab, is it true?

Many thanks to all! :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.