Revoking Certs created through ZeroSSL web interface for Lets Encrypt


#1

I’ve hit the limit for certificates on one of my subdomains. As I am new to the technology, I’d been using multiple private keys and generating new accounts per subdomain. I was trying to get them all under one private key/account and I’ve hit the limit of certs for a specific subdomain. I’m sure in my rush I don’t have all the information to revoke them all, but I can prove I own the domain and need the certs that can be revoked… revoked.

Is there some way to get this done? I’ve been using ZeroSSL to generate my certs via their web interface.


#2

In order to revoke the certificates, you would need either the private key of your certificate or your account key. There is no other way to revoke certificates that’s available to you under these circumstances.

If you still have the account key, but not all of the individual certificates, you can try searching for certificates issued to your domain on https://crt.sh/, download the individual certificates, and revoke them using the account key, for example via certbot revoke --cert-path /path/to/cert_from_crt.sh.pem.

Since you’ve mentioned rate limits: If your goal was to revoke the certificates to reset your rate limit counters, that won’t work. The resource that’s being rate limited is Let’s Encrypt’s capacity to sign certificates (and OCSP responses for those certificates), and not the number of active (non-expired) certificates that exist in general. Revoking a certificate does not decrease the resource usage, so it doesn’t affect the rate limit counter either. Your only option here is to wait a week from the first issuance, so maybe you won’t have to bother with revocation at all.
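To make the two points in the reply above concrete (revoking with the account key from crt.sh downloads, and the weekly window that revocation does not reset), here is an added example that is not code from this thread or from ZeroSSL. It takes crt.sh search results for a name, collapses duplicate log entries, lists the certificates that are still live with the certbot revoke form given above, and computes when the trailing issuance window clears. Assumptions, not stated in the thread: the crt.sh JSON export (https://crt.sh/?q=<name>&output=json) yields one record per logged certificate with the fields used below, precertificates and final certificates appear as separate entries sharing a serial number, and a single certificate can be downloaded as PEM from https://crt.sh/?d=<id>. The records, names, ids and serial numbers are constructed for the example, and the per-window limit is a parameter rather than a claim about the current policy.

```python
"""Plan revocations and estimate rate-limit release from crt.sh search results.

Added example; not code from the thread.  The crt.sh field names, the ?d=<id>
download URL and the sample records below are assumptions/constructed data.
"""
from datetime import datetime, timedelta, timezone

# Constructed "current time" for the worked example.
NOW = datetime(2016, 3, 5, 12, 0, tzinfo=timezone.utc)


def _rec(cid, serial, not_before, not_after, name="mineos.example.test"):
    """Build one record in the assumed crt.sh JSON layout (constructed data)."""
    return {"id": cid, "serial_number": serial, "common_name": name,
            "name_value": name, "not_before": not_before, "not_after": not_after}


# Serials 02 and 04 appear twice: crt.sh logs the precertificate and the final
# certificate as separate entries (assumption), so the same issuance shows up twice.
SAMPLE_CRTSH_JSON = [
    _rec(1001, "01", "2015-11-01T10:00:00", "2016-01-30T10:00:00"),  # already expired
    _rec(2001, "02", "2016-03-01T08:00:00", "2016-05-30T08:00:00"),
    _rec(2002, "02", "2016-03-01T08:00:00", "2016-05-30T08:00:00"),
    _rec(2003, "03", "2016-03-02T09:00:00", "2016-05-31T09:00:00"),
    _rec(2004, "04", "2016-03-03T10:00:00", "2016-06-01T10:00:00"),
    _rec(2005, "04", "2016-03-03T10:00:00", "2016-06-01T10:00:00"),
    _rec(2006, "05", "2016-03-04T11:00:00", "2016-06-02T11:00:00"),
    _rec(2007, "06", "2016-03-05T07:00:00", "2016-06-03T07:00:00"),
]


def _parse_ts(value):
    """crt.sh timestamps are naive ISO-8601 strings in UTC (assumption)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def dedupe_by_serial(records):
    """One record per serial number, keeping the lowest crt.sh id."""
    by_serial = {}
    for rec in records:
        serial = rec["serial_number"].lower()
        if serial not in by_serial or rec["id"] < by_serial[serial]["id"]:
            by_serial[serial] = rec
    return by_serial


def active_certs(records, now):
    """Unique certificates that have not expired at `now`, oldest issuance first."""
    live = [r for r in dedupe_by_serial(records).values()
            if _parse_ts(r["not_after"]) > now]
    return sorted(live, key=lambda r: _parse_ts(r["not_before"]))


def rate_limit_release(records, now, limit, window=timedelta(days=7)):
    """Earliest time at which fewer than `limit` issuances fall in the trailing window.

    Revocation and expiry are deliberately ignored: the counter tracks signing
    events, so only the passage of time lowers it.
    """
    issued = sorted(_parse_ts(r["not_before"]) for r in dedupe_by_serial(records).values())
    in_window = [t for t in issued if now - window < t <= now]
    if len(in_window) < limit:
        return now
    # The (n - limit + 1)-th oldest issuance has to age out of the window first.
    return in_window[len(in_window) - limit] + window


def revoke_commands(records, now):
    """Shell lines that fetch each live certificate and revoke it with the account key,
    using the certbot form from the reply above.  Check that the downloaded PEM is the
    end-entity certificate (not the precertificate) before running a line."""
    return [f"curl -sS -o cert-{r['id']}.pem 'https://crt.sh/?d={r['id']}' "
            f"&& certbot revoke --cert-path cert-{r['id']}.pem"
            for r in active_certs(records, now)]


if __name__ == "__main__":
    print(f"{len(active_certs(SAMPLE_CRTSH_JSON, NOW))} live certificates")
    for line in revoke_commands(SAMPLE_CRTSH_JSON, NOW):
        print(line)
    print("window clears at", rate_limit_release(SAMPLE_CRTSH_JSON, NOW, limit=5).isoformat())
```

Run against real crt.sh output by loading the JSON into `SAMPLE_CRTSH_JSON`'s place; the revoke lines are printed rather than executed so they can be reviewed first.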


#3

It’s not that I have per se hit the rate limit; ZeroSSL’s message is that I have hit the limit of SSLs I can have for that domain… so I figured if I revoked some it would work again.

https://crt.sh/?Identity=%elitepc.us&iCAID=16418 <-- as you see, I have 5 SSLs listed for mineos. I figured if I revoked some (even just 2) those would disappear and I could then reissue a proper one over the right private key, keeping them in line with the other SSLs I had issued.


#4

Revoking a cert won’t make them “disappear”…


#5

Technically I could add a revocation feature on ZeroSSL, but I’m not sure it is something many would ever need to be honest. Also, as it was pointed out here earlier, revocation would not “free” any slots for new domain names.

Normally the limits are rather generous and you should be able to get new certificates soon. You could also put multiple (up to 100) names on a single certificate (though with a large number of domains I would recommend putting some automation in place - for example by using le.pl, rather than using an interactive online client).


#6

Alex,

At the time I found your interface I was brand new to the letsencrypt technology. My issue with clients has been that my domain names are IPv6 only, so having your website, which does verification via a TXT record, was really nice. If the le.pl client supports TXT verification for DNS I’d be happy to look into it.

My reason for needing certificates is that I am building a massive web-based application for a client using MySQL, Node JS, PHP, and a few other technologies, and in test I slapped them all behind an HAProxy in my lab at my house. HAProxy is actually automatically loading the right domain based on the host_hdr record and from there selects the right certificate from a folder before passing the connection to the end point.

If le.pl does the TXT record DNS verification then it could “theoretically” be one of the missing links for automating this whole web application.

thanks,
Vantz


#7

Indeed it does. Actually, if you know Perl a little, you could also easily extend it to add/remove text records in your DNS automatically.

Regarding the LE rate limits, I will probably mention those specifically on “How to use” pages, even though those are unlikely to be triggered often. Hopefully it will be helpful anyway.


#8

Alex,

I appreciate you taking the time to explain this a little further. While I don’t per se know Perl, I didn’t know Docker, HAProxy, or NodeJS before starting this project. I’m a dinosaur; I like my PHP, it just works lol, but with changing times comes evolving technology. I’m sure I could figure out how to use GoDaddy’s API and automate the text records. Again, thanks for your help and I appreciate such a quick response.

Vantz


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.