Multiple certificate revocations for domains

Hi, would it be possible to obtain mass revocations of all SSL certificates issued under my domains?
My server recently got compromised. (I wiped it off, but didn't think of taking out /etc/letsencrypt beforehand so I can't revoke them, and I don't see all of them on crt.sh to do the "revocation from another account" method)

My domains are necord.com and pinnoto.org.

My web server is Nginx 1.19

The operating system my web server runs on is Debian 10 Buster

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

Yes, here are instructions on how to do that:

This is the best and easiest way to prove you are in control of the domain(s), which is necessary for revocation.

but I have more than a hundred of them to revoke
and yes, I obviously took a look at that page
I have to revoke approximately 90 of them on necord.com
and another 90 on pinnoto.org

Hmm, I think you could achieve these revocations pretty quickly by retrieving copies of the certificates from Certificate Transparency logs (for example, using http://crt.sh/) and then feeding them to certbot revoke with a for loop in bash or similar. Not very elegant, but it will get the job done.

# assumes the PEM files downloaded from crt.sh sit in the current directory as *.crt
for certfile in *.crt; do
  certbot revoke --reason keycompromise --delete-after-revoke --cert-path "$certfile"
done

but these are often unique subdomains though
I really have to validate each of them?
it's weird that I can't revoke a certificate with just a single domain that I authorized
I can only imagine in cases where revocation is impossible because someone issued a fraudulent certificate with both the domain name they want to target and their own

You can revoke in such cases, but you'll still need to make an API call for each certificate.

that I understand but I'm talking about certificates for which I only control some SANs

Ultimately, if you don't have the original account key, you don't have the cert private key, and you can't validate ownership of the names in the cert, you won't be able to revoke the cert via ACME. The protocol just doesn't support any other methods of revocation. Human intervention is required and I don't know if Let's Encrypt has any standard procedures to deal with a situation like that.

With a non-ACME CA, presumably there would be some sort of web or email based account verification procedure that effectively takes the place of the ACME account key. But it's still likely going to be a human assisted process.


If I recall correctly, a CA has its own responsibility with these situations. If a CA "learns" that a certain certificate's private key has been compromised, as far as I know most if not all root certificate stores require the CA to take action.

I don't know if LE has something written in their CPS which would exonerate them from these kinds of clauses from root certificate stores?

That said, the CA would need some kind of proof of course. Otherwise everybody could claim the private key for the certificate of $high_profile_site has been compromised.


That's exactly right. We ask subscribers to do self-service revocation if at all possible; we're a small team, and our mission depends on automation. If there's no alternative, then we can manually validate and revoke, as required.

Well it's not very practical to validate each SAN in a certificate to revoke it

Why not? You had to validate each SAN in order to get the cert in the first place. What's the difference?

having to manually validate each SAN with DNS especially with dozens of them is highly impractical

anyway I think I'll just let them expire
too bad for me I guess
I enabled DNSSEC as a temporary stopgap

Could you perhaps help @h4ckd0wn out? As I understand it now, he/she is having trouble revoking the certs. Or isn't practically able to.

It sounds like HTTP-01 validation won't work in your setup - is that right? Then if DNS-01 is your best option, many ACME clients (including Certbot) are able to use your DNS provider's API to manage validation records. Could that work for you?

There will be a little setup involved: getting your client set up to use the API, and writing a loop to validate control of all the hostnames, then revoke. We can help you with all of this here.

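As an added example (not code from this thread or from Certbot), a Python script that does what the bash loop earlier in the thread sketches: it pulls the crt.sh listing for a domain, keeps one id per serial number (crt.sh lists the precertificate and the final certificate as separate entries), drops expired certificates and certificates from other CAs, then downloads each PEM and hands it to certbot revoke. The crt.sh URL forms, the sample records and the /tmp path are assumptions, and it only succeeds where the ACME account running certbot holds valid authorizations for every SAN, as the replies above explain.

```python
"""Turn a crt.sh listing into certbot revoke jobs for the certificates still worth revoking."""
import json
import subprocess
import urllib.request
from datetime import datetime, timezone

CRTSH_SEARCH = "https://crt.sh/?q=%25.{domain}&output=json"  # %25 is the URL-encoded '%' wildcard
CRTSH_DOWNLOAD = "https://crt.sh/?d={id}"                    # PEM of one logged certificate

def _entry(cert_id, issuer, name, not_after, serial):
    """Build one record in the shape crt.sh's JSON output uses (constructed sample data)."""
    return {"id": cert_id, "issuer_name": issuer, "name_value": name,
            "not_after": not_after, "serial_number": serial}

LE = "C=US, O=Let's Encrypt, CN=R3"
# Constructed sample: 1001/1002 are the precertificate and final certificate of one
# issuance (same serial), 1003 has expired, 1004 was issued by a different CA.
SAMPLE = [
    _entry(1001, LE, "a.example.test", "2021-04-10T00:00:00", "03aa"),
    _entry(1002, LE, "a.example.test", "2021-04-10T00:00:00", "03aa"),
    _entry(1003, LE, "old.example.test", "2020-08-30T00:00:00", "03bb"),
    _entry(1004, "C=US, O=Other CA, CN=X", "b.example.test", "2022-02-01T00:00:00", "03cc"),
]

def select_revocable(entries, now, issuer_substring="Let's Encrypt"):
    """One crt.sh id per serial number, keeping only unexpired certs from the CA we talk ACME to."""
    chosen = {}
    for e in entries:
        if issuer_substring not in e["issuer_name"]:
            continue  # another CA's certificate cannot be revoked through this ACME account
        not_after = datetime.fromisoformat(e["not_after"]).replace(tzinfo=timezone.utc)
        if not_after <= now:
            continue  # already expired, nothing left to revoke
        chosen.setdefault(e["serial_number"], e["id"])  # first id seen for this serial wins
    return sorted(chosen.values())

def revoke_command(pem_path):
    """Flags as in the thread's loop, minus --delete-after-revoke (these PEMs are not certbot lineages)."""
    return ["certbot", "revoke", "--reason", "keycompromise", "--cert-path", pem_path]

def fetch_and_revoke(domain, now=None):
    """Live path (needs network and a working certbot): list, download, revoke. Not run by the tests."""
    now = now or datetime.now(timezone.utc)
    with urllib.request.urlopen(CRTSH_SEARCH.format(domain=domain)) as resp:
        entries = json.load(resp)
    for cert_id in select_revocable(entries, now):
        pem_path = f"/tmp/crtsh-{cert_id}.pem"
        urllib.request.urlretrieve(CRTSH_DOWNLOAD.format(id=cert_id), pem_path)
        subprocess.run(revoke_command(pem_path), check=False)  # keep going if one revoke fails
```

Run fetch_and_revoke("necord.com") from a host whose certbot account has been authorized for the names (for example via the DNS plugin mentioned above); check the certbot output for each serial afterwards.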
