Hi, would it be possible to obtain mass revocations of all SSL certificates issued under my domains?
My server recently got compromised. (I wiped it off, but didn't think of taking out /etc/letsencrypt beforehand so I can't revoke them, and I don't see all of them on crt.sh to do the "revocation from another account" method)
Hmm, I think you could achieve these revocations pretty quickly by retrieving copies of the certificates from Certificate Transparency logs (for example, using http://crt.sh/) and then feeding them to certbot revoke with a for loop in bash or similar. Not very elegant, but it will get the job done.
for certfile in *.crt; do
certbot revoke --reason keycompromise --delete-after-revoke --cert-path $certfile
but these are often unique subdomains though
I really have to validate each of them?
it's weird that I can't revoke a certificate with just a single domain that I authorized
I can only imagine in cases where revocation is impossible because someone issued a fraudulent certificate with both the domain name they want to target and their own
Ultimately, if you don't have the original account key, you don't have the cert private key, and you can't validate ownership of the names in the cert, you won't be able to revoke the cert via ACME. The protocol just doesn't support any other methods of revocation. Human intervention is required and I don't know if Let's Encrypt has any standard procedures to deal with a situation like that.
With a non-ACME CA, presumably there would be some sort of web or email based account verification procedure that effectively takes the place of the ACME account key. But it's still likely going to be a human assisted process.
If I recall correctly, a CA has its own responsibility with these situations. If a CA "learns" that a certain certificates private key has been compromised, as far as I know most if not all root certificate stores require the CA to take action.
I don't know if LE has something written in their CPS which would exonorate them from these kinds of clausules from root certificate stores?
That said, the CA would need some kind of proof of course.. Otherwise everybody could claim the private key for the certificate of $high_profile_site has been compromised.
That's exactly right. We ask subscribers to do self-service revocation if at all possible; we're a small team, and our mission depends on automation. If there's no alternative, then we can manually validate and revoke, as required.
It sounds like HTTP-01 validation won't work in your setup - is that right? Then if DNS-01 is your best option, many ACME clients (including Certbot) are able to use your DNS provider's API to manage validation records. Could that work for you?
There will be a little setup involved: getting your client set up to use the API, and writing a loop to validate control of all the hostnames, then revoke. We can help you with all of this here.