Revoked certificate problem

My server: Ubuntu 18.04 LTS Apache/2.4.29 (Ubuntu)
Rackspace: shell access
certbot.main:certbot version: 0.31.0

I manage a name based hosting site.
We have 500 domain names with the same IP.

My best guess as of 11/17/2020 4:30 PM
A domain that I thought was revoked has become a problem. The letsencrypt revoke procedure showed that it was revoked successfully. The output is at the end of this post under ====

The domain has the old .pem files under /etc/letsencrypt/live/drfrankmartincir/
There currently are no files under /etc/letsencrypt/renewal/ for the domain name; however, I do not know if the renewal procedure (I use the plain vanilla Letsencrypt script)

I start and stop Apache whenever I need to add or delete domains. The server gets restarted for some Ubuntu updates.
For some reason, Apache refused to start until the /etc/apache2/sites-enabled/drfrankmartincir-le-ssl.conf was restored from a prior backup.

====
From my logs I see

cmd1: certbot revoke -n --cert-path /etc/letsencrypt/live/drfrankmartincir.com/cert.pem --reason superseded
opA1
Array
(
[0] =>
[1] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[2] => Deleted all files relating to certificate drfrankmartincir.com.
[3] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[4] =>
[5] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[6] => Congratulations! You have successfully revoked the certificate that was located
[7] => at /etc/letsencrypt/live/drfrankmartincir.com/cert.pem
[8] =>
[9] => - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
)

All my other sites and certs are behaving normally.

Why does Apache want an entry in /etc/apache2/sites-enabled/ for a certificate I revoked?
What can I do about it? I can manually edit any of the files I need to.

1 Like

Hi @gmgj

Why do you revoke the certificate if the private key is safe? That's always wrong. Let it expire, that's all.

Revoking a certificate doesn't change any config file. If you restore an older config file that uses the revoked certificate, the result is expected. Disable that site.

1 Like

Thanks for the reply! When we drop a site, we drop the DNS entries as well. We no longer control the name.
see my prior post
Renew fails no valid ip address

But you’re correct that the Subscriber Agreement requires that you revoke the certificate if you no longer control the domain. It’s in sections 3.2 and 3.7 (and possibly others).

What do you mean when you say disable the site?

There is no valid DNS entry for drfrankmartincir.com

My guess is disable means
delete all the letsencrypt files under /etc/letsencrypt for drfrankmartincir.com
and under /etc/apache

anything else I need to do?
I

1 Like

I believe I have found the source of my problem. When I revoked the cert, in this case it did not delete the Apache file /etc/apache2/sites-enabled/drfrankmartincir-le-ssl.conf (it was really mixed case: DrFrankMartinCIR-le-ssl.conf).

In order for apache to start, it wanted to see the .pem files.

So the following files were restored:

/etc/letsencrypt/live/drfrankmartincir.com
/etc/letsencrypt/archive/drfrankmartincir.com

So if I delete the apache files for the domain
and the files
/etc/letsencrypt/live/drfrankmartincir.com
/etc/letsencrypt/archive/drfrankmartincir.com, do you think I will be okay?

1 Like

You should never have to directly delete any files in the /etc/letsencrypt/ folders.
When you need to delete an LE cert, use certbot delete.

1 Like

If you have a port 443 vHost with a certificate, that's deleted -> the error is expected.

Revoking / deleting certificates doesn't change your Apache / nginx config files.

So first step: Remove the certificate usage.

Never delete / revoke certificates that are in use. And always use the official method, not manual deletion. That breaks configuration files.

2 Likes
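The "remove the certificate usage first" step, as an added bash example that is not code from the thread or from certbot: it lists the Apache vhost files that still load a given lineage (the ones to disable with a2dissite before the lineage goes away) and flags SSLCertificate*File paths that no longer exist, which is the condition that kept Apache from starting in this thread. The mod_ssl directive names and the /etc/letsencrypt/live/NAME/ layout are assumed; the sample vhosts and domain names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from certbot. Before running
# `certbot delete --cert-name NAME`, find the Apache vhost files that still
# load the lineage, and list any SSLCertificate*File whose .pem no longer exists.
# Assumes stock mod_ssl directive names and the /etc/letsencrypt/live/NAME/ layout.
set -u

# Print each .conf in $1 that references /etc/letsencrypt/live/$2/ (the vhosts
# to disable with a2dissite before the certificate is deleted).
find_vhosts_using_cert() {
    local confdir="$1" certname="$2"
    grep -lE "^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+/etc/letsencrypt/live/${certname}/" \
        "$confdir"/*.conf 2>/dev/null || true
}

# Print "conf: path" for every SSLCertificate*File path that does not exist.
# $2 (optional) is a root prefix so a backup or test tree can be checked instead of /.
find_dangling_cert_refs() {
    local confdir="$1" root="${2:-}" f
    for f in "$confdir"/*.conf; do
        [ -e "$f" ] || continue
        sed -nE 's/^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+([^[:space:]]+).*/\2/p' "$f" |
        while read -r path; do
            [ -e "${root}${path}" ] || printf '%s: %s\n' "$f" "$path"
        done
    done
}

# Constructed demo: one vhost whose lineage exists (example.com), one
# (dropped.example) whose lineage was deleted while its -le-ssl.conf stayed enabled.
demo() {
    local tmp name; tmp=$(mktemp -d)
    mkdir -p "$tmp/sites-enabled" "$tmp/root/etc/letsencrypt/live/example.com"
    : > "$tmp/root/etc/letsencrypt/live/example.com/fullchain.pem"
    : > "$tmp/root/etc/letsencrypt/live/example.com/privkey.pem"
    for name in example.com dropped.example; do
        printf '<VirtualHost *:443>\n    ServerName %s\n    SSLCertificateFile /etc/letsencrypt/live/%s/fullchain.pem\n    SSLCertificateKeyFile /etc/letsencrypt/live/%s/privkey.pem\n</VirtualHost>\n' \
            "$name" "$name" "$name" > "$tmp/sites-enabled/$name-le-ssl.conf"
    done
    echo "vhosts using dropped.example:"; find_vhosts_using_cert "$tmp/sites-enabled" dropped.example
    echo "dangling references:";         find_dangling_cert_refs "$tmp/sites-enabled" "$tmp/root"
    rm -rf "$tmp"
    # On the real server the order is then: a2dissite dropped.example-le-ssl &&
    # apachectl configtest && systemctl reload apache2 && certbot delete --cert-name dropped.example
}
demo
```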
