Revoke cert and it tries and renews

gmgj · September 2, 2019, 1:32pm

My server: Ubuntu 18.04 LTS Apache/2.4.29 (Ubuntu)
Rackspace: shell access

Certbot 3.1

Time 1
I revoke a certificate like this:
certbot revoke -n --cert-path /etc/letsencrypt/live/drjacobsadighonline.com/cert.pem --reason supersededI

I get this output
Array
(
[0] =>
[1] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[2] => Deleted all files relating to certificate drjacobsadighonline.com.
[3] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[4] =>
[5] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[6] => Congratulations! You have successfully revoked the certificate that was located
[7] => at /etc/letsencrypt/live/drjacobsadighonline.com/cert.pem
[8] =>
[9] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
)

Time 2
The certbot renew job runs and gives me this kind of warning

No certificate found with name drjacobsadighonline.com (expected /etc/letsencrypt/renewal/drjacobsadighonline.com.conf).

So, what do I have to do to remove so that certbot does not need to process revoked certificates?

rg305 · September 2, 2019, 1:57pm

Please show what certs are still “in use”:
certbot certificates

mnordhoff · September 2, 2019, 4:04pm

What command does your cron job run?

Can you post “sudo ls -l /etc/letsencrypt/{archive,live,renewal}”?

schoen · September 2, 2019, 5:50pm

The error in question makes me think that this is a manually-created cron job that specifically references the certificate name in the cron task. If not, I'm very curious about what could have caused this!

gmgj · September 3, 2019, 3:32am

I maintain a site that uses name based virtual hosting. There are around 500 certificates / domains. In the last 60 days there have been maybe 40 adds and 40 revokes. The file for certbot certificates is large. If you think that will help, I can provide it. I showed an example of a recurring event

gmgj · September 3, 2019, 3:35am

I did not create my own version. I maintain a site that uses name based virtual hosting. There are around 500 certificates / domains. In the last 60 days there have been maybe 40 adds and 40 revokes. The file for certbot certificates is large. If you think that will help, I can provide it. I showed an example of a recurring event. I believe this is the job that is run. I runs at various times.
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven’t been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

gmgj · September 3, 2019, 3:36am

Can you please see my replies to the other responses.

rg305 · September 3, 2019, 3:41am

I think there may be some confusion between revoke and delete.
[Or I don’t understand why you are revoking certificates instead of just deleting them]

Please show:
certbot certificates | grep drjacobsadighonline.com

gmgj · September 3, 2019, 3:58am

I am confused. When I revoked a cert I see Deleted all files relating to certificate drjacobsadighonline.com. What I want to do is: prevent any further use of this certificate, delete all the associated files and cleanup anything remaining, as this certificate / domain is no longer valid. How do I do that?

rg305 · September 3, 2019, 4:35am

You should only REVOKE a certificate when you are certain that it has been compromised (or are at least doubtful of the security of the private key file).

You should only have to DELETE a certificate when you are no longer in need of it.

JuergenAuer · September 3, 2019, 5:50am

Hi @gmgj

delete the certificate via certbot delete, that's enough.

mnordhoff · September 3, 2019, 9:50am

Well... Is drjacobsadighonline.com still listed?

Can you post "sudo ls -l /etc/letsencrypt/archive/drjacobsadighonline.com /etc/letsencrypt/live/drjacobsadighonline.com /etc/letsencrypt/renewal/drjacobsadighonline.com.conf"?

I'm confused too. If certbot revoke really did delete all of the files, the files are deleted and there aren't any other steps to take.

The error message in the first post should only have happened if you then ran something like "sudo certbot renew --cert-name already-deleted-certificate.com". In that case, the question would be why you're doing that, and the only other step would be to stop running it.

