Invalidate cert completely and detach it from a domain name

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: misc-dev.quickytools.com

I ran this command:

  • certbot certonly --manual --preferred-challenges=dns …
  • certbot revoke --cert-path …
  • certbot delete -d …

It produced this output:
All 3 commands execute as expected

My web server is (include version):
Kubernetes + nginx ingress + cert-manager

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
GKE

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.3.0

How can I invalidate this cert completely and start from scratch for my site? For example, if I look this cert up in an SSL checker I want to see it say there is no active cert. Instead I’m seeing "None of the common names in the certificate match the name that was entered …"


You have revoked and deleted a perfectly good/working cert.
Please DO NOT REVOKE CERTS when all you want is a deletion.
They are two very different things and revoking consumes resources unnecessarily.

So you delete, burn, and bury the cert and still ask:

Have I missed something? You've incinerated the cert!
What more do you think can be done to it?

I don't know how "SSL checker" works, so I can't speak to that.

Where and How do you get this error message?


I will not revoke future certs when only delete is necessary. Noted.

The SSL checker I’m using is DigiCert’s SSL Certificate Checker. If you look up the domain on there it has the warning “Certificate does not match name misc-dev.quickytools.com”. This gives a similar message to running the command wget --save-headers -O- https://misc-dev.quickytools.com

ERROR: cannot verify misc-dev.quickytools.com's certificate, issued by ‘CN=NGINXIngressController’:
  Self-signed certificate encountered.
    ERROR: certificate common name ‘NGINXIngressController’ doesn't match requested host name ‘misc-dev.quickytools.com’.
To connect to misc-dev.quickytools.com insecurely, use `--no-check-certificate'.

You are basically comparing apples to oranges.
The cert you are having “trouble” with is not the “trouble” you are seeing when connecting to that site name.
See: https://www.ssllabs.com/ssltest/analyze.html?d=misc-dev.quickytools.com

The site is serving another self-signed cert (named “NGINXIngressController”).
That has nothing to do with the LE cert (that you have deleted/revoked).

You need to review the web server settings to find out who/what/when/where/why that cert is being served.

The “web server” appears to be nginx:

curl -Iki https://misc-dev.quickytools.com/
HTTP/1.1 404 Not Found
Server: nginx/1.17.10
Date: Wed, 06 May 2020 19:17:05 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
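
The check described in the reply above (find out which certificate the server actually presents, and whether it is a self-signed default rather than the Let's Encrypt cert), as an added example that is not part of the original thread. The function names are hypothetical, and the sample certificate is constructed locally using the CN from the wget output so the demo runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report which certificate is being served.

# Fetch the leaf certificate a server presents for HOST via SNI (needs network).
# Live use: fetch_served_cert misc-dev.quickytools.com > served.pem
fetch_served_cert() {
  local host=$1 port=${2:-443}
  openssl s_client -connect "${host}:${port}" -servername "$host" \
    </dev/null 2>/dev/null | openssl x509
}

# Print whether the PEM certificate in FILE covers HOST, and whether its
# subject equals its issuer (the usual sign of a self-signed default cert).
classify_cert() {
  local pem=$1 host=$2 subject issuer match=no self_signed=no
  subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  if openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
    match=yes
  fi
  if [ "$subject" = "$issuer" ]; then
    self_signed=yes
  fi
  echo "host_match=$match self_signed=$self_signed subject=$subject"
}

# Constructed sample: a throwaway self-signed certificate with the given CN.
make_sample_cert() {
  local cn=$1 out=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${cn}" \
    -keyout "${out}.key" -out "$out" 2>/dev/null
}

# Offline demo: a cert named like the one in the wget error, checked against
# the site's hostname.
demo() {
  local dir
  dir=$(mktemp -d)
  make_sample_cert NGINXIngressController "$dir/served.pem"
  classify_cert "$dir/served.pem" misc-dev.quickytools.com
  rm -rf "$dir"
}

demo
```

A result of host_match=no with self_signed=yes means the server is presenting some other certificate of its own, so revoking or deleting the Let's Encrypt certificate cannot change what clients see.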

Hmmm ok. I’ll try and see if I can figure out why this is happening.
