Keys remain after revoking a certificate

bsutton · February 11, 2021, 10:58pm

I'm testing the revoke command with the --delete-after-revoke option.

After running the revoke the live and renewals directory are both empty as expected.

My question relates to the keys directory.

After running the revoke I see that that I still have a key file:

/etc/letsencrypt/config/keys/0000_key-certbot.pem

I would have expected the revoke command to remove this file.

Am I doing something wrong or should this file exist after running revoke?

certbot --version
certbot 1.7.0

Ubuntu 20.10

Commands:

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /tmp/cloudflare/settings.ini -m support@noojeeit.com.au -d auditor.noojee.com.au --agree-tos --manual-public-ip-logging-ok --non-interactive --work-dir=/tmp/etc/letsencrypt/work --config-dir=/tmp/etc/letsencrypt/config --logs-dir=/tmp/etc/letsencrypt/logs --staging

certbot revoke --cert-path /tmp/etc/letsencrypt/config/live/auditor.noojee.com.au/cert.pem --non-interactive -m null --agree-tos --work-dir=/tmp/etc/letsencrypt/work --config-dir=/tmp/etc/letsencrypt/config --logs-dir=/tmp/etc/letsencrypt/logs --delete-after-revoke --staging

_az · February 11, 2021, 11:11pm

Yes, --delete-after-revoke is only intended to delete the certificate lineage from /etc/letsencrypt/{archive,live,renewal}/ as a convenience, since it has no practical use after revocation, unless you want to go on to renew it.

The files written to csr/ and keys/ are not tracked by Certbot. Those directories are a sort of forensic archive and there is a plan/idea to deprecate them entirely: Deprecate /etc/letsencrypt/{keys,csr} · Issue #4634 · certbot/certbot · GitHub

griffin · February 11, 2021, 11:30pm

@_az

It really doesn't help that the certbot user guide has contradictory information:

If your account key has been compromised or you otherwise need to revoke a certificate, use the revoke command to do so. Note that the revoke command takes the certificate path (ending in cert.pem), not a certificate name or domain.

...

revoke Revoke a certificate (supply --cert-name or --cert-path)

...

revoke

Revoke a certificate specified with --cert-path or --cert-name

Additionally, why is revoke a "command" and delete a "subcommand"?

@bsutton

You might want to heed this:

Once a certificate is revoked (or for other certificate management tasks), all of a certificate’s relevant files can be removed from the system with the delete subcommand:

certbot delete --cert-name auditor.noojee.com.au

and this:

Additionally...

There's no need to continually use account-registration parameters:

-m support@noojeeit.com.au --agree-tos

This is obsolete:

--manual-public-ip-logging-ok

bsutton · February 11, 2021, 11:31pm

So it's safe to delete csr/ and keys/ at any time?

_az · February 11, 2021, 11:33pm

Only since 1.10.0, OP is still on 1.7.0.

It is safe to delete the contents of these directories, yes.

I wouldn't delete the directory itself, something bad will probably happen.

I'll rewrite it, thanks.

griffin · February 11, 2021, 11:36pm

Thanks, @_az. I might have to take Brad up on that overhaul of the user guide once I finally have adequate time.

system · March 13, 2021, 11:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.