How to revoke a certificate? (I have lost the private key)


#1

I lost access to my VPS. How can I revoke my certificate?


#2

I think you need either your account’s private key or your domain private key. Have you lost both? No backups?


#3

How exactly did you lose access?

Your options differ greatly based on what happened.

If the data is all gone, you’re going to need a different CA for at least 3 months.

If someone jacked your passwords, contact the hosting provider.


#4

“If the data is all gone, you’re going to need a different CA for at least 3 months.”

That I was looking for! Thanks.


#5

Hello,

First post. I’m in the same boat. I reformatted the server… no keys. Then I went through the process again and was issued a new challenge. Then again, and received a new challenge for the TXT record… So does this mean I need to wait 90 x 3 days before the dust settles?


#6

No.

What do you want to do? What have you done? Are you receiving an error message?

If you want to issue a new certificate, Let’s Encrypt (now) has no problem issuing multiple certificates using different ACME accounts. You can pretend your old server never existed and just create a new one. Right now.

If you’ve reached a rate limit, you may have to wait up to 1 week, but some of them are shorter, or can be worked around.

You said you “went through the process again”. Do you mean that you’ve completed it and have a new certificate?

Since you’re using a new ACME account, the challenge values will certainly be different. That’s not a problem. (Even if you had saved your account files, the old authorizations may have expired anyway.)

Do you need to revoke any old certificates, because you no longer control the names, or the private keys were compromised? (Revealed to someone unauthorized, not just permanently deleted.) If so, it’s possible to do that without the old private keys or old account.


#7

I want to get a reissue.

I used certbot successfully 3 times. I received new ACME challenges and put them in a TXT record. Still not secure. Keys were not stolen; I was sloppy. Should I go through the process again and get the Congratulations message telling me to save the files in /etc/letsencrypt?

Thank you


#8

Looking forward to more and more replies!!


#9

Can you explain what’s wrong? Are you receiving an error message? If so, from what? What is it?

It sounds like you have a new certificate – or three, which is approaching the duplicate certificate rate limit – but your web server or other software may or may not be configured to use it.

If Certbot said “congratulations”, that should mean it already saved the files, and you don’t have to do anything else. (Except, possibly, configure your other software.)

If you already have one or more certificates, you shouldn’t issue unnecessary duplicates.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#10

Hi,

artgoodman.com is the domain.

Looks like I did it 4x from the crt.sh search link you sent.
I did save the /letsencrypt folder from 12/10/2018 9:30am PST. The server has been deleted. I parked artgoodman.com and am now using the artgoodman.net domain. Thought maybe I could point… but that doesn’t work. Suggestions?


#11

What do you mean by “point” and “doesn’t work”?


#12

Forward artgoodman.com to artgoodman.net. With artgoodman.com the warning window comes up… I thought I would get a new certificate with artgoodman.net, then forward .com to it. If I can get .com back with the Let’s Encrypt files I have… that’s what I’d like.


#13

If you want https://artgoodman.com/ to work – even if it’s only to send an HTTP redirect – you’ll need a certificate for artgoodman.com.

It looks like you issued two certificates, each for the names artgoodman.com and *.artgoodman.com, in recent weeks. (crt.sh lists them twice due to Certificate Transparency stuff.)

If you still have the keys, great.

If you can just put the /etc/letsencrypt/ directory back in place, perfect. (If you were using a different ACME client, restoring its configuration directory would probably also be perfect.)

It might be easier to just issue a new certificate, especially if your new server already has other certificates set up. In particular, issuing a new certificate tests that all of the configuration details are correct and that renewing it will (probably) work in the future.
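The “approaching the duplicate certificate rate limit” remark in #9 and the “crt.sh lists them twice” note in #13 can be checked against crt.sh’s JSON output. The script below is an added example, not code from this thread or from Let’s Encrypt or crt.sh: it collapses each precertificate/final-certificate pair (both carry the same serial number) into one issuance, then counts how many certificates for each exact set of names were issued in the trailing 7 days, which is the quantity the duplicate certificate limit is measured on. The crt.sh field names are assumed from its JSON output (`https://crt.sh/?q=example.com&output=json`), the sample records are constructed for example.com, and the limit of 5 per week is the value in force when the thread was written.

```python
import json
from datetime import datetime, timedelta

# Assumption: Let's Encrypt's duplicate-certificate limit is 5 per exact name
# set per rolling 7-day window, the value in force when this thread was written.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)


def _entry(entry_id, names, not_before, serial):
    """Build one row in the shape of crt.sh's JSON output (constructed data)."""
    return {
        "id": entry_id,
        "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
        "common_name": names[0],
        "name_value": "\n".join(names),  # crt.sh joins SAN entries with newlines
        "not_before": not_before,
        "not_after": "2019-03-14T00:00:00",
        "serial_number": serial,
    }


# Constructed sample: every issuance appears twice, once as the precertificate
# logged for Certificate Transparency and once as the final certificate, both
# with the same serial number. Four issuances for the wildcard set fall inside
# the last week, one is a month old, and one is for a different name set.
WILDCARD_SET = ["example.com", "*.example.com"]
_ISSUANCES = [
    ("2018-11-10T09:00:00", "03A1"),
    ("2018-12-10T17:30:00", "03B2"),
    ("2018-12-11T08:15:00", "03C3"),
    ("2018-12-12T12:00:00", "03D4"),
    ("2018-12-14T21:45:00", "03E5"),
]
SAMPLE_ENTRIES = []
for n, (nb, serial) in enumerate(_ISSUANCES):
    SAMPLE_ENTRIES.append(_entry(2 * n, WILDCARD_SET, nb, serial))      # precert
    SAMPLE_ENTRIES.append(_entry(2 * n + 1, WILDCARD_SET, nb, serial))  # final cert
SAMPLE_ENTRIES.append(_entry(100, ["www.example.com"], "2018-12-13T10:00:00", "04F6"))
SAMPLE_CRTSH_JSON = json.dumps(SAMPLE_ENTRIES)


def parse_crtsh(json_text):
    """Return one (serial, name set, not_before) per certificate, collapsing
    precert/final pairs that share a serial number and name set."""
    certs = {}
    for row in json.loads(json_text):
        names = frozenset(n.strip().lower() for n in row["name_value"].split("\n") if n.strip())
        key = (row["serial_number"].lower(), names)
        certs.setdefault(key, datetime.fromisoformat(row["not_before"]))
    return [(serial, names, nb) for (serial, names), nb in certs.items()]


def count_recent(issuances, now, window=WINDOW):
    """Count certificates per exact name set with not_before in [now - window, now]."""
    counts = {names: 0 for _s, names, _nb in issuances}
    for _serial, names, not_before in issuances:
        if now - window <= not_before <= now:
            counts[names] += 1
    return counts


def duplicate_limit_report(json_text, now, limit=DUPLICATE_LIMIT):
    """Map each sorted name tuple to (issued in window, issuances left before the limit)."""
    report = {}
    for names, n in count_recent(parse_crtsh(json_text), now).items():
        report[tuple(sorted(names))] = (n, max(limit - n, 0))
    return report


def sample_report():
    """Run the report over the constructed sample as of 2018-12-17 00:00 UTC.
    crt.sh timestamps are UTC without a suffix, so a naive UTC 'now' is used."""
    return duplicate_limit_report(SAMPLE_CRTSH_JSON, datetime(2018, 12, 17))


if __name__ == "__main__":
    for names, (n, left) in sample_report().items():
        print(f"{', '.join(names)}: {n} issued in the last 7 days, {left} left before the limit")
```

Only certificates with exactly the same set of names count against each other, so the www.example.com certificate in the sample does not add to the wildcard set’s total; a real run would fetch the JSON for the domain and pass the current UTC time instead of the fixed date.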


#14

OK, I’ll set up a new certificate. I assume this can be done even when the domain is parked or being transferred? Thank you.


#15

It depends. HTTP validation can’t work when you don’t have A or AAAA records. (CNAME records involved or not.)

DNS validation will work if you can set the challenge TXT records at whatever the current DNS service is.


#16

OK, I understand. Thank you… you’ve been a great help.

Goodbye 🙂