Let’s Encypt: удалить сертификат

Автор: | 22/01/2018
 

Начали приходить уведомления об ошибках обновления сертификатов для некоторых dev-доменов, надо поудалять неиспользуемые сертификаты.

Документация – тут>>>.

Всё есть в помощи:

[simterm]

# /opt/letsencrypt/letsencrypt-auto -h
...
manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate
...

[/simterm]

Проверяем список имеющихся сертификатов:

[simterm]

# /opt/letsencrypt/letsencrypt-auto certificates | grep -A 4 -e global-e-shop.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/global-e-shop.domain.com/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/preview.jm-website-sw-dev.domain.ms/cert.pem is unknown
  Certificate Name: global-e-shop.domain.com
    Domains: global-e-shop.domain.com
    Expiry Date: 2017-10-31 08:28:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/global-e-shop.domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/global-e-shop.domain.com/privkey.pem

[/simterm]

Собственно – вот и два сертификата, на DNS записей уже не существует:

Revocation status for /etc/letsencrypt/live/global-e-shop.domain.com/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/preview.jm-website-sw-dev.domain.ms/cert.pem is unknown

Вызываем letsencrypt-auto с опцией revoke, передаём путь к файлу сертификата, после его отзыва Let’s Encrypt предложит удалить и все связанные с ним файлы:

[simterm]

# /opt/letsencrypt/letsencrypt-auto revoke --cert-path /etc/letsencrypt/archive/global-e-shop.domain.com/cert1.pem 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
--------------------------------------------------------------------------
Would you like to delete the cert(s) you just revoked?
--------------------------------------------------------------------------
(Y)es (recommended)/(N)o: 
(Y)es (recommended)/(N)o: y

--------------------------------------------------------------------------
Deleted all files relating to certificate global-e-shop.domain.com.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /etc/letsencrypt/archive/global-e-shop.domain.com/cert1.pem
--------------------------------------------------------------------------

[/simterm]

Готово.