Insufficient authz for names in cert during revocation

Hello,

I am trying to revoke a cert using the end-entity certificate and the private key used in generating the cert, but for whatever reason, I'm getting the error:

acme.messages.Error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: unable to revoke :: requester does not control all names in cert with serial "fa61ef2a7b4c982461a94c24c0402dded6f4"

Not really sure how to proceed with this error.

Any help will be appreciated.

What's the Certbot command you are using to perform the revocation?

It looks like Certbot is trying to revoke using the account key, not the certificate key.

See this part of the documentation for how to specify revocation using the certificate key.


I can't find this cert:

I suspect there are names on there that you don't control.
Which can be caused by using CDN type services.


That's strange. I am able to look it up using this website: SSL & CSR Decoder, unless you're referring to other non-public tools.
There's only one domain in the CN (and SAN), which is the one I got the cert for initially.

Observe the Issuer Information from that link: STAGING

Oh, I can't revoke staging certs?

I think you may be doing it incorrectly.
See post #2.


Well Staging Environment - Let's Encrypt
"Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing."

Therefore I see NO reason to support revoking those certificates, since they were never SAFE to begin with.

The staging environment is there for testing.
The revoking process (albeit very uncommon) should be tested, and thus, should be included.


Staging supports revocation the same as production. You do have to revoke against the environment that issued it.


My BIG mistake! :frowning:
Thank you @rg305 & @mcpherrinm for correcting me. :slight_smile:


Oversight.


So, I am using the acme py library and calling the respective revoke functions like:

acme.client.ClientV2('staging-url/directory', net=acme.client.ClientNetwork(pk)).revoke(cert, 0)

cert is a <ComparableX509(<OpenSSL.crypto.X509 object at 0x7fe6e57dbdc0>)> object which was used in encoding the end-entity cert.

Apologies if this is off-limits to non-certbot related discussions.


If the pk is the private key of the certificate, then it should work.


Yes.
I just needed to format the private key (pk) into a JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7f7b40ea0940>)>) type of object.

Thanks for the help.

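Putting the thread's fix together as one Python routine (an added example, not the poster's code or the acme project's): the private key is wrapped in a josepy JWKRSA, the client is built without an account so the revocation JWS is signed by the certificate key rather than an account key, and the directory is chosen for the environment that issued the certificate. It assumes the acme, josepy, pyOpenSSL and cryptography packages; the local key-match check, the "(STAGING)" issuer-name heuristic and the helper names are assumptions of mine, not part of the thread.

```python
from cryptography import x509
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

STAGING_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"
PRODUCTION_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"


def key_matches_cert(cert: x509.Certificate, key: rsa.RSAPrivateKey) -> bool:
    """True when key is the private half of the certificate's public key.
    Revocation signed by any other key (e.g. the ACME account key) is refused
    by the CA as 'requester does not control all names in cert'; checking
    locally turns that server-side error into an immediate local failure."""
    pub = cert.public_key()
    return (isinstance(pub, rsa.RSAPublicKey)
            and pub.public_numbers() == key.public_key().public_numbers())


def directory_for(cert: x509.Certificate) -> str:
    """Directory of the environment that issued the cert (heuristic: Let's
    Encrypt staging intermediates carry '(STAGING)' in their issuer name).
    A staging cert must be revoked at staging, not production."""
    staging = "(STAGING)" in cert.issuer.rfc4514_string()
    return STAGING_DIRECTORY if staging else PRODUCTION_DIRECTORY


def revoke_with_cert_key(cert_pem: bytes, key_pem: bytes, reason: int = 0) -> None:
    """Send an ACME revokeCert request signed with the certificate's own key
    (RFC 8555 section 7.6). Needs network access to the ACME directory."""
    import josepy as jose
    from OpenSSL import crypto
    from acme import client, messages

    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    if not key_matches_cert(cert, key):
        raise ValueError("key_pem is not the private key of cert_pem")

    # ClientNetwork takes a josepy JWK, not a raw cryptography key object.
    # With account=None there is no 'kid', so the JWS embeds the JWK itself,
    # which is how the CA recognises a certificate-key revocation.
    net = client.ClientNetwork(jose.JWKRSA(key=key), account=None)
    directory = messages.Directory.from_json(net.get(directory_for(cert)).json())
    acme = client.ClientV2(directory, net=net)
    # This acme release expects the certificate as a ComparableX509 wrapper.
    x509_cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
    acme.revoke(jose.ComparableX509(x509_cert), reason)
```

Reason 0 is "unspecified"; pass 1 (keyCompromise) when the key itself has leaked, since the CA treats that reason differently.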

Thanks for sharing the solution you found—that's very specific and might be relevant to somebody else some day!

