Revoke certificate

Hi everyone. For years I had a duckdns domain combined with Home Assistant generated and always updated with the DuckDns addon. I recently created a ThingsBoard server and I had the terrible idea of using the same domain on port 10443 instead of 443 and I created a certificate with Caddy which worked perfectly.

Yesterday the Home Assistant certificate expired and this is not renewed by the addon because upon checking it realizes that the certificate for that domain is valid until March. But this is actually what ThingsBoard does.

So I created a new domain for ThingsBoard with a new certificate but I can't revoke the old one because I can't find the same one as its private key. How could I solve it?

the domain is:
green-home.duckdns.org

Why do you want to revoke the cert in the first place?

1 Like

Hello @abbio90,

If the private key is not compromised then there isn't really a reason to revoke the certificate.

2 Likes

Because I want to use this certificate on HOME ASSISTANT.

A new domain with related certificate has been created on ThingsBoard.

Now on Home Assistant it gives me an expired certificate because it was combined with ThingsBoard on that domain.

Yes, sure, but how does revoking fit into those wishes?

Please note that I have absolutely no clue what this "ThingsBoard" is.. (And probably most of my fellow volunteers also don't have a clue..)

4 Likes

ThingsBoard is an MQTT broker that runs on docker compose.

The certificates were self-created with Caddy. So after I replaced the domain on Caddy I can no longer find the old certificates. This doesn't matter.

We can forget about ThingsBoard if we can get the certificate working on Home Assistant again.

Here shows the certificate presently being served https://decoder.link/sslchecker/green-home.duckdns.org/443 which is this certificate crt.sh | 14677958751 and it is expired.

Here is a list of issued certificates crt.sh | green-home.duckdns.org, the latest being 2024-12-25. Why not just start serving up the latest certificate?

1 Like

So it runs locally and not remotely, so no certificate (private key) for your domain is in third party hands which you actually might want to revoke? Because if it's just locally, there's no need to revoke.

How does revoking come into play with "get the certificate working again"?

It's probably a better idea to just explain what you have and what you want, so we can help you with that, instead of asking for something very specifically which probably isn't necessary, such as revoking a certificate.

2 Likes

Just to clarify what others are saying:

The only reason to revoke a Certificate is when the Private Key has been compromised. If you're doing a fresh install, or anything like that - you can just forget the Certificate ever existed*. If you've accidentally deleted your Private Key, you can also just forget the Certificate ever existed.

When you revoke a Certificate, you're not just removing it locally - you're setting forth a global mechanism across the SSL ecosystem that reports the Certificate as Invalid and Untrustworthy. That's just not necessary in these situations.

* If you can move the Certificate, Key and Account info to the new server - you should do that.

4 Likes

On Home Assistant if you go to the indicated domain, you will see that the certificate has expired. This is handled by the DuckDns Addon. If I restart the addon this log appears

# INFO: Using main config file /data/workdir/config

Processing green-home.duckdns.org

+ Checking domain name(s) of existing cert... unchanged.

+ Checking expire date of existing cert...

+ Valid till Feb 22 00:47:17 2025 GMT (Longer than 30 days). Skipping renew!

You might also want to check on https://community.home-assistant.io/ the Home Assistant community forum as well.

2 Likes

Currently if you go to the domain indicated by your network the certificate that appears is this one and not the ones created subsequently.

That sounds more like a Home Assistant configuration issue and I'm not sure if revoking the certificate would change any of that.

Maybe it's as simple as restarting Home Assistant?

2 Likes

Correct, just start using the latest certificate issued, which would be this certificate crt.sh | 15882574253

Edit

Seeing this makes me believe that Add-on thinks this is the certificate in use crt.sh | 15610062460

You want the Add-on and Home Assistant to be in sync having the same certificate perspective, and that should be the latest issued certificate.

2 Likes
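An added example, not part of any post in this thread and not the add-on's own code: a way to check whether the certificate file a renewal client evaluates is the same certificate the server presents, using the 30-day window that appears in the log above. The file names, function names and the two throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the certificate file a renewal client evaluates
# with the certificate the server presents. File names are assumptions.
# A served certificate can be saved for comparison with, for example:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null \
#     | openssl x509 -out served.pem

WINDOW=$((30 * 24 * 3600))   # the 30-day threshold shown in the add-on log

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate is still valid WINDOW seconds from now.
outside_window() {
    openssl x509 -in "$1" -noout -checkend "$WINDOW" >/dev/null
}

# $1 = certificate on disk, $2 = certificate being served.
cert_sync_status() {
    if [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; then
        if outside_window "$1"; then echo "in-sync-valid"
        else echo "in-sync-renew-due"; fi
    elif outside_window "$1" && ! outside_window "$2"; then
        # The situation discussed in this thread: the client skips renewal
        # because its file is fresh, while the server presents another cert.
        echo "mismatch-renewal-skipped"
    else
        echo "mismatch"
    fi
}

# Constructed sample data: throwaway self-signed certificates.
make_cert() {   # $1 = output path, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.invalid" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_cert "$demo_dir/disk.pem" 60     # what the client checks
make_cert "$demo_dir/served.pem" 1    # what the server presents
cert_sync_status "$demo_dir/disk.pem" "$demo_dir/served.pem"
```

A `mismatch-renewal-skipped` result means renewal is not the problem; the server needs to be pointed at, or reloaded with, the file the client maintains.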

I could try to create a new one with certbot without setting up crontab for renewal. Once this expires I think the addon will take care of renewing it. Do you think this could be a solution?

Does the "addon" also use Certbot? If not, how would it know how to use the cert issued with Certbot?

Edit:
Looking at the DuckDNS addon code it doesn't use Certbot, but a different ACME client. So that's a no-go.

2 Likes

I agree, but I don't understand why duckdns then notices that there is a certificate that hasn't expired and consequently doesn't update. All certificates created in December were created with certbot or Caddy on another server using the same domain.

The developers might be a better resource for that question, here addons/duckdns at master · home-assistant/addons · GitHub

Do Home Assistant and Caddy place the certificates and private keys in the same location as Certbot?
How are the certificates and private keys being copied to the target server?

1 Like

Good morning everyone, I uninstalled the addon, loaded an old Home Assistant backup and now the certificate has renewed successfully. Thank you all for your patience.

2 Likes