How can I revoke certificates and destroy the account key?


#1

We had a security breach (it looks like PHP was used as an attack vector for Redis, to create root access) and the letsencrypt-auto install was compromised.

Does anyone know the easiest way to report/revoke?


#2

To my understanding, revoking the account is not possible.

Please, devs, give us a possibility for self-destroying an account key.
While I’m not hacked, this shortcoming is the thing preventing me from using LE for real.


#3

@sheelx86 is correct, unfortunately: There’s currently no programmatic way to disable an account. It’s now an option in the spec, and we need to implement it. This is a good reason to bump up the priority. For now, email security@letsencrypt.org with the details of your account. They’ll need the contents of /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/*/meta.json if you use the official client, or your registration URL if not.


#4

Thank you, that’s good to hear.
But (sorry, I’m bothersome):
As described in “Account Key Roll-over” in the spec, the key can be changed. What if the attacker does so before the owner can react? Maybe it would help to accept the old key (too) for deletes (only), for e.g. 30 days after the change, …


#5

That’s an interesting idea! Would you propose it on the IETF ACME mailing list for further discussion?


#6

Done (and extended, sorry for being annoying :slight_smile:)

(somehow, it didn’t get through … trying again later)


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.