Revoked cert and now cannot create a new cert; it expires in 3 months


#1

I revoked my cert for host knnubt03oc.
Tried Google and it does not show the revocation.
Google still happily connects to this https page… button still green (hmm).
Tried Mozilla Firefox and it works correctly to stop me accessing the https page.
http for both still works.

Now I need to re-issue the cert,
then realized that I can no longer issue a new cert on the same host.
I also cannot change the status of the revoked cert.
Cert renewal will happen in 3 months' time.

Therefore, I would like to know how to work around this issue I created.

  1. Is there a timeline for the revoked cert to be deleted?
  2. Is there any feature for me to self-service revoke and delete the cert so that I can re-issue again?
  3. Do I have to destroy the VM (IP address assigned by the service provider) and start a new instance so that I can issue a new cert?
  4. How do I manage my account, and what happens if I lose the backup of my
    "/etc/letsencrypt" or "/home/user/.acme" folder?

regards,
kuenn


#2

You didn’t need to revoke the certificate. The only time you should revoke a certificate is when your private key has been compromised.

I’m not familiar with how acme.sh works, but with the official client, I was able to simply delete the letsencrypt/archive folder, the letsencrypt/live folder, and the letsencrypt/renew folder and start again. I made sure I didn’t delete the letsencrypt/account folder.

No, definitely not.

I don’t know. If nobody here can help, you may have to ask on acme.sh’s github site.


#3

Thank you for the hint; I managed to work out the same for acme.sh.
Re-certification successfully done.
This is what I needed to do with the acme.sh tool.

Remove the old config file:

# mv /root/.acme.sh/<my_fqdn_name>/ /root/.acme.sh/<my_fqdn_name>-`date +%Y-%m-%d`

Re-issue new cert

# /root/acme.sh/acme.sh --issue -d <my_fqdn_name> -w /var/www/html

Note:

  • I am running nginx and the default wwwroot is /var/www/html/
  • I have to make sure that the folder /var/www/html/.well-known/ exists

The nginx configuration was already done (/etc/nginx/sites-available/default file).
Restart the service:

 # service nginx restart

Works!!


#4

Excellent! :slight_smile:

I’m very happy you got it working!


#5

For what this is worth, or in case it comes in handy in the future, here's how revocation works.

Revocation takes some time to become effective, so it is not surprising for it not to make any difference immediately.

Note that revocation doesn't "delete" anything; it can't (and doesn't) reach out to your server to delete things there, and deleting them wouldn't have any provable effect because someone could have other copies.

Instead, revocation consists of the CA (here Let's Encrypt) periodically creating a new signed document which says either that it revokes the original certificate or that the certificate is still OK. Software which is interested in whether your certificate has been revoked can ask the CA for this document via OCSP, the Online Certificate Status Protocol.

Google's Chrome browser does not use OCSP for ordinary HTTPS sites. Google decided that on balance the benefits were outweighed by the downside for users; you can read about their rationale in their own documentation. For Firefox, OCSP is usually "soft fail", which means it is not terribly effective but reduces the annoyance for end users.

Some day in the future, perhaps a few years from now, we hope to achieve widespread "Must-staple-OCSP", which means the web server provides proof that the certificates it has are still valid to every client, but even under Must-staple-OCSP it can take several days before a revocation takes effect. As DarkSteve explained, most people should not need to revoke certificates; it's a drastic option, and maybe the client software should explain that and ask you if you're really sure before doing it.
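To make the point in #5 concrete (revocation is nothing more than a signed status document from the CA, the certificate file itself never changes), here is an added example that is not part of the thread and not Let's Encrypt or acme.sh code: a complete OCSP request/response exchange run entirely offline with `openssl ocsp`. It creates a throwaway CA standing in for Let's Encrypt, issues one leaf certificate, and then plays both the client and the CA's responder once with the certificate marked valid and once with it marked revoked. The CA name, host name, serial number, revocation date and file names are all invented for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): an OCSP exchange run offline against a
# throwaway CA. All names, the serial 0x1A2B3C, the revocation date and the
# file layout are invented for this demo.
set -eu

# Build a self-signed CA and one leaf certificate (stand-ins for Let's Encrypt
# and the host certificate from the thread). Files are written into $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 30 -subj "/CN=Demo-CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=knnubt03oc.example" -keyout "$dir/ee.key" -out "$dir/ee.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 0x1A2B3C -days 30 -out "$dir/ee.pem" 2>/dev/null
}

# Write the CA's revocation database (index.txt in "openssl ca" format) with the
# leaf marked V (valid) or R (revoked). The responder looks entries up by the
# serial column only; the expiry column is only used by "openssl ca".
write_index() {
    dir=$1; status=$2
    serial=$(openssl x509 -in "$dir/ee.pem" -noout -serial | cut -d= -f2)
    subject="/CN=knnubt03oc.example"
    if [ "$status" = R ]; then
        # revocation date is UTCTime YYMMDDHHMMSSZ, optionally followed by ",reason"
        printf 'R\t991231235959Z\t250601120000Z,keyCompromise\t%s\tunknown\t%s\n' \
            "$serial" "$subject" > "$dir/index.txt"
    else
        printf 'V\t991231235959Z\t\t%s\tunknown\t%s\n' \
            "$serial" "$subject" > "$dir/index.txt"
    fi
}

# One OCSP round trip, entirely on disk:
#   client    -> req.der   "what is the status of serial 1A2B3C issued by Demo-CA?"
#   responder -> resp.der  signed answer, looked up in index.txt and signed by the CA
#   client    verifies resp.der against the CA and prints the status summary.
# Stdout is the client's summary, e.g. "<dir>/ee.pem: revoked" plus detail lines;
# "Response verify OK" goes to stderr and is suppressed here to keep stdout clean.
ocsp_exchange() {
    dir=$1; status=$2
    write_index "$dir" "$status"
    openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/ee.pem" -no_nonce \
        -reqout "$dir/req.der" >/dev/null 2>&1
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
        -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" -ndays 1 -no_nonce \
        -reqin "$dir/req.der" -respout "$dir/resp.der" -noverify >/dev/null 2>&1
    openssl ocsp -respin "$dir/resp.der" -issuer "$dir/ca.pem" -cert "$dir/ee.pem" \
        -CAfile "$dir/ca.pem" -no_nonce 2>/dev/null
}

# Reduce the client summary to the bare status word: good, revoked or unknown.
ocsp_status() {
    ocsp_exchange "$1" "$2" | sed -n 's/^.*ee\.pem: //p'
}

main() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    echo "before revocation: $(ocsp_status "$dir" V)"
    echo "after  revocation: $(ocsp_status "$dir" R)"
    # ee.pem is byte-for-byte the same in both runs; only the CA's signed
    # statement about its serial number changed. That is all revocation is.
    rm -rf "$dir"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh ocsp_demo.sh --run` (any file name works; the argument just triggers `main`). The responder step is the only place the CA's private key is used; the client step needs nothing but the CA certificate, which is why a browser that skips this step (Chrome for ordinary sites) or treats failure as "soft fail" (Firefox) can keep showing a revoked certificate as fine.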