[SOLVED] How To Remove Certificate Using Snapd

Help
1

What is the easiest way to remove a certificate?

The issue is, I installed certbot with snapd so I think the command is different then here. This is the end of my skill set.

My domain is: orcanutrition.com

I ran this command:

certbot revoke --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

It produced this output:

sudo: certbot: command not found

My web server is (include version):

Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.8.0

2

You might have to set up the command like so:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

This instruction got added recently to the instructions.

When deleting a certificate, make sure that you have removed any references to it from your webserver configuration. Otherwise, your webserver won't be able to restart.

3

Why REVOKE ? ? ? ? ?

4

I removed the .conf file and the directory certbot made.

I entered the command you provided.

Then I ran

sudo certbot revoke --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

and got

certbot: error: argument --cert-path: No such file or directory

I am in /etc/letsencrypt/archive
orcanutrition.com directory no longer exists, is that the problem?

@rg305, this was the command I was provided

5

REVOKE is a very strong and resource consuming action.
It is not to be taken just to delete a cert.
There is a command for that; It's called "delete".

So, then, why were you provided with that instruction?
What did you ask that led them to answer you that way?

6

Indeed, you should not be manually deleting any files or directories under /etc/letsencrypt/. Once you do that, Certbot no longer understands how to interpret your commands.

Deletion should be done via certbot delete --cert-name <name>.

As yes, unless you believe somebody has stolen your private keys, there's no need for revocation.

7

Okay great thanks!

sudo certbot delete --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

I was reading this page:

Revoking Certificates - Let's Encrypt

8

But why?   

Not sure about that.. The OCSP responses need to be signed anyway. Doesn't really matter if the response says "VALID" or "REVOKED".

9

Let's start with:
OCSP response signing is the majority of what our HSMs handle on a daily basis and shedding some load is a good idea.
-@phil
See: Why not revoke a certificate after renewal or end of use?

10

@rg305 Your statement and link are not very useful (not at all to be exact). The quote about OCSP signing and HSM load does not mention the difference between a VALID or REVOKED OCSP status. The link you gave also doesn't make any distinction except for revoking possibly leading to a LOWER load.

OCSP responses need to be signed anyway...

11

@Osiris, I don't work for LE, so I can't say with complete certainty.
But I have heard it said over the years that you should NOT revoke a certificate without cause because it add an unnecessary load to the HSM.
Maybe someone more familiar with this can chime in...
@schoen
@jsha

12

It does add a little bit if you just count the amount of times the HSM has to sign anything:

  • 1 signature for signing the certificate
  • 10 signatures for OCSP (3 days lifetime) during the 90 day lifetime of the certificate

If you add a revocation, that OCSP response has to be signed immediately, so adds one to the already 11 signatures, making it 12.

For a sporadic revocation, that doesn't really matter on the 1.5+ millions of certificates issued per day, but an increase of 9 % load on the HSM if every certificate would be revoked during the lifetime of the certificate is a different story.

So personally, IMO revocation doesn't constitute a "very resource consuming action" if done in moderation.