Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: *.internal.sektorcert.dk
I ran this command:
Never ran a command; I am using Proxy Manager and the DNS challenge.
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I need to revoke this; it was a mistake. Can I use a command to revoke and delete this cert?
This is interfering with other entries.
You need to give a lot more details about what you're trying to do. Revoking isn't "deleting" in any way, it's a way to add information to say that a certificate shouldn't be trusted anymore because its key was compromised or its controller no longer controls the domain. It would be a very rare kind of "mistake" that would lead to revoking being helpful.
The point of the template that you started to fill out is so that you can show exactly what command you ran (if it's through some sort of GUI rather than a command line, a screenshot can be helpful), and can show any output that you're looking for help understanding what it means (again in text if that's what it is, or maybe a screenshot if that makes more sense).
Let's Encrypt certs are free. You do NOT need to revoke certs that you made a mistake on. They are free, so just don't use it.
It's only at paid CAs that you may need to revoke certs that you made by mistake, so you don't get billed for them.
Revoking a cert will also not reclaim them when it comes to rate limits, so if you hit a rate limit due to a wrongly issued cert, you just have to wait until rate limit refills again. Note that rate limits refill continually, so you never run into the issue that you must wait until a specific "rollover time".
For new certificates per IP/domain, you just need to wait about 3.5 hours.
The only rate limit you might run into is new certificates per exact identifiers, which refills 1 per about 40 hours, which is about 2 days.
So you should never need to worry, if you make too many mistakes, just wait 2 days and you will be all set again.
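The continuous refill described in the reply above, as an added sketch that is not part of the original thread and not Let's Encrypt's own code: a token bucket using the thread's figure of about 40 hours per issuance for one exact set of identifiers. The burst capacity of 5 and the name `RefillingLimit` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EPS = 1e-9  # tolerance for floating-point credit arithmetic


@dataclass
class RefillingLimit:
    """Token bucket: up to `capacity` issuances, regaining one every `refill_hours`."""
    capacity: int         # assumed burst size; the thread does not state it
    refill_hours: float   # hours to regain one issuance (figure from the thread)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)  # time of last update, in hours

    def __post_init__(self):
        self.tokens = float(self.capacity)

    def _advance(self, now: float) -> None:
        # Credit accrues in proportion to elapsed time: there is no fixed
        # "rollover" instant at which the whole allowance resets.
        elapsed = now - self.last
        self.tokens = min(self.capacity, self.tokens + elapsed / self.refill_hours)
        self.last = now

    def try_issue(self, now: float) -> bool:
        """Spend one issuance if available. Revoking a cert never calls back
        into this object, so revocation does not return any credit."""
        self._advance(now)
        if self.tokens >= 1.0 - EPS:
            self.tokens = max(0.0, self.tokens - 1.0)
            return True
        return False

    def hours_until_next(self, now: float) -> float:
        """How long to wait from `now` until one more issuance is allowed."""
        self._advance(now)
        return max(0.0, (1.0 - self.tokens) * self.refill_hours)


if __name__ == "__main__":
    # Constructed scenario: five mistaken issuances for the same names at hour 0.
    limit = RefillingLimit(capacity=5, refill_hours=40.0)
    burst = [limit.try_issue(0.0) for _ in range(6)]
    print("burst results:", burst)                       # sixth attempt is refused
    print("wait at hour 10:", limit.hours_until_next(10.0), "hours")
    print("issue at hour 40:", limit.try_issue(40.0))
```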
Revoking a certificate doesn’t exactly work like you expect.
If you revoke it, it will go into the revocation lists. But browsers may or may not pick it up. Each browser implements revocation differently, and some will never pick up your revoked certificate unless it's for a big domain that drives a lot of traffic.
This is one of the major reasons why certificate lifetimes are being forced to be shorter. We can’t really effectively revoke a cert, so we’re just making everything shorter.
Unless your private keys have been stolen, you are probably better off just getting a new certificate and forgetting about it.
How is this a thing? It should be one line of code including a token, and then the cert should be revoked.
Well, yes. That is true.
But the list of every certificate that has been revoked is HUGE and changes often. Browsers cannot hold that full list, so they don't even try. They generate subsets of those lists for what they think are the most important.
So, in practice, even if your certificate is revoked, some of the browsers will continue to trust it. You can see this in practice at https://revoked.badssl.com/
Depending on what day you check it, either Chrome, Safari, or Firefox may allow it to load fine. (Right now my Firefox loads it without complaint).