Query and Revoke authorized client

Hey,

I would like to know if there is any way to query which clients are authorized to enroll certificates from Let's Encrypt?
How do I revoke a client authorization?
What certificates has each client issued?

I am new to managing my domain and don't know the scope of previous uses of Let's Encrypt's service in my domain.

Thanks a lot,
Dor

1 Like

Check the certificate transparency logs on a site like https://crt.sh

It won't tell you which client asked for a certificate but it will tell you if there are unexpired certificates you don't recognize.

4 Likes

To elaborate on @9peppe's response:

This does not exist. Authorization is ephemeral and requires a specific "Account" demonstrating authority over the domain within the past 30 days. The Account is simply an RSA Private Key, optionally with an email address.

There is no way to list current valid authorizations for a domain. Let's Encrypt typically caches a successful challenge response to an account for up to 30 days.

A domain owner can revoke existing certificates from the issuing account or by proving ownership through another account. This is generally not needed except if a system has been compromised, or you are worried about a former employee with ill intentions who had access to the keys. In those cases, creating a new account (which means a new Account Key) and issuing new certificates is the first step. If the system was compromised, revoking the certificates is not only prudent, but required by the Terms of Service. For staff turnover, revocation is usually not needed.

Certificate Transparency logs will show all issued certificates (and their pre-certificates).

4 Likes
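The two answers above point at Certificate Transparency as the only inventory you can get. The script below is an added example (not code from this thread or from crt.sh) that does the inventory work offline: it takes rows in the shape crt.sh returns for a JSON query (field names id, issuer_name, common_name, name_value, serial_number, not_before, not_after are assumed from that output), collapses the precertificate/certificate pairs that show up as two rows with one serial, drops expired entries, and flags any name the domain owner does not recognise. The rows and the reference time are constructed so the result is reproducible.

```python
"""Inventory a domain's unexpired certificates from Certificate Transparency data.

Added example, not code from the original thread. The row layout (id,
issuer_name, common_name, name_value, serial_number, not_before, not_after)
is assumed to follow what https://crt.sh returns for a query with
output=json; the rows below are constructed for illustration, not real
log entries, so the script runs offline.
"""
import json
from datetime import datetime, timezone

# Constructed sample. crt.sh records a precertificate and the final
# certificate as separate rows that share a serial number (rows 101 and 102
# are one issuance). Row 103 is already expired at the reference time and
# row 104 covers a name the domain owner does not recognise.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03A1B2C3D4E5F6", "not_before": "2030-01-01T00:00:00",
     "not_after": "2030-04-01T00:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "serial_number": "03a1b2c3d4e5f6", "not_before": "2030-01-01T00:00:00",
     "not_after": "2030-04-01T00:00:00"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com",
     "serial_number": "04aaaaaaaaaaaa", "not_before": "2029-03-01T00:00:00",
     "not_after": "2029-06-01T00:00:00"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.example.com", "name_value": "staging.example.com",
     "serial_number": "05bbbbbbbbbbbb", "not_before": "2030-02-15T00:00:00",
     "not_after": "2030-05-15T00:00:00"},
])

# Fixed reference "now" so the result is reproducible; use datetime.now(timezone.utc) live.
REFERENCE_NOW = datetime(2030, 3, 1, tzinfo=timezone.utc)


def parse_entries(raw_json):
    """Turn crt.sh-style JSON rows into records with UTC datetimes and a name list."""
    entries = []
    for row in json.loads(raw_json):
        entries.append({
            "id": row["id"],
            "issuer": row["issuer_name"],
            "serial": row["serial_number"].lower(),
            "names": sorted(set(row["name_value"].split("\n"))),
            "not_before": datetime.fromisoformat(row["not_before"]).replace(tzinfo=timezone.utc),
            "not_after": datetime.fromisoformat(row["not_after"]).replace(tzinfo=timezone.utc),
        })
    return entries


def unexpired_certificates(entries, now):
    """One record per issuance still valid at `now` (precert/leaf pairs collapsed by serial)."""
    by_serial = {}
    for entry in entries:
        if entry["not_after"] <= now:
            continue
        by_serial.setdefault(entry["serial"], entry)
    return sorted(by_serial.values(), key=lambda e: e["not_after"])


def unexpected_names(certificates, known_names):
    """Names on live certificates that the domain owner did not expect to see."""
    known = {n.lower() for n in known_names}
    return sorted({n for c in certificates for n in c["names"] if n.lower() not in known})


if __name__ == "__main__":
    live = unexpired_certificates(parse_entries(SAMPLE_CRTSH_JSON), REFERENCE_NOW)
    for cert in live:
        print(f"serial {cert['serial']}  expires {cert['not_after']:%Y-%m-%d}  {', '.join(cert['names'])}")
    print("unexpected names:", unexpected_names(live, ["example.com", "www.example.com"]))
```

Running it against the constructed rows yields two live issuances and flags staging.example.com as a name nobody on the team asked for; that is exactly the signal the thread says CT can give you, since the logs never record which ACME client or account requested the certificate.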

It's worth stating that the client apps that can get a cert from LE for your domain are either running on the webserver for that domain, or have write access to your DNS to create TXT records (or there is a CNAME pointing elsewhere and the client can write to the other domain).

So while you can't easily revoke stuff for an LE account you don't control, you can control which services are present on your domain and who has the current credentials for your DNS, as long as you are in charge of DNS for the domain.

6 Likes

You can also mandate that particular CAs are allowed to issue certs using a CAA record in your DNS (e.g. not include Let's Encrypt), and set it to only allow issuance from the CA of your choice (e.g. DigiCert).

There was talk of a CAA extension which could limit issuance to specific CA accounts but I don't think that has been implemented anywhere.

6 Likes
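To make the CAA suggestion above concrete, here is an added example (not code from this thread) that evaluates CAA records the way RFC 8659 tells a CA to: climb from the requested name toward the root until a non-empty CAA set is found, prefer issuewild over issue for wildcard names, treat an empty issuer (the value ";") as "nobody may issue", and refuse if an unrecognised property is flagged critical. The zone data is constructed; the contact address is a placeholder. Parameters after the issuer domain (where RFC 8657's accounturi and validationmethods live) are stripped, not enforced, so the check is about which CA, not which account. It is useful for verifying that the records you are about to publish do what you intend before a CA interprets them.

```python
"""Evaluate whether a CA may issue for a name under the domain's CAA records.

Added example, not from the original thread. The zone below is constructed;
the lookup and matching rules follow RFC 8659 (CAA): climb from the name
toward the root to find the first non-empty CAA set, use issuewild for
wildcard names when present, and treat an empty issuer (value ";") as
"nobody may issue".
"""

ISSUE, ISSUEWILD, IODEF = "issue", "issuewild", "iodef"
CRITICAL = 128  # flag bit: a CA that does not understand the tag must not issue

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
# example.com permits only DigiCert for ordinary names and forbids all
# wildcard issuance; legacy.example.com still allows Let's Encrypt.
ZONE = {
    "example.com": [
        (0, ISSUE, "digicert.com"),
        (0, ISSUEWILD, ";"),
        (0, IODEF, "mailto:security@example.com"),  # placeholder contact
    ],
    "legacy.example.com": [
        (0, ISSUE, "letsencrypt.org"),
    ],
}


def relevant_caa(name, zone):
    """Return (owner, records) for the closest ancestor-or-self that has CAA records."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca_domain, zone):
    """True if the CA identified by ca_domain is permitted to issue for name."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, records = relevant_caa(base, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unknown property marked critical blocks issuance outright.
    if any(flags & CRITICAL and tag not in (ISSUE, ISSUEWILD, IODEF) for flags, tag, _ in records):
        return False
    tag = ISSUE
    if wildcard and any(t == ISSUEWILD for _, t, _ in records):
        tag = ISSUEWILD  # issuewild overrides issue for wildcard names
    allowed = {issuer_domain(v) for _, t, v in records if t == tag}
    if not allowed:
        return True  # CAA set present (e.g. only iodef) but carries no issue restriction
    return ca_domain.lower() in allowed


def zone_file_lines(zone):
    """Render the records in zone-file syntax, ready to paste into DNS."""
    return [f'{owner}. IN CAA {flags} {tag} "{value}"'
            for owner, records in sorted(zone.items())
            for flags, tag, value in records]


if __name__ == "__main__":
    print("\n".join(zone_file_lines(ZONE)))
    for host, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "digicert.com"),
                     ("legacy.example.com", "letsencrypt.org"), ("*.example.com", "digicert.com")]:
        print(f"{ca:16} -> {host:22} {'allowed' if may_issue(host, ca, ZONE) else 'denied'}")
```

Note what the climb implies for the situation in this thread: a subdomain with no CAA of its own inherits the parent's policy, so one record at the apex covers every host you have not delegated, while a host that still needs the old CA gets its own, more permissive set.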

I looked at the resource you pasted, but I still don't understand.

For example, if my webserver was compromised I will:

  1. Revoke all the issued certificates for that webserver.
  2. How do I prevent the authorisation key that was in certbot, for example, on the server from issuing a new certificate?

From what I understand, after I have authorized and got the key, I can ask for a new certificate from anywhere with that key.

Existing validations are cached for 30 days with Let's Encrypt, so there is a 30 day window where a compromised account key could get certs if the included domains were previously validated for that account. Thereafter they would have to prove domain control as normal (e.g. via HTTP validation or DNS validation).

To delete your account (before starting a new one) I believe you can use certbot unregister. ACME does provide an Account Key Rollover feature but I don't know how to do that with certbot.

2 Likes