I’m just going to drop an example here so you can see if it matches what you are doing. I still don’t understand how you get that output from Certbot.
I have a Certbot installation that is using a separate/fresh Let’s Encrypt account/key from the certificate I’m trying to revoke.
I’ve downloaded the certificate I want to revoke to revokeme.pem. It’s just a single wildcard like yours: *.revokeme.foo.monkas.xyz.
When I try to revoke the certificate, as expected, it doesn’t work because I lack the authorization on that Let’s Encrypt account:
root@b3f488764f77:/# certbot revoke --cert-path revokeme.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
The client lacks sufficient authorization :: The key ID specified in the revocation request does not hold valid authorizations for all names in the certificate to be revoked
Please see the logfiles in /var/log/letsencrypt for more details.
OK.
So now I use the non-existent domain trick to gain the authorization to the domain I want to revoke:
root@b3f488764f77:/# certbot certonly -d *.revokeme.foo.monkas.xyz -d nonexistent.example.com -a manual --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for revokeme.foo.monkas.xyz
http-01 challenge for nonexistent.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.revokeme.foo.monkas.xyz with the following value:
GBBIiAQVy0Bci-Dx4eJioa6609MW441gYe_eAnXgnUA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
GodQX_VOq1QyBUTNZO-Ffa_J940QzPxJGyi-caEELvA._EODt3LLjb8wPRj9UVIk-ZSsYQIaoPfdwLfRVGpB-cI
And make it available on your web server at this URL:
http://nonexistent.example.com/.well-known/acme-challenge/GodQX_VOq1QyBUTNZO-Ffa_J940QzPxJGyi-caEELvA
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nonexistent.example.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nonexistent.example.com
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: nonexistent.example.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
nonexistent.example.com
In the above, I only actually add the DNS record for the domain I want to revoke; for the non-existent domain I just press Enter without deploying the challenge response.
As a result of the above, this Let’s Encrypt account is now authorized to revoke the revokeme.pem certificate:
root@b3f488764f77:/# certbot revoke --cert-path revokeme.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the cert(s) you just revoked, along with all earlier
and later versions of the cert?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: Y
No match found for cert-path /revokeme.pem!
Never mind that wonky-looking error at the end of the output; it’s revoked. We can confirm by repeating the command:
root@b3f488764f77:/# certbot revoke --cert-path revokeme.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
Certificate already revoked
Please see the logfiles in /var/log/letsencrypt for more details.
Can you relate any of that to what you’ve been trying to do?