Can't revoke certificate issued by compromised host


#1

Two older domains of mine, freenic.org and freenic.zone, were pointed to a host I no longer have control over, and the new owner of the server used that fact to issue certificates via Let’s Encrypt to themselves, and added themselves as Google Webmaster owners (which I’ve since fixed). I’ve moved the DNS for those domains to my own nameservers with DNSSEC, which just return NXDOMAIN for any queries, so future verifications shouldn’t be possible, but I need the currently issued certificates revoked.

I followed the instructions at https://letsencrypt.org/docs/revoking/ to attempt to verify all the domains I own on the certificate, and revoke them via certbot. That resulted in this error:

An unexpected error occurred:
The client lacks sufficient authorization :: The key ID specified in the revocation request does not hold valid authorizations for all names in the certificate to be revoked

I would imagine this is because the malicious certificate in question also contains the domain at-homemeals.com, which is not mine.

What else can I do to get that certificate revoked?
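The rule behind the error quoted in post #1, as an added example that is not part of the original thread or of certbot: revocation by account authorization only succeeds when the account holds a valid authorization for every name in the certificate. The SAN text is a constructed sample using the names mentioned in the post, the function names are hypothetical, and exact-name comparison is an assumption of this sketch.

```python
import re

# Constructed sample in the format printed by:
#   openssl x509 -in cert.pem -noout -ext subjectAltName
# The names come from the post; the real certificate's SAN list is not shown there.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:at-homemeals.com, DNS:FreeNIC.org, DNS:freenic.zone.
"""


def normalize(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def san_dns_names(san_text):
    """Extract the DNS entries from openssl's subjectAltName text output."""
    return sorted({normalize(m) for m in re.findall(r"DNS:([^,\s]+)", san_text)})


def revocation_check(san_text, authorized_names):
    """Return (can_revoke, missing).

    `missing` lists the certificate names the account holds no valid
    authorization for. Names are compared exactly after normalization
    (an assumption of this sketch, not a statement of the CA's matching).
    """
    authorized = {normalize(n) for n in authorized_names}
    missing = [n for n in san_dns_names(san_text) if n not in authorized]
    return (not missing, missing)


if __name__ == "__main__":
    # The account in the post could only validate its own two domains.
    ok, missing = revocation_check(SAMPLE_SAN_TEXT, ["freenic.org", "freenic.zone"])
    print("can revoke by account authorization:", ok)
    for name in missing:
        print("no authorization for:", name)
```

Running the same check against a certificate before attempting revocation shows whether every name can be validated from one account or whether the CA has to be contacted instead.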


#2

Please email security@letsencrypt.org with the above text. Someone will advise you through that channel.

