Problem with stale keys

I have used the following commands to revoke and remove a previously created SSL certificate:

# acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.8
# acme.sh --revoke -d MYDOMAIN
[Fri Sep 13 07:56:34 UTC 2024] The domain 'MYDOMAIN' seems to already have an ECC cert, let's use it.
[Fri Sep 13 07:56:35 UTC 2024] Trying account key first.
[Fri Sep 13 07:56:37 UTC 2024] Successfully revoked.
# acme.sh --remove -d MYDOMAIN
[Fri Sep 13 07:56:45 UTC 2024] The domain 'MYDOMAIN' seems to already have an ECC cert, let's use it.
[Fri Sep 13 07:56:45 UTC 2024] MYDOMAIN has been removed. The key and cert files are in /root/.acme.sh/MYDOMAIN_ecc
[Fri Sep 13 07:56:45 UTC 2024] You can remove them by yourself.

Then I deleted cert.crt and private.key myself:

# ls
cert.crt  private.key
# rm -rf cert.crt private.key
#

Now that I want to use another script to acquire a Cloudflare certificate, I hit the following error:

[Fri Sep 13 08:03:50 UTC 2024] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
[Fri Sep 13 08:03:51 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Sep 13 08:03:51 UTC 2024] Creating domain key
[Fri Sep 13 08:03:51 UTC 2024] Domain key exists, do you want to overwrite it?
[Fri Sep 13 08:03:51 UTC 2024] If so, add '--force' and try again.
[Fri Sep 13 08:03:51 UTC 2024] Error creating domain key.
[Fri Sep 13 08:03:51 UTC 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log
[ERR] Certificate issuance failed, script exiting...

I don't know the exact command to add the --force option to. Rather than that, I would like to remove the keys (didn't I delete them?) and use the original script I am using.
Any idea about that?

It's best practice to only revoke certificates if your private key has been compromised and there is generally no benefit to revoking your cert routinely.

How are you calling acme.sh? It's when you run acme.sh that you would perhaps add the --force option.

5 Likes

If you just want to completely remove the acme.sh config for a particular certificate, you could delete the corresponding directory under your ~/.acme.sh/ path, e.g. yourdomain.com_ecc, but beware of deleting any certificate files your web server may currently be using.

Why did you want to remove this certificate and create it again? Was there something incorrect that you wanted to fix?

4 Likes
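An added example (not from this thread and not acme.sh's own code) of the cleanup the reply above describes and that the original poster's acme.sh --remove run left behind: it removes the leftover per-domain directory under the acme.sh home, but first greps the web-server config directories for references to files in it and refuses if any are found. The acme.sh home, the config directories, and the ecc/rsa directory-naming rule are assumptions; the first two can be overridden with environment variables.

```shell
#!/bin/sh
# Added example, not part of the thread or of acme.sh: remove the leftover
# per-domain directory (e.g. ~/.acme.sh/yourdomain.com_ecc) only when no
# web-server config still references files inside it.
# Assumed locations; override with ACME_HOME / CONF_DIRS if yours differ.
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"
CONF_DIRS="${CONF_DIRS:-/etc/nginx /etc/apache2 /etc/httpd}"

# Print each config file that mentions a file under the directory;
# exit status 0 if any do, 1 otherwise.
find_references() {
    dir="$1"
    found=1
    for d in $CONF_DIRS; do
        [ -d "$d" ] || continue
        # -F matches the path literally (it contains dots); the trailing
        # slash keeps DOMAIN from matching inside DOMAIN_ecc.
        if grep -rlF -- "$dir/" "$d" 2>/dev/null; then
            found=0
        fi
    done
    return $found
}

# remove_stale_acme_dir DOMAIN [ecc|rsa]
# Assumed layout: acme.sh keeps ECC certs under DOMAIN_ecc, RSA under DOMAIN.
# Returns 0 when removed, 1 when still referenced, 2 when nothing to do.
remove_stale_acme_dir() {
    domain="$1"
    keytype="${2:-ecc}"
    if [ "$keytype" = "rsa" ]; then
        dir="$ACME_HOME/$domain"
    else
        dir="$ACME_HOME/${domain}_ecc"
    fi
    if [ ! -d "$dir" ]; then
        echo "nothing to remove: $dir does not exist" >&2
        return 2
    fi
    echo "files in $dir:"
    ls -l "$dir"
    if find_references "$dir"; then
        echo "refusing to remove $dir: the config files above still reference it" >&2
        return 1
    fi
    rm -rf -- "$dir"
    echo "removed $dir"
    return 0
}
```

Run it as remove_stale_acme_dir yourdomain.com after sourcing the file; once the directory is gone, the "Domain key exists" prompt no longer applies and a fresh key can be created without --force.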

I used letsencrypt and now want to use Cloudflare. It sounds like some steps are different, as I have to provide a global API token, which I didn't do with letsencrypt.

Thank you, it is now fixed.

1 Like

I'm not sure what you mean by this. As far as I know (and can tell from Certificate authorities | Cloudflare SSL/TLS docs), Cloudflare does not operate their own publicly trusted CA?

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.