[SOLVED] How To Remove Certificate Using Snapd

0rcaCPA · October 3, 2020, 6:09am

What is the easiest way to remove a certificate?

The issue is, I installed certbot with snapd so I think the command is different then here. This is the end of my skill set.

My domain is: orcanutrition.com

I ran this command:

certbot revoke --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

It produced this output:

sudo: certbot: command not found

My web server is (include version):

Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.8.0

_az · October 3, 2020, 5:44am

You might have to set up the command like so:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

This instruction got added recently to the instructions.

When deleting a certificate, make sure that you have removed any references to it from your webserver configuration. Otherwise, your webserver won't be able to restart.

rg305 · October 3, 2020, 5:48am

Why REVOKE ? ? ? ? ?

0rcaCPA · October 3, 2020, 5:56am

I removed the .conf file and the directory certbot made.

I entered the command you provided.

Then I ran

sudo certbot revoke --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

and got

certbot: error: argument --cert-path: No such file or directory

I am in /etc/letsencrypt/archive
orcanutrition.com directory no longer exists, is that the problem?

@rg305, this was the command I was provided

rg305 · October 3, 2020, 6:09am

REVOKE is a very strong and resource consuming action.
It is not to be taken just to delete a cert.
There is a command for that; It's called "delete".

So, then, why were you provided with that instruction?
What did you ask that led them to answer you that way?

_az · October 3, 2020, 6:09am

Indeed, you should not be manually deleting any files or directories under /etc/letsencrypt/. Once you do that, Certbot no longer understands how to interpret your commands.

Deletion should be done via certbot delete --cert-name <name>.

As yes, unless you believe somebody has stolen your private keys, there's no need for revocation.

0rcaCPA · October 3, 2020, 6:08am

Okay great thanks!

sudo certbot delete --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

I was reading this page:

https://letsencrypt.org/docs/revoking/

Osiris · October 3, 2020, 9:55am

But why?

Not sure about that.. The OCSP responses need to be signed anyway. Doesn't really matter if the response says "VALID" or "REVOKED".

rg305 · October 3, 2020, 6:20pm

Let's start with:
OCSP response signing is the majority of what our HSMs handle on a daily basis and shedding some load is a good idea.
-@phil
See: Why not revoke a certificate after renewal or end of use?

Osiris · October 4, 2020, 1:24am

@rg305 Your statement and link are not very useful (not at all to be exact). The quote about OCSP signing and HSM load does not mention the difference between a VALID or REVOKED OCSP status. The link you gave also doesn't make any distinction except for revoking possibly leading to a LOWER load.

OCSP responses need to be signed anyway...

rg305 · October 4, 2020, 1:45am

@Osiris, I don't work for LE, so I can't say with complete certainty.
But I have heard it said over the years that you should NOT revoke a certificate without cause because it add an unnecessary load to the HSM.
Maybe someone more familiar with this can chime in...
@schoen
@jsha

Osiris · October 4, 2020, 10:26am

It does add a little bit if you just count the amount of times the HSM has to sign anything:

1 signature for signing the certificate
10 signatures for OCSP (3 days lifetime) during the 90 day lifetime of the certificate

If you add a revocation, that OCSP response has to be signed immediately, so adds one to the already 11 signatures, making it 12.

For a sporadic revocation, that doesn't really matter on the 1.5+ millions of certificates issued per day, but an increase of 9 % load on the HSM if every certificate would be revoked during the lifetime of the certificate is a different story.

So personally, IMO revocation doesn't constitute a "very resource consuming action" if done in moderation.