Or when you no longer control the domain (like if a hosting customer has moved to another company).

gmgj · September 3, 2019, 2:08pm

Thank you. This situation is like a subscription service. When a customer drops the subscription, the domain name is dropped by my client. What I wanted to prevent is someone claiming that domain name and doing something with that letsencrypt certificate. That scenario, I believe is not likely;however, I was erring on the side of an overabundance of caution. The operative part is that we do not control the domain anymore, so do you agree that the right procedure is to revoke?

mnordhoff · September 3, 2019, 2:36pm

Well, my interpretation is that section 3.2 of the Subscriber Agreement requires it.

Aside from that, I don’t have extremely strong feelings about it – when people move services, usually the old company isn’t massively evil or out to get them – but revoking is tidier and more responsible, and it’s good when people want to do right by former customers.

gmgj · September 3, 2019, 2:50pm

Thanks Again. Until further notice, I will continue to revoke the certificates.

gmgj · September 3, 2019, 3:01pm

I see 2 issues have come up. 1) is do either a revoke or a delete? Unless directed otherwise, I will be revoking them. See the posts in the thread about this. 2) I see the message in the email I get from the cron renewal job. I do not believe it shows up in the logs. I am going to wait until I have another example to show what is happening now. But, the tentative description of the issue is that revoke may not clean up all the things that it should. I need to check all the entries under ls -l /etc/letsencrypt/ for a domain after I revoke the cert. It may turn out that when the renew process sees a

No certificate found with name drjacobsadighonline.com (expected /etc/letsencrypt/renewal/drjacobsadighonline.com.conf).

an error like this, it fixes the problem and continues. It writes the entry in the email, and not the log.

schoen · September 5, 2019, 5:24am

It would be really helpful to see some of that ls output, because perhaps there’s a bug in Certbot (which ought to delete all the relevant files if it claims that it’s deleting them).

gmgj · September 6, 2019, 5:50pm

Will do.

I need to set it up to run as part the control routines.

sudo ls -l
/etc/letsencrypt/archive/XXXXXXXX.com
/etc/letsencrypt/live/XXXXXXXX.com
/etc/letsencrypt/renewal/XXXXXXXX

When I revoke it do this

certbot revoke -n --cert-path 'lets-live etc XXXXXXX.com '–reason superseded
certbot delete -n --cert-name XXXXXXX.com
I also clean up the apache .conf files

After my job does it stuff, I have to do the ls shown above for a domain that I am revoking.
and
-Mail from the letsencrypt renewal run
-Corresponding letsencrypt logs

The 'ls -l ’ need to be run before the certbot renew run starts.

I do not know how the renew is controlled,
If it is kicked of by reading the list of files under renewal, that correspond to domains and certs, and the msg I get in the cron mail:

No certificate found with name XXXXXXXX…com (expected /etc/letsencrypt/renewal/XXXXXXXX.com.conf).

I suspect that the renew job is tidying and finishing the rest of the cleanup.
Because as far as I can tell, I do not see anymore messages about

No certificate found with name XXXXXXXX…com (expected /etc/letsencrypt/renewal/XXXXXXXX.com.conf).

schoen · September 10, 2019, 10:24pm

Can you please show us your cron job? Maybe it specifies a --cert-name for some reason?

gmgj · September 11, 2019, 2:13pm

show the cron job See the September 3 post above , that begins with I did not create my own version.
I have a cron job that does maintenance. It requests new certs and revokes old.
The renewal job runs on a timer, at different times. I was hoping I could catch the state of the files after a revoke and before the renewal ran. It did not work, so I added a step after it does the revokes. Instead of linux ls, I am using php glob. see snippet below. As soon as I see a revoke, I will include the output here. I will help in any way I can. If you want to private message me that’s fine

// for letsencrpt revoke not deleteing all files
$letslog = ‘lets’. $ourgjDNlc . ‘.txt’;
$lscerpath = lets . '/*/’ . $ourgjDNlc . ‘*’;
$gjout = glob($lscerpath);
//print_r ($gjout);
file_put_contents($letslog, implode("\n", $gjout));