Revoke SSL Certificate


#1

Hello -

I issued an SSL Certificate with Let’s Encrypt, but had to delete the droplet. Was this enough to revoke the SSL certificate? Or do I need to do anything else before issuing another certificate on another droplet for the same domain?

My domain is: quantumstat.us

I ran this command:

It produced this output:

My web server is (include version): Apache

The operating system my web server runs on is (include version): ubuntu 18.10 x64

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#2

Hi @mlima

You don’t need to revoke a certificate if you need a new certificate.

You should only revoke a certificate if the private key is stolen / compromised etc.

So if you delete your private key, you don’t need to revoke anything.

But there are rate limits.

So if you use containers, you should save certificates outside, so you can reuse the same certificate with different containers.

Create one certificate, then use it 60 - 85 days.


#3

Thank you @JuergenAuer.

I tried to issue another certificate for the new droplet by running the following command: $ sudo certbot certonly --webroot -w /var/www/html/ -d quantumstat.us. I got the following response:

(I checked the IP address with nslookup and was able to confirm the IP address was correct.) Do you know why I got this error?


#4

Then your webroot may be wrong.

Your main configuration looks ok ( https://check-your-website.server-daten.de/?q=quantumstat.us ):

Domainname  IP  Http-Status  redirect  Sec.  G
http://quantumstat.us/  157.230.84.173  302  http://quantumstat.us/auth/researchcenter/login?next=%2F  0.220  D
http://www.quantumstat.us/  157.230.84.173  200  0.217  H
http://quantumstat.us/auth/researchcenter/login?next=%2F  200  0.217  H
https://quantumstat.us/  157.230.84.173  -2  1.313  V
    ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 157.230.84.173:443
https://www.quantumstat.us/  157.230.84.173  -2  1.330  V
    ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 157.230.84.173:443
http://quantumstat.us/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  157.230.84.173  404  0.217  A
    NOT FOUND
http://www.quantumstat.us/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  157.230.84.173  404  0.220  A
    Not Found

Port 80 is open, /.well-known/acme-challenge/unknown-file sends the expected http status 404.

So create the two subdirectories

/var/www/html/.well-known/acme-challenge

and there a file (file name 1234), then try to load this file via

http://www.quantumstat.us/.well-known/acme-challenge/1234

to check whether your webroot is correct.


#5

@JuergenAuer - you’re correct the webroot was wrong I think. I created a flask application on /var/www/html/researchcenter/app/. And my configuration file reads as follows:

<Directory /var/www/html/researchcenter/app/>
    Order allow,deny
    Allow from all
</Directory>

I created the directories ‘.well-known’ and ‘/acme-challenge/’ and a text file inside the /app/ folder. However, http://quantumstat.us/.well-known/acme-challenge/8012FKgalxzVjIVdLuJ44jHBSFr_mSE4osYEEpa8iiY.txt was not found. Any suggestions?


#6

The text file (file name 1234) must be in your

/.well-known/acme-challenge

subfolder. So if

/var/www/html/researchcenter/app/

is your webroot, create

/var/www/html/researchcenter/app/.well-known/acme-challenge

and there a file

/var/www/html/researchcenter/app/.well-known/acme-challenge/1234

If this is correct, you must be able to load this file with your browser.
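The webroot check described in posts #4 and #6, scripted as an added example (not code from the thread): it drops a random file under /.well-known/acme-challenge, fetches it over HTTP for both the www and the non-www name, and compares the bodies. The function names `fetch_http`, `probe_webroot` and `check_both_hosts` are hypothetical; the fetcher is injectable so the logic can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the thread): check that a directory really is the
# webroot Apache serves for a hostname before pointing certbot --webroot at it.
# It automates the test from post #4: drop a random file under
# /.well-known/acme-challenge and fetch it over plain HTTP.
set -u

# Default fetcher: curl, with -f so a 404 (the symptom in the thread) fails.
fetch_http() {
  curl -fsS -L --max-time 10 "$1"
}

# probe_webroot WEBROOT BASE_URL [FETCH_CMD]
# Returns 0 only if the file written under WEBROOT comes back byte-for-byte
# from BASE_URL. FETCH_CMD is injectable so the logic can be tested offline.
probe_webroot() {
  webroot=$1; base=$2; fetch=${3:-fetch_http}
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 2
  # Random name and body: a stale file or a catch-all page (post #11 saw the
  # Flask app answering instead of a 404) cannot pass by accident.
  name=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf '%s' "$token" > "$dir/$name"
  rc=0
  body=$("$fetch" "$base/.well-known/acme-challenge/$name") || rc=$?
  rm -f "$dir/$name"
  [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# check_both_hosts WEBROOT DOMAIN [FETCH_CMD]
# The thread's www and non-www names were served from different places, so
# probe each hostname that will be in the certificate. Returns the number
# of hostnames that failed.
check_both_hosts() {
  webroot=$1; domain=$2; fetch=${3:-fetch_http}
  failed=0
  for host in "$domain" "www.$domain"; do
    if probe_webroot "$webroot" "http://$host" "$fetch"; then
      echo "OK   $host serves $webroot/.well-known/acme-challenge"
    else
      echo "FAIL $host does not serve $webroot/.well-known/acme-challenge"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# On the server from the thread: check_both_hosts /var/www/html quantumstat.us
```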


#7

Sorry, the file is inside /var/www/html/researchcenter/app/.well-known/acme-challenge/ but I can’t load it. I restarted Apache after adding the file.


#8

Then this

isn’t your real webroot. Or there are internal redefinitions (Location elements with /.well-known or /.well-known/acme-challenge) to other directories.


#9

@JuergenAuer, couldn’t find /.well-known or /.well-known/acme-challenge in other directories.


#10

Then the first step: find your webroot and create a file there that you can load via

http://www.quantumstat.us/1234

and

http://quantumstat.us/1234

#11

Uhm, what’s that?

Checking

http://quantumstat.us/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

shows a page with links (Data, Blog etc.).

Checking

http://www.quantumstat.us/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

there is the raw Apache file:

Not Found

The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.
Apache/2.4.34 (Ubuntu) Server at www.quantumstat.us Port 80

So your non-www and your www version have different content.


#12

Blog, Data, etc. pages were created on quantumstat.com (a different domain). I have a Flask application for quantumstat.us. I added a 1234.txt file in the /var/www/html directory. http://www.quantumstat.us/1234.txt works but not http://quantumstat.us/1234.txt.


#13

Then quantumstat.us perhaps uses the same webroot as quantumstat.com


#14

It’s being hosted by a different web host provider.


#15

But why does this file

show this information?

You have different webroots; you can create one certificate with different domain names and different webroots:

-w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.net -d m.thing.net

#16

Please confirm the webroot matches the document root.

You might be able to find the document root within the output of:
grep -Eri 'root|servern|servera|listen|host' /etc/apache2


#17

@rg305 - here is the response:

/etc/apache2/mods-available/userdir.conf: UserDir disabled root
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/info.conf: # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
/etc/apache2/mods-available/ssl.conf: ## the main server and all SSL-enabled virtual hosts.
/etc/apache2/mods-available/ssl.conf: # Whether to forbid non-SNI clients to access name based virtual hosts.
/etc/apache2/mods-available/ssl.conf: #SSLStrictSNIVHostCheck On
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status
/etc/apache2/mods-available/status.conf: # Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
/etc/apache2/mods-available/vhost_alias.load:LoadModule vhost_alias_module /usr/lib/apache2/modules/mod_vhost_alias.so
/etc/apache2/mods-available/cache_disk.conf: CacheRoot /var/cache/apache2/mod_cache_disk
/etc/apache2/mods-available/cache_disk.conf: # put this into the configuration for just one virtual host.
/etc/apache2/mods-available/authz_host.load:LoadModule authz_host_module /usr/lib/apache2/modules/mod_authz_host.so
/etc/apache2/mods-available/reqtimeout.conf: # mod_reqtimeout per virtual host.
/etc/apache2/mods-available/reqtimeout.conf: # Note: Lower timeouts may make sense on non-ssl virtual hosts but can
/etc/apache2/mods-available/reqtimeout.conf: # cause problem with ssl enabled virtual hosts: This timeout includes
/etc/apache2/sites-enabled/researchcenter.conf:<VirtualHost *:80>
/etc/apache2/sites-enabled/researchcenter.conf: ServerName quantumstat.us
/etc/apache2/sites-enabled/researchcenter.conf: ServerAdmin info@quantumstat.com
/etc/apache2/sites-enabled/researchcenter.conf:
/etc/apache2/sites-enabled/researchcenter.conf:<VirtualHost *:80>
/etc/apache2/sites-enabled/researchcenter.conf: ServerName www.quantumstat.us
/etc/apache2/sites-enabled/researchcenter.conf: ServerAdmin info@quantumstat.com
/etc/apache2/sites-enabled/researchcenter.conf:
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf: # specifies what hostname must appear in the request’s Host: header to
/etc/apache2/sites-available/000-default.conf: # match this virtual host. For the default virtual host (this file) this
/etc/apache2/sites-available/000-default.conf: # value is not decisive as it is used as a last resort host regardless.
/etc/apache2/sites-available/000-default.conf: # However, you must set it for any further virtual host explicitly.
/etc/apache2/sites-available/000-default.conf: #ServerName www.example.com
/etc/apache2/sites-available/000-default.conf: ServerAdmin webmaster@localhost
/etc/apache2/sites-available/000-default.conf: DocumentRoot /var/www/html
/etc/apache2/sites-available/000-default.conf: # include a line for only one particular virtual host. For example the
/etc/apache2/sites-available/000-default.conf: # following line enables the CGI configuration for this host only
/etc/apache2/sites-available/000-default.conf:
/etc/apache2/sites-available/researchcenter.conf:<VirtualHost *:80>
/etc/apache2/sites-available/researchcenter.conf: ServerName quantumstat.us
/etc/apache2/sites-available/researchcenter.conf: ServerAdmin info@quantumstat.com
/etc/apache2/sites-available/researchcenter.conf:
/etc/apache2/sites-available/researchcenter.conf:<VirtualHost *:80>
/etc/apache2/sites-available/researchcenter.conf: ServerName www.quantumstat.us
/etc/apache2/sites-available/researchcenter.conf: ServerAdmin info@quantumstat.com
/etc/apache2/sites-available/researchcenter.conf:
/etc/apache2/sites-available/default-ssl.conf:
/etc/apache2/sites-available/default-ssl.conf: ServerAdmin webmaster@localhost
/etc/apache2/sites-available/default-ssl.conf: DocumentRoot /var/www/html
/etc/apache2/sites-available/default-ssl.conf: # include a line for only one particular virtual host. For example the
/etc/apache2/sites-available/default-ssl.conf: # following line enables the CGI configuration for this host only
/etc/apache2/sites-available/default-ssl.conf: # Enable/Disable SSL for this virtual host.
/etc/apache2/sites-available/default-ssl.conf:
/etc/apache2/conf-available/security.conf:# Optionally add a line containing the server version and virtual host
/etc/apache2/conf-available/security.conf:# Set to "EMail" to also include a mailto: link to the ServerAdmin.
/etc/apache2/conf-available/security.conf:# If you use version control systems in your document root, you should
/etc/apache2/conf-available/localized-error-pages.conf:# even on a per-VirtualHost basis. If you include the Alias in the global server
/etc/apache2/conf-available/localized-error-pages.conf:# ServerAdmin email address regardless of the setting of ServerSignature.
/etc/apache2/conf-available/other-vhosts-access-log.conf:# Define an access log for VirtualHosts that don’t define their own logfile
/etc/apache2/conf-available/other-vhosts-access-log.conf:CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
/etc/apache2/ports.conf:# have to change the VirtualHost statement in
/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf: Listen 443
/etc/apache2/ports.conf: Listen 443
/etc/apache2/apache2.conf:# virtual hosts, and extra configuration directives as flexible as possible, in
/etc/apache2/apache2.conf:# supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# global configuration fragments, or virtual host configurations,
/etc/apache2/apache2.conf:# ServerRoot: The top of the directory tree under which the server’s
/etc/apache2/apache2.conf:#ServerRoot "/etc/apache2"
/etc/apache2/apache2.conf:# HostnameLookups: Log the names of clients or just their IP addresses
/etc/apache2/apache2.conf:HostnameLookups Off
/etc/apache2/apache2.conf:# If you do not specify an ErrorLog directive within a
/etc/apache2/apache2.conf:# container, error messages relating to that virtual host will be
/etc/apache2/apache2.conf:# logged here. If you do define an error logfile for a
/etc/apache2/apache2.conf:# container, that host’s errors will be logged there and not here.
/etc/apache2/apache2.conf:# Include list of ports to listen on
/etc/apache2/apache2.conf:# not allow access to the root filesystem outside of /usr/share and /var/www.
/etc/apache2/apache2.conf:# access here, or in any related virtual host.
/etc/apache2/apache2.conf:LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
/etc/apache2/apache2.conf:# Include the virtual host configurations:


#18

There are some “discrepancies”…

Please show:
ls -l /etc/apache2/sites-enabled/
ls -l /etc/apache2/sites-available/

[the enabled folder should be just symlinks]


#19

Both:
/etc/apache2/sites-enabled/researchcenter.conf
/etc/apache2/sites-available/researchcenter.conf

lack a
DocumentRoot
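An added helper (not code from the thread) that automates the diagnosis in posts #16 and #19: it walks an Apache config directory and reports each VirtualHost with its names and DocumentRoot, flagging blocks that set none and therefore inherit the global one. The function names `vhost_report` and `count_missing` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list every <VirtualHost> under an
# Apache config directory with its ServerName, aliases and DocumentRoot, and
# flag blocks that set none. Such a vhost inherits the global DocumentRoot
# (/var/www/html on Ubuntu), which explains a name serving unexpected content.
set -u

# vhost_report DIR... : one tab-separated line per <VirtualHost>:
#   <file> <ServerName and aliases> <DocumentRoot or MISSING-DocumentRoot>
vhost_report() {
  for f in $(find "$@" -type f -name '*.conf' | sort); do
    awk -v file="$f" '
      # Drop comments and indentation; Apache directive names are case-insensitive.
      { sub(/#.*/, ""); sub(/^[ \t]+/, ""); if ($0 == "") next }
      tolower($1) ~ /^<virtualhost/ { inblock = 1; name = "?"; alias = ""; root = ""; next }
      inblock && tolower($1) == "servername"   { name = $2 }
      inblock && tolower($1) == "serveralias"  { for (i = 2; i <= NF; i++) alias = alias " " $i }
      inblock && tolower($1) == "documentroot" { gsub(/"/, "", $2); root = $2 }
      inblock && tolower($1) ~ /^<\/virtualhost>/ {
        printf "%s\t%s%s\t%s\n", file, name, alias,
               (root == "" ? "MISSING-DocumentRoot" : root)
        inblock = 0
      }
    ' "$f"
  done
}

# count_missing DIR... : how many vhosts rely on the inherited DocumentRoot
count_missing() {
  vhost_report "$@" | grep -c 'MISSING-DocumentRoot$' || true
}

# On the server from the thread: vhost_report /etc/apache2/sites-enabled
```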


#20

If quantumstat.us & www.quantumstat.us serve the same content (from the same DocumentRoot)…
You can merge/combine them into a single block with:
ServerName quantumstat.us
ServerAlias www.quantumstat.us