
@EnigmaCurry
Last active December 23, 2024 21:13

How to revoke Traefik TLS certificates

Create local temporary directory on your workstation

mkdir ~/t6

Copy your Traefik keys to your workstation

docker cp traefik-traefik-1:/data/acme-production.json ~/t6/

# your container and/or file may be named differently.

Dump Traefik certs:

podman run --rm -it -v ~/t6:/stuff:Z --workdir /stuff \
    docker.io/ldez/traefik-certs-dumper:latest \
    file --version v2 --source acme-production.json

Revoke certificates with certbot (do this for each domain cert you wish to revoke):

DOMAIN=example.com
EMAIL=you@example.com   # placeholder: use your own address
podman run --rm -it -v ~/t6:/stuff:Z --workdir /stuff \
    docker.io/certbot/certbot:latest \
    revoke \
    -m "$EMAIL" \
    --cert-path "dump/certs/$DOMAIN.crt" \
    --key-path "dump/private/$DOMAIN.key"

You may get this error:

No match found for cert-path /stuff/dump/certs/example.com.crt!

But if you try the command again you may get this error:

An unexpected error occurred:
unable to revoke :: unable to re-revoke serial "XXXXXX" which is already revoked for keyCompromise

So this means the prior revocation did succeed.

Check your service in a web browser, and you should immediately see the revocation error.
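The steps above, scripted over every certificate in the dump, as an added example that is not part of this gist. It reuses the gist's certbot-in-podman command and treats both error messages quoted above as "revoked at the CA"; the DUMP_DIR and CERTBOT variables are assumptions added so the script can be pointed elsewhere or run without network.

```shell
#!/usr/bin/env bash
# Added example, not from the gist: revoke every certificate that
# traefik-certs-dumper wrote under dump/, with the gist's certbot command.
# Assumptions: the dump lives in $DUMP_DIR (default ~/t6); CERTBOT may be
# overridden with another command that accepts certbot's arguments.

# Map certbot's output for one revoke attempt to a status word.
# Prints "revoked", "already-revoked" or "unknown"; returns 0 for the first two.
# Both messages quoted in the gist mean the CA has revoked the certificate:
# the first run succeeds, then certbot fails to find a local lineage to delete.
revoke_status() {
    case "$1" in
        *"already revoked"*)              echo "already-revoked"; return 0 ;;
        *"No match found for cert-path"*) echo "revoked";         return 0 ;;
        *"successfully revoked"*)         echo "revoked";         return 0 ;;
        *)                                echo "unknown";         return 1 ;;
    esac
}

# Revoke one dumped certificate by domain; prints "<domain> <status>".
revoke_domain() {
    local domain="$1" dump="${DUMP_DIR:-$HOME/t6}"
    local cert="$dump/dump/certs/$domain.crt" key="$dump/dump/private/$domain.key"
    [ -f "$cert" ] && [ -f "$key" ] || { echo "$domain missing-files"; return 1; }
    local certbot="${CERTBOT:-podman run --rm -i -v $dump:/stuff:Z --workdir /stuff docker.io/certbot/certbot:latest}"
    local out status
    # Paths are relative to /stuff, the container's working directory.
    out=$($certbot revoke -n -m "$EMAIL" \
            --cert-path "dump/certs/$domain.crt" \
            --key-path "dump/private/$domain.key" 2>&1) || true
    status=$(revoke_status "$out")
    echo "$domain $status"
    [ "$status" != "unknown" ]
}

# Revoke every certificate in the dump; returns non-zero if any one failed.
revoke_all() {
    local dump="${DUMP_DIR:-$HOME/t6}" rc=0 crt
    for crt in "$dump"/dump/certs/*.crt; do
        [ -e "$crt" ] || { echo "no certificates found in $dump/dump/certs"; return 1; }
        revoke_domain "$(basename "$crt" .crt)" || rc=1
    done
    return $rc
}
```

Run `revoke_all` after dumping, then re-check each site as described above.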
