Don't rename certificate if it's not actually revoked #971

@GTAXL

I attempted to revoke a certificate that was issued by SSL.com. I made the mistake of not specifying the proper CA and it made the request against Let's Encrypt, resulting in an error. However, dehydrated still went ahead and renamed the certificate to revoked and removed the cert.pem symlink. I think this error handling could have been done better.

[root@test01:conf.d] dehydrated --revoke /certdeploy/certdeploy-sslcom.insaneinvestigations.com/cert.pem
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/certdeploy.sh
# INFO: Running /usr/bin/dehydrated as certdeploy/certdeploy
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/certdeploy.sh
Revoking /certdeploy/certdeploy-sslcom.insaneinvestigations.com/cert-1748277052.pem
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/revoke-cert (Status 404)

Details:
HTTP/2 404
server: nginx
date: Mon, 26 May 2025 17:22:36 GMT
content-type: application/problem+json
content-length: 141
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: hsy8zaa5x5V9TARwiCGLjagX88Ek0g11ZbPnucnhZzC2gkZuHj8

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to revoke :: Certificate from unrecognized issuer",
  "status": 404
}

 + Done.
 + Renaming certificate to /certdeploy/certdeploy-sslcom.insaneinvestigations.com/cert-1748277052.pem-revoked
[root@test01:conf.d]
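
The ordering the report asks for, as an added sketch that is not dehydrated's code and not part of the original issue: run the revocation first and rename the file and remove the symlink only if it succeeded. The function name `revoke_and_archive` and the two `fake_ca_*` stubs are hypothetical; the stubs are constructed stand-ins for the ACME revoke-cert request and must exit non-zero when the CA returns an error such as the 404 above.

```shell
# Added illustration, not dehydrated's implementation.
# Usage: revoke_and_archive <cert path or symlink> <revoke command...>
# The revoke command is called with the resolved certificate path as its
# last argument and must exit non-zero when the CA rejects the request.
revoke_and_archive() {
  local link="$1"; shift
  local target="${link}"

  # Resolve cert.pem to the real file (cert-<timestamp>.pem).
  if [ -L "${link}" ]; then
    target="$(readlink "${link}")"
    case "${target}" in
      /*) ;;                                        # absolute link target
      *)  target="$(dirname "${link}")/${target}" ;; # relative link target
    esac
  fi
  [ -f "${target}" ] || { echo "ERROR: ${target} not found" >&2; return 2; }

  echo "Revoking ${target}"
  # Send the revocation first; local state is untouched if it fails.
  if ! "$@" "${target}"; then
    echo "ERROR: revocation failed, leaving ${target} in place" >&2
    return 1
  fi

  # Only now mark the certificate as revoked and drop the symlink.
  echo " + Renaming certificate to ${target}-revoked"
  mv -- "${target}" "${target}-revoked"
  if [ -L "${link}" ]; then
    rm -f -- "${link}"
  fi
  return 0
}

# Constructed stubs standing in for the CA round trip (assumptions).
fake_ca_reject() {
  echo "Status 404: Certificate from unrecognized issuer" >&2
  return 1
}
fake_ca_accept() {
  return 0
}
```

With `fake_ca_reject` the certificate file and the `cert.pem` symlink are left as they were and the function returns 1; with `fake_ca_accept` the file is renamed to `-revoked` and the symlink is removed.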
