Joel Always one syllable

Weeknotes for the week ending Apr.22

22 Apr 2022

Revoke LetsEncrypt Certs in Traefik’s acme.json File

First, credit where credit is due to Daniel and Senan in this Traefik issue. To them I say “thank you”.

Second, a little context. In the past few months I’ve been tinkering with self-hosting some of my own apps, as well as some services at home. Among the things I’ve been experimenting with is Traefik, a “cloud native proxy”. One of the nice things Traefik does is generate and set up LetsEncrypt certificates if you set all the things up correctly. It takes some tinkering but once you get it, it’s really nice.

Now, all of the above is true until you run into the day you need to revoke one of those certs. Perhaps you would like to move to another host? Or switch to Nginx? Searching for a solution mostly turns up pages about the recent forced revocation of certificates:

Let’s Encrypt sent me an email that our certificates which were checked with a CAA record will be revoked tomorrow because of a bug in the implementation.

… lots of that.

So - how do you revoke and delete the cert Traefik had generated?

The answer lies in extracting the key and cert from the acme.json file Traefik generates. To do so:

  1. Use the jq tool to dig the right entry out of that JSON file,
  2. pipe the value into base64 to decode it, and
  3. redirect STDOUT to a temporary file.

In the following example, my LetsEncrypt info is nested within the dnsimple key. That top-level key is the name of the certificate resolver in your Traefik config; I named mine after DNSimple, the DNS provider I use to answer LetsEncrypt’s DNS challenges, so substitute whatever you called yours. Each entry under Certificates has a domain object (main plus any sans) and the certificate and key as base64-encoded PEM. Also yourdomain.pizza is neither my domain, nor one that’s registered (Yet? So have at it).

cat acme.json \
  | jq -r ".dnsimple .Certificates | .[] | select(.domain.main == \"yourdomain.pizza\").key" \
  | base64 --decode \
  > /tmp/tmp.key

cat acme.json \
  | jq -r ".dnsimple .Certificates | .[] | select(.domain.main == \"yourdomain.pizza\").certificate" \
  | base64 --decode \
  > /tmp/tmp.cert

After generating those two temp files you can revoke your domain’s cert with the following. Two caveats: the temp files hold your private key, so create them with a restrictive umask (umask 077 before the pipelines above) and delete them when you are done; and the certificate field holds the whole PEM chain with the leaf cert first. The letsencrypt command is the older name of the certbot client, and certbot revoke takes the same flags. Because you hand it the private key, certbot proves it may revoke by signing with that key, so it does not need your ACME account. Certbot can only delete certificates it issued and manages itself; this one lives in acme.json, so “deleting” it means stopping Traefik, removing the entry from acme.json (which must stay mode 600 or Traefik will refuse to load it), and starting Traefik again:

letsencrypt revoke \
  -d "yourdomain.pizza" \
  --key-path /tmp/tmp.key \
  --cert-path /tmp/tmp.cert
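The same three steps (extract, revoke, prune) as one script, as an added example that is not part of the original post and not Traefik’s or certbot’s own code. It replaces the jq pipeline with Python’s standard library, stages the key and the leaf cert in files created 0600 from the start, builds the certbot revoke command rather than running it, and rewrites acme.json without the entry while keeping the 0600 mode. The acme.json layout, the resolver name dnsimple, the domain names and the fake PEM bodies are all constructed for the example.

```python
# Added example, not Traefik's or the post author's code. Assumes the Traefik v2
# acme.json layout, one top-level key per certificate resolver:
#   {"<resolver>": {"Account": {...},
#                   "Certificates": [{"domain": {"main": "...", "sans": [...]},
#                                     "certificate": "<base64 PEM chain>",
#                                     "key": "<base64 PEM private key>"}]}}
import base64
import json
import os
import stat
import tempfile

PEM_CERT_END = "-----END CERTIFICATE-----"


def find_entry(acme, resolver, domain):
    """Return the entry whose main name or one of whose SANs is `domain`."""
    for entry in acme.get(resolver, {}).get("Certificates", []):
        names = entry["domain"]
        if names.get("main") == domain or domain in names.get("sans", []):
            return entry
    raise KeyError(f"no certificate for {domain!r} under resolver {resolver!r}")


def decode_pem(field):
    """acme.json stores the PEM text base64-encoded a second time; undo that layer."""
    return base64.b64decode(field).decode("ascii")


def leaf_only(chain_pem):
    """Traefik stores the full chain (leaf first, then issuers); keep just the leaf."""
    end = chain_pem.find(PEM_CERT_END)
    if end == -1:
        raise ValueError("certificate field does not contain a PEM certificate")
    return chain_pem[: end + len(PEM_CERT_END)] + "\n"


def write_private(path, text):
    """Create the file with mode 0600 from the first byte; it holds a private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def stage(acme, resolver, domain, outdir=None):
    """Write <domain>.key and <domain>.cert into a fresh private (0700) directory."""
    entry = find_entry(acme, resolver, domain)
    outdir = outdir or tempfile.mkdtemp(prefix="traefik-revoke-")
    key_path = os.path.join(outdir, f"{domain}.key")
    cert_path = os.path.join(outdir, f"{domain}.cert")
    write_private(key_path, decode_pem(entry["key"]))
    write_private(cert_path, leaf_only(decode_pem(entry["certificate"])))
    return key_path, cert_path


def revoke_command(key_path, cert_path, reason="superseded"):
    """certbot signs the revocation with the cert's own key, so no ACME account
    is needed. Hand this list to subprocess.run() when you are ready to revoke."""
    return ["certbot", "revoke", "--non-interactive", "--reason", reason,
            "--key-path", key_path, "--cert-path", cert_path]


def prune(acme, resolver, domain):
    """Return a copy of the acme.json data without the entry whose main name is `domain`."""
    pruned = json.loads(json.dumps(acme))
    certs = pruned[resolver]["Certificates"]
    pruned[resolver]["Certificates"] = [e for e in certs if e["domain"].get("main") != domain]
    return pruned


def write_acme(path, acme):
    """Rewrite acme.json atomically, keeping the 0600 mode Traefik insists on.
    Stop Traefik first: it rewrites the file itself and would clobber the edit."""
    tmp = path + ".tmp"
    write_private(tmp, json.dumps(acme, indent=2))
    os.replace(tmp, path)


# Constructed sample data: the PEM bodies are placeholders, not real key material.
def _b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")


SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakekey\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nMIIFfakeleaf\n-----END CERTIFICATE-----\n"
SAMPLE_ISSUER = "-----BEGIN CERTIFICATE-----\nMIIFfakeissuer\n-----END CERTIFICATE-----\n"


def sample_acme():
    """Roughly what Traefik writes for two certs under a resolver named dnsimple."""
    return {"dnsimple": {
        "Account": {"Email": "admin@yourdomain.pizza"},
        "Certificates": [
            {"domain": {"main": "yourdomain.pizza", "sans": ["www.yourdomain.pizza"]},
             "certificate": _b64(SAMPLE_LEAF + SAMPLE_ISSUER), "key": _b64(SAMPLE_KEY),
             "Store": "default"},
            {"domain": {"main": "other.example"},
             "certificate": _b64(SAMPLE_LEAF), "key": _b64(SAMPLE_KEY),
             "Store": "default"}]}}


if __name__ == "__main__":
    acme = sample_acme()
    key_path, cert_path = stage(acme, "dnsimple", "yourdomain.pizza")
    print(" ".join(revoke_command(key_path, cert_path)))
    left = prune(acme, "dnsimple", "yourdomain.pizza")["dnsimple"]["Certificates"]
    print("left in acme.json:", [e["domain"]["main"] for e in left])
```

Looking up by SAN as well as main matters when the name you want to revoke is only a SAN on a multi-name cert; pruning by main removes the whole entry, since Traefik will simply re-request a cert for any router that still references the names once it starts again.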

This was all incredibly annoying. Annoying enough that it warrants recording it here for posterity for my own selfish purposes, and possibly for the next poor soul trying to figure this out and maybe googling for something that brings this post up. If that’s you? Good luck. I hope this works.