Private keys compromised

My domain is:
innodocs.tech
https://crt.sh/?q=innodocs.tech

I ran this command:
certbot revoke --cert-path ./innodocs.tech.crt --key-path ./innodocs.tech.key
It produced this output:

Here is the structure of caddy-data:
.
└── caddy
    ├── acme
    │   ├── acme-v02.api.letsencrypt.org-directory
    │   │   ├── challenge_tokens
    │   │   └── users
    │   │       └── default
    │   └── acme.zerossl.com-v2-dv90
    │       └── challenge_tokens
    ├── certificates
    │   ├── acme-v02.api.letsencrypt.org-directory
    │   │   ├── innodocs.tech
    │   │   │   ├── innodocs.tech.crt
    │   │   │   ├── innodocs.tech.json
    │   │   │   └── innodocs.tech.key
    │   │   └── www.innodocs.tech
    │   │       ├── www.innodocs.tech.crt
    │   │       ├── www.innodocs.tech.json
    │   │       └── www.innodocs.tech.key
    │   └── acme.zerossl.com-v2-dv90
    ├── locks
    └── ocsp
        ├── innodocs.tech-bd4f7d09
        └── www.innodocs.tech-510ed96f

This is related to: Private keys compromised - Help - Caddy Community

My web server is (include version):
caddy 2

The operating system my web server runs on is (include version):
alpine

My hosting provider, if applicable, is:
Virtual machine on digital ocean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.14.0

Log file:

2021-05-02 17:27:54,728:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-05-02 17:27:55,197:DEBUG:certbot._internal.main:certbot version: 1.14.0
2021-05-02 17:27:55,197:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1093/bin/certbot
2021-05-02 17:27:55,197:DEBUG:certbot._internal.main:Arguments: ['--cert-path', './innodocs.tech.crt', '--key-path', './innodocs.tech.key', '--preconfigured-renewal']
2021-05-02 17:27:55,198:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-02 17:27:55,217:DEBUG:certbot._internal.log:Root logging level set at 20
2021-05-02 17:27:55,218:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-02 17:27:55,220:DEBUG:certbot._internal.main:Revoking /root/Nokia/innovativeproject-wiki/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/innodocs.tech/innodocs.tech.crt using certificate key /root/Nokia/innovativeproject-wiki/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/innodocs.tech/innodocs.tech.key
2021-05-02 17:27:55,239:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-05-02 17:27:55,241:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-05-02 17:27:55,777:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-05-02 17:27:55,779:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 May 2021 17:27:55 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "tJqZn_Zekz4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2021-05-02 17:27:55,781:DEBUG:certbot._internal.main:Reason code for revocation: 0
2021-05-02 17:27:55,781:DEBUG:acme.client:Requesting fresh nonce
2021-05-02 17:27:55,781:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-05-02 17:27:55,912:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-05-02 17:27:55,913:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 May 2021 17:27:55 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0103pt_cTRDemaCksoRZj5CxRjBYN7tPSxwfzD-naitmYx0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-05-02 17:27:55,914:DEBUG:acme.client:Storing nonce: 0103pt_cTRDemaCksoRZj5CxRjBYN7tPSxwfzD-naitmYx0
2021-05-02 17:27:55,914:DEBUG:acme.client:JWS payload:
b'{\n  "certificate": "MIIEVTCCAz2gAwIBAgISBKCHrh9qwO9RleWXpjldbtLLMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMTA0MjkxMzQ2NDdaFw0yMTA3MjgxMzQ2NDdaMBgxFjAUBgNVBAMTDWlubm9kb2NzLnRlY2gwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASqA8v55xKLWOP-ZXAHM8grxdvM2TQXrl9EO9LCQYJNu2_qXeUljHuj7iI97biwHHAxxTCcAt5xYqYmW-3-9Ah-o4ICSDCCAkQwDgYDVR0PAQH_BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQwY81toTuNXMfxJCFAg3pVuGplQjAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6-dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAYBgNVHREEETAPgg1pbm5vZG9jcy50ZWNoMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcARJRlLrDuzq_EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAF5Hhi6MQAABAMASDBGAiEAqVSsWppNYlbxvmjZvCToPucZt9m5SHCZYmIDYREi4RICIQCFvtBRAL3yQJSBSFOa2avAm81d43GA_CdjQisqjev0ggB1AH0-8viP_4hVaCTCwMqeUol5K8UOeAl_LmqXaJl-IvDXAAABeR4YukwAAAQDAEYwRAIgZLmFRAZgUYUhEaWsSMr_5c0DvoLtPW2mtsSWzk_Zne8CIEPcpCQkLp9yFDzQKDT5QmDIqL6F9v8C4p7Sm1BZNRN4MA0GCSqGSIb3DQEBCwUAA4IBAQBxtl2HelOUhRlSqrkypN-esE4V-DsO6TtBwdkLNnbZUjJqBF5xmY9xo8V2a3H0sb8PWq24C3dkfC1yglz-BAzvGUFgiTs5pyn8GLMMJtwXg-mG1vRxZFVpmtPfbq35kcVKCB0ehF_8q8IA-ZmCOXoutC9a_nIAHCCnh6THRJ4pRh8Biz2KN7ej6soxtYloFeniVebrbMLG5ff_vP1q-_Elpsapwq4uIZGZghbCZO_agRkEPA3RC_ezarkMBfRMcPJ6wSwD7FaraYOa2AXC0NBCgSeJr0YNzeElf9jQwMZX8LURqN20Y1xRaR0zY1em6fppStSKz2zBufhEk1NPIECu",\n  "reason": 0\n}'
2021-05-02 17:27:55,915:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1093/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1123, in revoke
    acme.revoke(jose.ComparableX509(cert), config.reason)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 934, in revoke
    return self.client.revoke(cert, rsn)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 770, in revoke
    return self._revoke(cert, rsn, self.directory['revokeCert'])
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 215, in _revoke
    response = self._post(url,
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 86, in _post
    return self.net.post(*args, **kwargs)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 1198, in post
    return self._post_once(*args, **kwargs)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 1208, in _post_once
    data = self._wrap_in_jws(obj, self._get_nonce(url, new_nonce_url), url, acme_version)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 1026, in _wrap_in_jws
    return jws.JWS.sign(jobj, **kwargs).json_dumps(indent=2)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/jws.py", line 53, in sign
    return super(JWS, cls).sign(payload, key=key, alg=alg,
  File "/snap/certbot/1093/lib/python3.8/site-packages/josepy/jws.py", line 266, in sign
    cls.signature_cls.sign(payload=payload, **kwargs),))
  File "/snap/certbot/1093/lib/python3.8/site-packages/josepy/jws.py", line 207, in sign
    assert isinstance(key, alg.kty)
AssertionError
2021-05-02 17:27:55,929:ERROR:certbot._internal.log:An unexpected error occurred:
2021-05-02 17:27:55,929:ERROR:certbot._internal.log:AssertionError
1 Like

Please add all relevant information to your opening post on this Community. Please don't just refer to a different forum and expect the volunteers of this Community to go over there and figure out what your current issue is.

2 Likes

You are right, sorry for that

1 Like

What shows:
certbot certificates

2 Likes

It looks like it has trouble signing the JWS structure with an account key. Was certbot used to retrieve the certificate in the first place?

1 Like

Doesn't look like it--Caddy obtains certificates automatically, but (apparently) doesn't have the ability to revoke them.

1 Like

It's implemented in the code:

But there's no CLI for it. (Literally not a requested feature for a web server...)

Anyway, account key is stored in the Caddy data directory, if that's needed.

1 Like

Well, you should be able to revoke with the private key and without the original account, as you've tried, but for some reason it fails with the JWS signing part.

Perhaps you simply have to run certbot register first to get a $random account so certbot can at least sign the JWS?

3 Likes
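As an added illustration of the two points above (revocation signed by the certificate's own key rather than an account key, and the JWS signing step that fails), here is a small Go program that builds and verifies an ACME revoke-cert JWS the way RFC 8555 section 7.6 describes it. It is not code from this thread, from Caddy, from certbot or from josepy; the function names (KeyParams, BuildRevokeJWS, VerifyRevokeJWS) and the nonce, URL and certificate bytes it uses are constructed placeholders, and nothing is sent over the network. The traceback above ends in josepy's `assert isinstance(key, alg.kty)`, which fires when the JWS alg does not match the key type; the certificate in the JWS payload above is an ECDSA P-256 certificate (the DER carries the prime256v1 OID), so a JWS signed with its key has to use ES256, and the example makes that pairing explicit and refuses anything else.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // JWS and ACME use unpadded base64url throughout

func be32(i *big.Int) []byte { return i.FillBytes(make([]byte, 32)) }

// KeyParams picks the JWS alg that matches the key type and renders the public half as
// a JWK (ACME carries the JWK in the protected header when the request is signed by the
// certificate key rather than an account key). This alg/key-type pairing is the rule
// josepy enforces with `assert isinstance(key, alg.kty)`: EC P-256 with ES256, RSA with RS256.
func KeyParams(key crypto.Signer) (alg string, jwk map[string]string, err error) {
	switch k := key.(type) {
	case *ecdsa.PrivateKey:
		if k.Curve.Params().Name == "P-256" {
			return "ES256", map[string]string{"kty": "EC", "crv": "P-256",
				"x": b64.EncodeToString(be32(k.X)), "y": b64.EncodeToString(be32(k.Y))}, nil
		}
	case *rsa.PrivateKey:
		return "RS256", map[string]string{"kty": "RSA", "n": b64.EncodeToString(k.N.Bytes()),
			"e": b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())}, nil
	}
	return "", nil, fmt.Errorf("no JWS alg for key type %T", key)
}

// BuildRevokeJWS builds the flattened JWS for POST /acme/revoke-cert (RFC 8555 section 7.6),
// signed by the certificate's own private key. reason is the RFC 5280 CRLReason
// (1 = keyCompromise); nonce and url are what the directory/newNonce exchange returns.
func BuildRevokeJWS(key crypto.Signer, certDER []byte, reason int, nonce, url string) (string, error) {
	alg, jwk, err := KeyParams(key)
	if err != nil {
		return "", err
	}
	protected, _ := json.Marshal(map[string]interface{}{"alg": alg, "jwk": jwk, "nonce": nonce, "url": url})
	payload, _ := json.Marshal(map[string]interface{}{"certificate": b64.EncodeToString(certDER), "reason": reason})
	p, pl := b64.EncodeToString(protected), b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(p + "." + pl)) // JWS signing input is protected.payload
	var sig []byte
	if k, ok := key.(*ecdsa.PrivateKey); ok {
		// ES256 signatures are r||s as two fixed 32-byte integers, not the ASN.1 form.
		r, s, err := ecdsa.Sign(rand.Reader, k, digest[:])
		if err != nil {
			return "", err
		}
		sig = append(be32(r), be32(s)...)
	} else if sig, err = rsa.SignPKCS1v15(rand.Reader, key.(*rsa.PrivateKey), crypto.SHA256, digest[:]); err != nil {
		return "", err
	}
	out, _ := json.Marshal(map[string]string{"protected": p, "payload": pl, "signature": b64.EncodeToString(sig)})
	return string(out), nil
}

// VerifyRevokeJWS checks a flattened JWS against the JWK carried in its own protected
// header, as the CA does for a certificate-key revocation, and returns the alg used.
func VerifyRevokeJWS(flat string) (string, error) {
	var env struct{ Protected, Payload, Signature string }
	var hdr struct {
		Alg string
		Jwk map[string]string
	}
	if err := json.Unmarshal([]byte(flat), &env); err != nil {
		return "", err
	}
	protected, _ := b64.DecodeString(env.Protected)
	if err := json.Unmarshal(protected, &hdr); err != nil {
		return "", err
	}
	sig, _ := b64.DecodeString(env.Signature)
	digest := sha256.Sum256([]byte(env.Protected + "." + env.Payload))
	num := func(f string) *big.Int { b, _ := b64.DecodeString(hdr.Jwk[f]); return new(big.Int).SetBytes(b) }
	switch {
	case hdr.Alg == "ES256" && hdr.Jwk["kty"] == "EC" && len(sig) == 64:
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: num("x"), Y: num("y")}
		if ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
			return hdr.Alg, nil
		}
	case hdr.Alg == "RS256" && hdr.Jwk["kty"] == "RSA":
		pub := &rsa.PublicKey{N: num("n"), E: int(num("e").Int64())}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return hdr.Alg, nil
		}
	}
	return "", fmt.Errorf("bad signature, or alg %q does not match key type %q", hdr.Alg, hdr.Jwk["kty"])
}

func main() { // constructed stand-ins for innodocs.tech.key and the DER certificate
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jws, _ := BuildRevokeJWS(key, []byte("placeholder-DER"), 1, "constructed-nonce", "https://acme-v02.api.letsencrypt.org/acme/revoke-cert")
	fmt.Println(VerifyRevokeJWS(jws)) // ES256 <nil>
}
```

The protected header carries `jwk` instead of `kid`, which is what lets a CA accept the revocation without any account: the signature proves possession of the certificate's private key. Feeding a P-384 key into KeyParams returns an error rather than a mismatched alg, which is the failure mode the certbot traceback shows surfacing as an AssertionError deep inside josepy.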

For some reason this is the output:

Apparently I'm already registered:

I can't reproduce this locally unfortunately.

1 Like