[SOLVED] How To Remove Certificate Using Snapd

What is the easiest way to remove a certificate?

The issue is, I installed certbot with snapd so I think the command is different then here. This is the end of my skill set.

My domain is: orcanutrition.com

I ran this command:

certbot revoke --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

It produced this output:

sudo: certbot: command not found

My web server is (include version):

Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.8.0

1 Like

You might have to set up the command like so:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

This instruction got added recently to the instructions.

When deleting a certificate, make sure that you have removed any references to it from your webserver configuration. Otherwise, your webserver won't be able to restart.


Why REVOKE ? ? ? ? ?

1 Like

I removed the .conf file and the directory certbot made.

I entered the command you provided.

Then I ran

sudo certbot revoke --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

and got

certbot: error: argument --cert-path: No such file or directory

I am in /etc/letsencrypt/archive
orcanutrition.com directory no longer exists, is that the problem?

@rg305, this was the command I was provided

1 Like

REVOKE is a very strong and resource consuming action.
It is not to be taken just to delete a cert.
There is a command for that; It's called "delete".

So, then, why were you provided with that instruction?
What did you ask that led them to answer you that way?


Indeed, you should not be manually deleting any files or directories under /etc/letsencrypt/. Once you do that, Certbot no longer understands how to interpret your commands.

Deletion should be done via certbot delete --cert-name <name>.

As yes, unless you believe somebody has stolen your private keys, there's no need for revocation.


Okay great thanks!

sudo certbot delete --cert-path /etc/letsencrypt/archive/orcanutrition.com/cert1.pem

I was reading this page:


1 Like

But why?   

Not sure about that.. The OCSP responses need to be signed anyway. Doesn't really matter if the response says "VALID" or "REVOKED".

Let's start with:
OCSP response signing is the majority of what our HSMs handle on a daily basis and shedding some load is a good idea.
See: Why not revoke a certificate after renewal or end of use?

@rg305 Your statement and link are not very useful (not at all to be exact). The quote about OCSP signing and HSM load does not mention the difference between a VALID or REVOKED OCSP status. The link you gave also doesn't make any distinction except for revoking possibly leading to a LOWER load.

OCSP responses need to be signed anyway...

@Osiris, I don't work for LE, so I can't say with complete certainty.
But I have heard it said over the years that you should NOT revoke a certificate without cause because it add an unnecessary load to the HSM.
Maybe someone more familiar with this can chime in...

It does add a little bit if you just count the amount of times the HSM has to sign anything:

  • 1 signature for signing the certificate
  • 10 signatures for OCSP (3 days lifetime) during the 90 day lifetime of the certificate

If you add a revocation, that OCSP response has to be signed immediately, so adds one to the already 11 signatures, making it 12.

For a sporadic revocation, that doesn't really matter on the 1.5+ millions of certificates issued per day, but an increase of 9 % load on the HSM if every certificate would be revoked during the lifetime of the certificate is a different story.

So personally, IMO revocation doesn't constitute a "very resource consuming action" if done in moderation.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.