Renew certificate before revoking old one

Hi;

I am trying to renew their certificate before revoking the old one. However, I always get a message that this certificate is not due for renewal yet.

If I revoke, then renew, I will cause an outage. Not sure what to do here.

Kindly
Wasfi

Hello @wbounni

Your question is better suited to the Help section, to which I moved it. Had you posted there first you would have been shown this form. Please answer as much as you can. Mostly, knowing what ACME client you are using is very helpful for your question. But so are some of the other questions.

Also, please explain why you want to revoke the old certificate. This is rarely needed (see link here).

==========================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

6 Likes

You should never revoke the old cert, unless you suspect its private key has been compromised.

That normally means that the cert in question is good for more than another 30 days. There's no reason to renew it that early. Wait until it's closer to expiration before you try to renew it.

5 Likes

It's usually possible to force a renewal, depending on the ACME client you're using. When using Certbot, however, it would re-symlink the symbolic links in the /live/ directory to the newly issued certificate. So if you need to renew the old certificate, you'd need to specify the path to the old certificate in the /archive/ directory "manually", obviously making sure you're revoking the correct certificate from that directory, not the newly issued one.

But like the rest, I'm curious why you need to revoke the certificate in the first place. If the private key has been compromised, that's a very good reason (mandatory even, I'd say) to revoke the cert. Other reasons to revoke the cert are usually not that strong.

5 Likes

Thank you for your responses. The reason is a compromised private key. Luckily this is only a test environment.

In a similar situation in a production environment, I want to be able to renew the certificate, then revoke the old one, which I don't know how to do using certbot.

If there is a force renew command, would you please share it?

1 Like

--force-renewal

Recreating and Updating Certificates:
https://eff-certbot.readthedocs.io/en/stable/using.html#re-creating-and-updating-existing-certificates

Revocation:
https://eff-certbot.readthedocs.io/en/stable/using.html#revoking-certificates

Command-Line Options:
https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options

6 Likes
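An added helper script (not from this thread and not part of Certbot) for the sequence the two replies above describe: after `certbot renew --cert-name NAME --force-renewal` has moved the live/ symlinks to the new certificate, it picks the superseded certN.pem in archive/ and its companion privkeyN.pem so the revoke command targets the old certificate and not the newly issued one. It assumes the standard /etc/letsencrypt/{live,archive}/NAME layout; the paths and certificate contents in the test are constructed.

```shell
#!/bin/sh
# Added example: locate the superseded certificate in Certbot's archive/
# directory after a forced renewal. Assumption: standard layout
# /etc/letsencrypt/{live,archive}/<name>/ with cert<N>.pem naming.
set -eu

# Print the archive path of the highest-numbered cert<N>.pem that
# live/cert.pem does NOT resolve to. Args: <live dir> <archive dir>.
# Returns 1 when there is no superseded certificate (nothing to revoke).
superseded_cert() {
  live_dir=$1; archive_dir=$2
  current=$(readlink -f "$live_dir/cert.pem")
  found=""; found_n=""
  for c in "$archive_dir"/cert[0-9]*.pem; do
    [ -e "$c" ] || continue
    # Skip the cert live/ points at, and any byte-identical copy of it.
    [ "$(readlink -f "$c")" = "$current" ] && continue
    cmp -s "$c" "$current" && continue
    n=${c##*/cert}; n=${n%.pem}
    if [ -z "$found" ] || [ "$n" -gt "$found_n" ]; then found=$c; found_n=$n; fi
  done
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Companion private key for an archive cert path (cert7.pem -> privkey7.pem).
matching_key() {
  dir=$(dirname "$1"); n=${1##*/cert}; n=${n%.pem}
  printf '%s/privkey%s.pem\n' "$dir" "$n"
}

# Usage: ./revoke-old.sh example.com  (run AFTER the forced renewal, which
# by default issues a fresh key pair, as wanted after a key compromise).
# Dry run: prints the revoke command for the old cert instead of running it.
if [ "${1:-}" ]; then
  name=$1
  old=$(superseded_cert "/etc/letsencrypt/live/$name" "/etc/letsencrypt/archive/$name")
  echo "certbot revoke --cert-path $old --key-path $(matching_key "$old") --reason keycompromise"
fi
```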

Thank you @griffin. This is what I was looking for. Thank you all for your help.

3 Likes
