Revoke and Renew Let's Encrypt certificate issues with acmev01 to acmev02

Hi,

We have an SSL certificate issued for one of our domains using acmev01. As support for acmev01 is removed, I tried to revoke the existing certificate to generate a new certificate using acmev02. The reason for revoking the certificate is that the present certificate is valid until mid-August. We are facing the following problems.

My domain is: cloud.cs.ux.uis.no

As per this link https://letsencrypt.org/docs/revoking/
I ran this command to revoke the certificate more than once, because we still have the old certificate valid:
certbot revoke --cert-path /etc/letsencrypt/live/cloud.cs.ux.uis.no/fullchain.pem

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
Certificate already revoked
Please see the logfiles in /var/log/letsencrypt for more details.

While trying to renew the certificate, I am still getting “certs are not due for renewal yet”.
$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud.cs.ux.uis.no.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/cloud.cs.ux.uis.no/fullchain.pem expires on 2020-08-17 (skipped)
No renewals were attempted.
No hooks were run.


My web server is (include version): $ /usr/sbin/apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2019-10-08T13:31:25

The operating system my web server runs on is (include version): Ubuntu 16.04.6

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
$ certbot --version
certbot 0.31.0

Hi @jaysee

Revoking certificates if the private key isn’t stolen is always wrong.

And revoking installed certificates before creating and installing new certificates - the same, now your website is blocked.

What does this command say?

certbot certificates

If there is no certificate visible, you may start fresh, not with renew, instead with the complete command.

2 Likes

Hi @JuergenAuer,

Thanks for the info. It seems the certificate got invalidated, but while generating the certificate, I am still getting the same error message “Cert not yet due for renewal”, even though I am not trying to renew the certificate.

Commands and output:
$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: cloud.cs.ux.uis.no
Domains: cloud.cs.ux.uis.no storage.cs.ux.uis.no
Expiry Date: 2020-08-17 05:32:14+00:00 (INVALID: REVOKED)
Certificate Path: /etc/letsencrypt/live/cloud.cs.ux.uis.no/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cloud.cs.ux.uis.no/privkey.pem


$ certbot certonly --standalone -d cloud.cs.ux.uis.no -d storage.cs.ux.uis.no
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
Keeping the existing certificate


Certificate not yet due for renewal; no action taken.


Please check the documentation

There is something like a “force” parameter. Newer certbots do that - certificate is revoked, renew.

2 Likes

Thanks @JuergenAuer. With force-renewal the problem is fixed.

2 Likes
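
Added example (not part of the thread and not Certbot's own code): a shell helper that reads `certbot certificates` output, picks out lineages flagged `INVALID: REVOKED` as in the output posted above, and prints the `--force-renewal` command for each. The function names and the embedded sample are constructed for illustration; the sample repeats the revoked lineage from the thread and adds one hypothetical valid lineage (example.org).

```shell
#!/bin/sh
# Added example: find certbot lineages whose certificate is revoked and
# print the forced re-issue command for each. Nothing here calls certbot;
# pipe real `certbot certificates` output into revoked_lineages to use it.

# Constructed sample: the revoked lineage from the thread plus one
# hypothetical valid lineage (example.org) for contrast.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: cloud.cs.ux.uis.no
    Domains: cloud.cs.ux.uis.no storage.cs.ux.uis.no
    Expiry Date: 2020-08-17 05:32:14+00:00 (INVALID: REVOKED)
    Certificate Path: /etc/letsencrypt/live/cloud.cs.ux.uis.no/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.cs.ux.uis.no/privkey.pem
  Certificate Name: example.org
    Domains: example.org
    Expiry Date: 2020-09-01 10:00:00+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.org/privkey.pem
EOF
}

# Read `certbot certificates` output on stdin; print one revoked
# lineage name per line.
revoked_lineages() {
  awk '
    /Certificate Name:/ { sub(/^.*Certificate Name:[ \t]*/, ""); name = $0 }
    /Expiry Date:/ && /INVALID:/ && /REVOKED/ { if (name != "") print name }
  '
}

# Read lineage names on stdin; print the re-issue command for each.
# A revoked certificate still carries a future expiry date, which is why
# a plain `certbot renew` skips it and --force-renewal is needed.
renewal_commands() {
  while IFS= read -r name; do
    [ -n "$name" ] && printf 'certbot renew --cert-name %s --force-renewal\n' "$name"
  done
  return 0
}

# Demo on the constructed sample.
sample_output | revoked_lineages | renewal_commands
```

On a real host, replace `sample_output` with `certbot certificates` and review the printed commands before running them.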
