How to revoke the let’s encrypt certificate from 34sp.com


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
qinwenhu.com

My hosting provider, if applicable, is:

According to the information present on your website, I chose 34sp.com to host my domain and it generates the Let’s Encrypt certificate automatically. My question is: if I want to revoke my current certificate, how should I configure it? My 34sp.com control panel allows me to remove the certificate. I don’t have a private key for this certificate. Besides, I don’t have a credential for this certificate.

I am just wondering if anyone can provide some suggestions. Thanks


#2

Hi,

There’s rarely a need to revoke the certificate (if it’s not compromised).
However, you could do that from the command line (the machine you execute the command on should have the domain pointed to it).

You’ll first need to validate that you control the domain by passing the validation for certificate issuance, then execute the certbot revoke command with the certificate’s public key…

Thank you


#4

Hi Steven,

Thank you very much for your response. I am very new to building my own website. I chose 34sp.com to host my website. The website is built with WordPress and the certificate is automatically generated by Let’s Encrypt. I read the link from your response, but I cannot find the ACME client in my control panel.


#5

You don’t need access to the ACME client that your host used, you can revoke a certificate using a different ACME client (like Certbot) and ACME account.

Are you sure you really need to revoke the certificate? If your domain is pointing to a web host, then it’s entirely reasonable for that web host to automatically issue a certificate for you. Increasingly, all web hosts are doing this. If you do not trust your host with a certificate, then you probably shouldn’t be using the host at all - they can do much worse things than that.


#6

Hi _az,
Yes, I want to revoke my current certificate for proving our POC. The website is a test domain. I tried your suggestion and ran the command with my domain:
certbot certonly --manual --preferred-challenges=dns -d ${YOUR_DOMAIN} -d nonexistent.${YOUR_DOMAIN}
But I got the error that the authorization procedure failed, because of NXDOMAIN looking up TXT for _acme-challenge.www.test.com

Do you have any ideas why?


#7

Could you share the /var/log/letsencrypt/letsencrypt.log from your last attempt?


#8

Hi _az
I don’t have this folder. I hosted a WordPress template on 34sp.com; the Let’s Encrypt certificate is generated by them.


#9

If you ran this command:

then the directory should exist.


#10

Domain: www.qinwenhu.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.qinwenhu.com

Domain: nonexistent.www.qinwenhu.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nonexistent.www.qinwenhu.com
2018-08-02 21:14:10,124:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.qinwenhu.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.qinwenhu.com, nonexistent.www.qinwenhu.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nonexistent.www.qinwenhu.com

2018-08-02 21:14:10,124:DEBUG:certbot.error_handler:Calling registered functions
2018-08-02 21:14:10,124:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-02 21:14:10,125:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1364, in main
return config.func(config, plugins)
File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1254, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.qinwenhu.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.qinwenhu.com, nonexistent.www.qinwenhu.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nonexistent.www.qinwenhu.com


#11

I have added the new TXT record in my DNS configuration, but it may take time to update the new record.


#12

The Let’s Encrypt validation server directly queries your name servers, so it might not take that long to propagate…

(Normally less than 3 minutes from adding the records)


#13

Hi stevenzhu,
Yes, I have modified my DNS record, and I can see the new record in my control panel,

but when I try to use 'dig -t txt _acme-challenge.nonexistent.www.qinwenhu.com', I cannot see any answer.


#14

In almost all DNS control panels, you just enter the host name, not the FQDN, for the record. For example, if I was managing DNS for example.com, I would add the TXT record at _acme-challenge. If I added it as _acme-challenge.example.com, the record would actually apply to _acme-challenge.example.com.example.com.

So, in your instance, you should remove the qinwenhu.com portion of that record name, leaving just _acme-challenge.nonexistent.www and _acme-challenge.www.
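As an added example (not code from the thread or from 34sp.com), the following Python models the relative-name behaviour described in this post, so you can check what a panel entry actually resolves to before Let's Encrypt queries it. The panel behaviour (a name without a trailing dot gets the zone appended) and the zone name qinwenhu.com used as sample input are assumptions.

```python
# Added example: model how a DNS control panel expands a typed record name
# relative to the zone, and compare it with the name a dns-01 challenge queries.
# Assumes the panel behaviour described in the thread (name + "." + zone).

def effective_fqdn(entered: str, zone: str) -> str:
    """Return the fully-qualified name the panel creates for `entered`."""
    zone = zone.rstrip(".").lower()
    name = entered.strip().lower()
    if name.endswith("."):          # absolute name: used exactly as typed
        return name.rstrip(".")
    if name in ("", "@"):           # zone apex
        return zone
    return f"{name}.{zone}"         # relative name: zone is appended

def panel_name_for(fqdn: str, zone: str) -> str:
    """Return the relative name to type into the panel to create `fqdn`."""
    zone = zone.rstrip(".").lower()
    fqdn = fqdn.rstrip(".").lower()
    if fqdn == zone:
        return "@"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]

def dns01_txt_name(domain: str) -> str:
    """TXT name the validator queries for a dns-01 challenge on `domain`."""
    return "_acme-challenge." + domain.rstrip(".").lower()

def diagnose(entered: str, zone: str, validated_domain: str):
    """Check whether a panel entry lands where the dns-01 challenge looks.

    Returns (ok, message); on a mismatch the message names the correct entry.
    """
    wanted = dns01_txt_name(validated_domain)
    got = effective_fqdn(entered, zone)
    if got == wanted:
        return True, f"OK: {entered!r} creates {got}"
    return False, (f"Mismatch: {entered!r} creates {got}, but the validator "
                   f"queries {wanted}; enter {panel_name_for(wanted, zone)!r}")

if __name__ == "__main__":
    # Constructed sample: the FQDN entry from the thread versus the fixed one.
    for typed in ("_acme-challenge.www.qinwenhu.com", "_acme-challenge.www"):
        print(diagnose(typed, "qinwenhu.com", "www.qinwenhu.com")[1])
```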


#15

If you don’t want to issue a certificate, you shouldn’t create the _acme-challenge.nonexistent.www record, though. If you want to trick your client into validating the other names but not issuing a certificate, you have to add a name that will intentionally fail to validate.

