Weeknotes for the week ending Apr.22
22 Apr 2022
Revoke LetsEncrypt Certs in Traefik’s
First, credit where credit is due to Daniel and Senan in this Traefik issue. To them I say “thank you”.
Second, a little context. In the past few months I’ve been tinkering with self-hosting some of my own apps, as well as some services at home. Among the things I’ve been experimenting with are Traefik, a “cloud native proxy”. One of the nice things Traefik does is generates and sets up LetsEncrypt certificates if you set all the things up correctly. It takes some tinkering but once you get it, it’s really nice.
Now, all of the above is true until you potentially run into the time where you need to revoke one of those certs. Perhaps you would like to move to another host? Or switch to Nginx? Searching for a solution to that will result in many pages talking about the recent forced-revocation of certificates:
Let’s Encrypt sent me an email that our certificates which were checked with a CAA record will be revoked tomorrow because of a bug in the implementation.
… lots of that.
So - how do you revoke and delete the cert Traefik had generated?
The answer lies in extracting the key and cert from the generated acme.json file generated by Traefik. To do so you can utilize
- Utilize the
jqtool to dig into that JSON file
- Pipe into
base64to decode it and
- And then redirect STDOUT to a tmp file.
In the following example, my LetsEncrypt info is nested within the
dnsimple key as they are the DNS provider I use to resolve LetsEncrypt requests. Also
yourdomain.pizza is neither my domain, nor one that’s registered (Yet? So have at it).
cat acme.json \ | jq -r ".dnsimple .Certificates | . | select(.domain.main == \"yourdomain.pizza\").key" \ | base64 --decode \ > /tmp/tmp.key cat acme.json \ | jq -r ".dnsimple .Certificates | . | select(.domain.main == \"yourdomain.pizza\").certificate" \ | base64 --decode \ > /tmp/tmp.cert
After generating those two temp files you can revoke, and optionally delete, your domain’s cert with the following:
letsencrypt revoke \ -d "yourdomain.pizza" \ --key-path /tmp/tmp.key \ --cert-path /tmp/tmp.cert
This was all incredibly annoying. Annoying enough that it warrants recording it here for posterity for my own selfish purposes, and possibly for the next poor soul trying to figure this out and maybe googling for something that brings this post up. If that’s you? Good luck. I hope this works.