Revoking a lost certificate


#1

How does one revoke (or recover) a lost certificate?


#2

You can find your certificate in the public certificate logs.

Example: https://crt.sh/?Identity=%kelunik.com%&iCAID=7395

You will need either your account’s private key or your domain private key.


#3

I’ve just checked my domain name on crt.sh and it turns out letsencrypt created 5 different certificates for it, so I’ve effectively reached the limit.

Given that

You will need either your account’s private key or your domain private key.

how do I actually go about revoking all these certificates?

Using letsencrypt obviously won’t work as, due to my stupidity, I’ve removed the actual certificates.


#4

You’ve removed all of Let’s Encrypt’s directories and stuff? Including the private keys? :grimacing:


#5

Well, you can probably recover your account, download the certificate from the log and then revoke it, but is it worth the trouble? Probably not. If the keys are lost, nobody can abuse it. :stuck_out_tongue_winking_eye:


#6

@Osiris, nah, not that stupid :smile:. I did purge the archives directory though, which contained all the previously issued certificates.

@kelunik, I am more so trying to revoke them all to bypass the rate limit of 5 certs. Would you be able to clarify how I could go about recovering my account and getting access to the logs?


#7

I already sent you the link to the logs. I just read something about account recovery in the spec, didn’t implement it yet, so I don’t know how it works.

You can’t issue any new certs if you revoke previous certificates. The rate limit is not affected by revocation.


#8

I see.

I assumed otherwise based on this community post.


#9

If I’m not mistaken, the rate limit is 5 per week and the certs will be revoked once they expire, correct?


#10

They’re not revoked in the sense that they’re pushed to revocation lists and such. Clients simply stop accepting them as they’re expired (validFrom and validTo are part of the certificate; clients compare those dates with the current system time). Same result, different mechanism. :smile:


#11

That’s correct, revocation won’t reset the limit. However, the limit does expire in 7 days.

In the meantime if you’d like to continue testing Let’s Encrypt, you can use the staging server. It has much higher rate limits but doesn’t produce valid, trusted certificates. Add the --server https://acme-staging.api.letsencrypt.org/directory flag to your client command line.
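The thread works through two things by hand: looking the domain up in the public CT logs on crt.sh (#2) and reasoning about the 5-per-week limit and about certificates simply aging out via their validity dates (#9 to #11). The Python below is an added example, not part of the thread and not code from any Let’s Encrypt client. It takes records in the shape of crt.sh’s JSON output (`https://crt.sh/?q=<domain>&output=json`; the field names `id`, `issuer_ca_id`, `name_value`, `serial_number`, `not_before`, `not_after` are assumed from that API), deduplicates the precertificate/certificate pairs crt.sh lists for the same serial, filters by issuer CA id (7395 is the value from the crt.sh URL earlier in the thread; 9999 is a constructed "other CA" id), counts how many certificates were issued in the trailing 7-day window against the limit of 5, checks validFrom/validTo against the clock the way a client does, and reports when the oldest in-window certificate drops out of the window. The records and the fixed clock are constructed so the example runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real crt.sh data) in the shape crt.sh returns
# from https://crt.sh/?q=<domain>&output=json (assumption: field names as below).
# crt.sh normally lists a precertificate and the final certificate as separate
# entries sharing one serial number, so serial 03aa02 appears twice on purpose.
# issuer_ca_id 9999 is a made-up "some other CA" id used to show filtering.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 101, "issuer_ca_id": 7395, "name_value": "example.com", "serial_number": "03aa01",
     "not_before": "2016-03-06T10:00:00", "not_after": "2016-06-04T10:00:00"},
    {"id": 102, "issuer_ca_id": 7395, "name_value": "example.com", "serial_number": "03aa02",
     "not_before": "2016-03-30T08:00:00", "not_after": "2016-06-28T08:00:00"},
    {"id": 103, "issuer_ca_id": 7395, "name_value": "example.com", "serial_number": "03AA02",
     "not_before": "2016-03-30T08:00:00", "not_after": "2016-06-28T08:00:00"},
    {"id": 104, "issuer_ca_id": 7395, "name_value": "example.com", "serial_number": "03aa03",
     "not_before": "2016-04-01T09:00:00", "not_after": "2016-06-30T09:00:00"},
    {"id": 105, "issuer_ca_id": 7395, "name_value": "example.com", "serial_number": "03aa04",
     "not_before": "2016-04-03T11:30:00", "not_after": "2016-07-02T11:30:00"},
    {"id": 106, "issuer_ca_id": 7395, "name_value": "example.com", "serial_number": "03aa05",
     "not_before": "2016-04-04T16:00:00", "not_after": "2016-07-03T16:00:00"},
    {"id": 107, "issuer_ca_id": 9999, "name_value": "example.com", "serial_number": "77bb01",
     "not_before": "2016-04-02T12:00:00", "not_after": "2017-04-02T12:00:00"},
    {"id": 100, "issuer_ca_id": 7395, "name_value": "example.com", "serial_number": "03aa00",
     "not_before": "2015-12-01T10:00:00", "not_after": "2016-02-29T10:00:00"},
])

# Fixed "current time" for the sample so the results are reproducible (constructed).
SAMPLE_NOW = datetime(2016, 4, 5, 12, 0, tzinfo=timezone.utc)

RATE_LIMIT = 5                 # certificates per window, as stated in the thread
RATE_WINDOW = timedelta(days=7)


def _parse_ts(value):
    """crt.sh timestamps carry no zone; treat them as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_entries(raw_json):
    """Turn the JSON records into dicts with real datetimes and normalised serials."""
    entries = []
    for rec in json.loads(raw_json):
        entries.append({
            "id": rec["id"],
            "issuer_ca_id": rec["issuer_ca_id"],
            "name_value": rec["name_value"],
            "serial_number": rec["serial_number"].lower(),
            "not_before": _parse_ts(rec["not_before"]),
            "not_after": _parse_ts(rec["not_after"]),
        })
    return entries


def unique_certificates(entries, issuer_ca_id=None):
    """One record per serial (precert + cert collapse), optionally for one issuer."""
    by_serial = {}
    for entry in entries:
        if issuer_ca_id is not None and entry["issuer_ca_id"] != issuer_ca_id:
            continue
        by_serial.setdefault(entry["serial_number"], entry)
    return sorted(by_serial.values(), key=lambda e: e["not_before"])


def is_valid_at(cert, when):
    """The check a client performs: validFrom <= now <= validTo."""
    return cert["not_before"] <= when <= cert["not_after"]


def issued_in_window(certs, now, window=RATE_WINDOW):
    """Certificates whose notBefore falls inside the trailing window."""
    return [c for c in certs if now - window < c["not_before"] <= now]


def rate_limit_status(raw_json, issuer_ca_id, now=SAMPLE_NOW,
                      limit=RATE_LIMIT, window=RATE_WINDOW):
    """Summarise what the CT log says about this domain and the issuance limit."""
    certs = unique_certificates(parse_entries(raw_json), issuer_ca_id)
    recent = issued_in_window(certs, now, window)   # already sorted by notBefore
    return {
        "total": len(certs),
        "issued_last_window": len(recent),
        "remaining": max(limit - len(recent), 0),
        "unexpired": sum(1 for c in certs if is_valid_at(c, now)),
        "expired_serials": [c["serial_number"] for c in certs if not is_valid_at(c, now)],
        # when the oldest in-window certificate stops counting against the limit
        "first_slot_frees_at": (recent[0]["not_before"] + window) if recent else None,
    }


if __name__ == "__main__":
    status = rate_limit_status(SAMPLE_CRTSH_JSON, 7395)
    for key, value in status.items():
        print(f"{key}: {value}")
```

Replacing `SAMPLE_CRTSH_JSON` with the body fetched from the crt.sh URL for your own domain turns this into the inventory step the thread describes: the CT log is what tells you which certificates exist even after the local `archive` directory is gone. The window arithmetic is an approximation of the 5-per-week figure in the thread, not the CA’s own accounting, which is why the thread’s advice to just wait out the week, or to use the staging endpoint meanwhile, is the practical answer.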