Today I had to revoke a cert for the first time. I saw a cert in the CT logs (issued yesterday) that I did not issue, and because (I thought) I don’t use any automated renewal processes, I asked my hosting provider whether there had been a login to the DNS API (I use DNS-01). Then I wanted to revoke it. I requested a cert for the domain with certbot, then downloaded the cert from crt.sh and tried to revoke it following this guide. The output was something like
there is no certificate like the one provided.
After I thought about it for a while I remembered that I had made some certs for the domain 2 months ago and looked for them. My client (acme.sh) did somehow (although I thought I disabled it) renew these certs. I found the new one and could revoke the certificate by referring to the new one.
This is probably because Let’s Encrypt only submits Precerts to the CT logs now (because the SCTs have to be embedded after the cert was submitted). So if I download the cert from crt.sh I only download the Precert, right? Is it possible to somehow get the leaf cert? Or could LE accept Precerts for revocation? Is there another way I didn’t think of?
Non-logging of final certificates
@jsha, could you address this question related to the new CT logging behavior and revocation?
I think you’re right that the precertificate from crt.sh will not work to revoke. As a workaround, you can get the final certificate by taking the serial number from the precertificate in hex (remove any colons) and appending it to https://acme-v01.api.letsencrypt.org/acme/cert/. This will download a DER formatted certificate. To make Certbot happy you may need to convert it to PEM with
openssl x509 -inform der -in FILENAME -out FILENAME.pem.
I’ll discuss with the team better ways to solve this, most likely by submitting final certificates to CT as well as precertificates.
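As an added example (not code from this thread or from Let's Encrypt's tooling), the following stdlib-only Python script does the steps jsha describes: it checks whether a certificate downloaded from crt.sh is a precertificate by looking for the RFC 6962 poison extension OID, pulls the serial number out of the DER, and builds the acme-v01 cert URL from jsha's reply. The sample certificate bytes are constructed and truncated (not a real certificate), and the OID check is a byte-substring search, a simplification of full extension parsing.

```python
import base64
import re
# CT precertificate poison extension OID 1.3.6.1.4.1.11129.2.4.3 (RFC 6962), DER-encoded
PRECERT_POISON_OID_DER = bytes.fromhex("060a2b06010401d679020403")
ACME_CERT_BASE = "https://acme-v01.api.letsencrypt.org/acme/cert/"
SAMPLE_SERIAL = bytes.fromhex("03" + "ab" * 17)  # constructed 18-byte serial with an 0x03 prefix byte

def pem_to_der(pem_text):
    # Strip PEM armour and whitespace (as downloaded from crt.sh), then base64-decode
    return base64.b64decode(re.sub(r"-----(BEGIN|END)[^-]*-----|\s", "", pem_text))

def _read_tlv(buf, pos):
    # Parse one DER tag/length header at pos; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_hex(cert_der):
    # Serial as lowercase hex with no colons, the form the acme-v01 cert endpoint takes
    _, tbs_at, _ = _read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, tbs_at)  # tbsCertificate SEQUENCE
    tag, start, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional explicit [0] version
        tag, start, end = _read_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    raw = cert_der[start:end]
    if len(raw) > 1 and raw[0] == 0 and raw[1] & 0x80:  # drop DER sign byte
        raw = raw[1:]
    return raw.hex()

def is_precertificate(cert_der):
    # Byte-substring search for the poison OID: a simplification of full extension parsing
    return PRECERT_POISON_OID_DER in cert_der

def final_cert_url(precert_der):
    # URL from which the final certificate (with embedded SCTs) can be fetched
    return ACME_CERT_BASE + serial_hex(precert_der)

def _der(tag, content):
    # Short-form DER TLV (content under 128 bytes); only used to build the constructed sample
    return bytes([tag, len(content)]) + content

def build_sample(poison):
    # Constructed, truncated certificate shape (NOT a real certificate): version, serial, poison ext
    poison_ext = _der(0x30, PRECERT_POISON_OID_DER + _der(0x01, b"\xff") + _der(0x04, b"\x05\x00"))
    ext = _der(0xA3, _der(0x30, poison_ext)) if poison else b""
    return _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, SAMPLE_SERIAL) + ext))
```

Feed `pem_to_der(open("precert.pem").read())` into `is_precertificate` and `final_cert_url` to see why Certbot rejects the crt.sh download and where to fetch the final certificate instead.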