General problems with certificates being revoked?(POSH-ACME client)

Hi there,

are there any known problems with requesting/renewing certificates?
All attempts to renew or create new certificates with the POSH-ACME client return a certificate that is instantly being revoked.

I've tried this with different domains and machines, but the issue persists.

I've read that Let's Encrypt is testing some new features for short lived certificates, but could not find out if this is really connected to my issue.

I already tried requesting the certificate with the new -Profile flag, but if I use "classic" the certificates are still being revoked and if I try "shortlived" I get a message that I'm not permitted yet to use that option.

I also tried with different contact addresses and passwords, but no change.

Is the POSH-ACME working for anyone right now?

I'm using the PAServer LE_PROD and the following plugin flags:
-DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'}

In January everything was working completely fine, without any changes on my side.

Any links to relevant topics would be helpful.

I'm not looking for a concrete solution, but rather want to know if others are facing the same issues.

I wanted to try certbot instead, but ran into the rate limit of 5 requests, so I will test on Monday if that makes a difference.

Thanks in advance for any help.

P.S.: Sorry for not submitting my domain, but I currently don't feel comfortable with my domain being public on an internet forum for malicious actors to target me (more than already).

Did you revoke a cert with a reason of keyCompromise? Any later requests using that same key will be revoked. See: Revoking Certificates - Let's Encrypt
See Aaron's post below for correct info about this

It is not related :slight_smile:

The production Let's Encrypt system only supports "classic" except for invited persons. You would know if you were invited. This is not related.

Different password? There is no password in the ACME API requests to Let's Encrypt. In any case, not related to revocation.

No one else is reporting problems here or at their GitHub repository.

Domain names on certs are logged in public Certificate Transparency logs. There is no benefit to hiding your domain names. It just makes it more difficult for us to assess what could be happening.

It is almost certainly a problem with your cert workflow.

Let's Encrypt issues over 5 million certs per day. If there was a generalized problem like you describe it will be very clear to the LE monitoring systems :slight_smile:

5 Likes

I would have thought that the CSR in the finalize call would have just been rejected, rather than succeeding and then getting revoked? Though it's certainly not something I've tested.

Would be helpful to know the revocation reason. Hard for anyone here to help without the domain name. Is a new private key being used for each request?

5 Likes

Posh-ACME currently re-uses cert private keys by default unless users supply an argument to force a new key (-AlwaysNewKey param).

5 Likes

Oh, maybe so. My recollection of how that is handled is not 100%

3 Likes

Hi @MikeMcQ ,

first of all, thank you for your reply.

Did you revoke a cert with a reason of keyCompromise? Any later requests using that same key will be revoked. See: Revoking Certificates - Let's Encrypt

I myself never revoked any certificate, that is the weird thing.
Even a completely new certificate for a new domain on a new machine is being revoked instantly.

I already thought that more people would ask if its a general issue.

Different password? There is no password in the ACME API requests to Let's Encrypt. In any case, not related to revocation.

I was talking about the certificate password here, not a Let's Encrypt password. I've read somewhere that if a password is on a known list of leaked passwords it could lead to a revocation.

I will do some more testing on Monday with different settings and a different ACME client and will come back with more information if I'm not able to resolve the issue.

Thanks again for your reply and feedback :slight_smile:

How are you determining that the cert is revoked?

5 Likes

I'm importing the pfx file into the Windows cert store to view the full details and it always says "This certificate was revoked by the issuing authority". Unfortunately it doesn't show a reason for the revocation anywhere.

I know that POSH-ACME reuses some settings, that's why I spun up a completely new Azure VM with a new IP, with a new domain that I haven't used with Let's Encrypt before. But the issue persists.

I also tried it with the force parameter to force a new cert and without.

Unfortunately I didn't receive details for a specific revocation reason.

I tested this again with my personal homelab domain, which I do not want to post here, but I will try to get a domain from my employer or customer on Monday and test again and ask if I can publish the domain here for further debugging.

Also the HTTPS connection on my customer's domain is not secured anymore when viewed in the browser, that's how I noticed the issue in the first place.

There are two most likely explanations here:

  • your own client is revoking the certificate, because it believes something has gone wrong with it; or
  • you are issuing certificates for a domain that someone else also controls, and they are revoking the certificates immediately upon seeing them be issued in CT logs.

If pre-existing key compromise were the problem, they would never be issued in the first place.

It really is critical that you share the affected domain name here, so that we can look at the certificates and their revocation status to help debug. Otherwise we can only speculate.

5 Likes

A new VM wouldn't be able to re-use any existing private keys. So this implies there is something either environmentally weird with your config that is mistakenly reporting certs as revoked or you might be misinterpreting what you're seeing.

But echoing the others, there's really not much more folks here can do without the actual cert or domain to validate.

5 Likes

I totally understand. Thank you all for your quick replies @rmbolger @aarongable @petercooperjr @MikeMcQ

I will do my homework on monday and come back with more information.

Have a great weekend

2 Likes

Yeah, I think some screenshots might be helpful. Honestly any setup that includes manually importing pfx files is somewhat out of the norm and harder to understand; usually you would have your client automatically install your certs directly wherever they need to go.

4 Likes

I'm going to suggest a third possible option - a bug in the certificate viewer.

I suggest visiting https://crt.sh/ and look for the "revoked" certs (via domain name or cert serial) to confirm they were actually revoked. The public page for each cert will show if it is revoked and some general public info about the revocation (on a crl, ocsp, etc).

6 Likes
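To see exactly which status flags Windows computed for an imported PFX (a real `Revoked` versus a failed revocation check), here is an added PowerShell example that is not from this thread or from Posh-ACME; the PFX path and password are placeholders you replace with your own, and the serial it prints can be pasted into crt.sh for the independent comparison suggested above:

```powershell
# Added example: build the chain for a PFX with online CRL/OCSP checking and
# print the chain status flags and per-certificate status that Windows derived.
# $PfxPath and $PfxPassword are placeholders (assumptions), not real values.
param(
    [string]$PfxPath     = 'C:\certs\example.pfx',   # placeholder path
    [string]$PfxPassword = 'changeit'                # placeholder PFX password
)

$ns    = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$ns.X509Certificate2" ($PfxPath, $PfxPassword)
$chain = New-Object "$ns.X509Chain"

# Force a live revocation check of every certificate in the chain, not just the leaf,
# and disable no verification steps so the result matches a strict viewer.
$chain.ChainPolicy.RevocationMode    = [$ns.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [$ns.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [$ns.X509VerificationFlags]::NoFlag

$ok = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Serial  : $($cert.SerialNumber)"      # paste this into crt.sh to compare
"Chain OK: $ok"

# Overall chain status. 'Revoked' is a genuine revocation; 'RevocationStatusUnknown'
# or 'OfflineRevocation' means the CRL/OCSP lookup itself failed.
foreach ($status in $chain.ChainStatus) {
    "{0,-26} {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# Per-element status shows which certificate in the chain raised each flag.
foreach ($el in $chain.ChainElements) {
    "--- $($el.Certificate.Subject)"
    foreach ($s in $el.ChainElementStatus) {
        "    {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

$chain.Dispose()
```

Running this against the exported PFX separates "the CA revoked this certificate" from "this machine could not complete a revocation check", which the store's summary view does not distinguish.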

Hi @jvanasco that was a very helpful hint, thank you. The certificate was not actually being revoked, Windows only displayed it as revoked for some unknown reason. I did not have that issue before. I don't directly work with certificates that often, so I'm glad I got to know a new tool for troubleshooting.

@rmbolger thanks again to you too for questioning how I check if it's actually revoked, you were on the right track.

2 Likes