Revocation of cert without the key that was used while creating it

Aim:

To revoke a certificate generated by Certbot without the key_path option.

Situation:

#1. We generate the CSR and get a cert from LE using --csr option given in the CertBot - and that’s successful

#2. The CSR generated by us has only one domain in it, for example “*.proxy.xyz.net” as CN.

Different types of revoke we tried:

#1. When we tried to revoke with just the cert path (can’t use key generated by us because of security reasons), it raised:
“The client lacks sufficient authorization” error.

#2. We tried the option given in the following link: https://letsencrypt.org/docs/revoking/#using-a-different-authorized-account (Creating a non-existent domain), it raised:
From the CSR: *.proxy.xyz.net
From command line/config: *.proxy.xyz.net, nonexistent.xyz.net

Can you please help us in providing a solution to this issue, how to revoke a cert without the --key_path option. Blocked at this and couldn’t proceed. Thanks in advance.

It raised what?

This approach works just fine without any key reuse. Could you provide more information about what the output of Certbot was when you tried to do it?

I have a web-based revocation tool available too, which might be slightly easier (though only if you trust using a browser-based tool).

While generating the cert we gave only one option in CSR *.proxy.xyz.net as CN.
The cert got generated successfully from LE using certbot.

Later when I used the same cert in the cert path option for revocation, the only logs I got from Certbot was the below

From the CSR: *.proxy.xyz.net
From command line/config: *.proxy.xyz.net, nonexistent.xyz.net

I’m just going to drop an example here so you can see if it matches what you are doing. I still don’t understand how you get that output from Certbot.

I have a Certbot installation that is using a separate/fresh Let’s Encrypt account/key from the certificate I’m trying to revoke.

I’ve downloaded the certificate I want to revoke to revokeme.pem. It’s just a single wildcard like yours: *.revokeme.foo.monkas.xyz .

When I try to revoke the certificate, as expected, it doesn’t work because I lack the authorization on that Let’s Encrypt account:

root@b3f488764f77:/# certbot revoke --cert-path revokeme.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
The client lacks sufficient authorization :: The key ID specified in the revocation request does not hold valid authorizations for all names in the certificate to be revoked
Please see the logfiles in /var/log/letsencrypt for more details.

OK.

So now I use the non-existent domain trick to gain the authorization to the domain I want to revoke:

root@b3f488764f77:/# certbot certonly -d *.revokeme.foo.monkas.xyz -d nonexistent.example.com -a manual --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for revokeme.foo.monkas.xyz
http-01 challenge for nonexistent.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.revokeme.foo.monkas.xyz with the following value:

GBBIiAQVy0Bci-Dx4eJioa6609MW441gYe_eAnXgnUA

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

GodQX_VOq1QyBUTNZO-Ffa_J940QzPxJGyi-caEELvA._EODt3LLjb8wPRj9UVIk-ZSsYQIaoPfdwLfRVGpB-cI

And make it available on your web server at this URL:

http://nonexistent.example.com/.well-known/acme-challenge/GodQX_VOq1QyBUTNZO-Ffa_J940QzPxJGyi-caEELvA

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nonexistent.example.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for nonexistent.example.com

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: nonexistent.example.com
  Type:   None
  Detail: DNS problem: NXDOMAIN looking up A for
  nonexistent.example.com

In the above, I only actually add the DNS record for the domain I want to revoke, I just press enter for the non-existent domain, without deploying the challenge response.

As a result of the above, this Let’s Encrypt account is now authorized to revoke the revokeme.pem certificate:

root@b3f488764f77:/# certbot revoke --cert-path revokeme.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the cert(s) you just revoked, along with all earlier
and later versions of the cert?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: Y
No match found for cert-path /revokeme.pem!

Never mind that wonky looking error at the end of the output, it’s revoked. We can confirm by repeating the command:

root@b3f488764f77:/# certbot revoke --cert-path revokeme.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
Certificate already revoked
Please see the logfiles in /var/log/letsencrypt for more details.

Can you relate any of that to what you’ve been trying to do?

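To make the rule behind the transcript above concrete, here is a small Python model of the relevant RFC 8555 behaviour. It is an added example for this thread, not code from Certbot or from Let’s Encrypt’s server software, and the `Account`, `Authorization`, `new_order`, `complete_challenge`, `finalize` and `can_revoke` names are my own simplifications. It models two facts the trick depends on: the revoking account must hold a valid authorization for every identifier in the certificate (with a wildcard identifier being distinct from its base name), and an authorization that was validated stays valid even when the order it belonged to fails because another name in the order could not be validated.

```python
"""Toy model of ACME authorizations and the revocation rule (constructed example)."""
from dataclasses import dataclass, field


def split_identifier(name):
    """Map a certificate or CLI name to an ACME identifier (base name, wildcard flag).

    "*.revokeme.foo.monkas.xyz" -> ("revokeme.foo.monkas.xyz", True)
    This mirrors the transcript, where the dns-01 challenge is shown for the
    base name even though the order asked for the wildcard.
    """
    if name.startswith("*."):
        return name[2:], True
    return name, False


@dataclass
class Authorization:
    domain: str
    wildcard: bool
    status: str = "pending"  # pending -> valid | invalid


@dataclass
class Account:
    """One ACME account and the authorizations it holds (hypothetical model)."""
    authorizations: dict = field(default_factory=dict)

    def new_order(self, names):
        """A new order creates (or reuses) one authorization per identifier."""
        keys = []
        for name in names:
            key = split_identifier(name)
            self.authorizations.setdefault(key, Authorization(*key))
            keys.append(key)
        return keys

    def complete_challenge(self, name, challenge, passed):
        """Record the outcome of one challenge; wildcards are dns-01 only."""
        authz = self.authorizations[split_identifier(name)]
        if authz.wildcard and challenge != "dns-01":
            raise ValueError("wildcard identifiers can only be validated with dns-01")
        authz.status = "valid" if passed else "invalid"
        return authz.status

    def finalize(self, order_keys):
        """Issuance succeeds only if every authorization in the order is valid."""
        return all(self.authorizations[k].status == "valid" for k in order_keys)

    def can_revoke(self, cert_names):
        """RFC 8555 7.6: the account needs a valid authorization for every name."""
        for name in cert_names:
            authz = self.authorizations.get(split_identifier(name))
            if authz is None or authz.status != "valid":
                return False
        return True


def nonexistent_domain_trick(real_name, decoy_name):
    """Replay the thread's procedure: returns (revocable before, cert issued, revocable after)."""
    account = Account()  # fresh account, like the separate one used in the transcript
    before = account.can_revoke([real_name])
    order = account.new_order([real_name, decoy_name])
    account.complete_challenge(real_name, "dns-01", passed=True)    # TXT record deployed
    account.complete_challenge(decoy_name, "http-01", passed=False)  # NXDOMAIN, as expected
    issued = account.finalize(order)  # order fails, so no unwanted certificate is issued
    after = account.can_revoke([real_name])  # but the valid authorization remains
    return before, issued, after


if __name__ == "__main__":
    print(nonexistent_domain_trick("*.revokeme.foo.monkas.xyz", "nonexistent.example.com"))
```

Running it prints `(False, False, True)`: the fresh account cannot revoke at first, the decoy order never issues a certificate, and afterwards the account is authorized for the wildcard and can revoke. The wildcard flag in `split_identifier` is what makes an authorization for `revokeme.foo.monkas.xyz` insufficient for a certificate containing `*.revokeme.foo.monkas.xyz`, which is why the dns-01 challenge must be completed for the wildcard order rather than for the bare name.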

I think that error message comes from running “certbot certonly --csr foo.csr -d '*.proxy.xyz.net' -d nonexistent.xyz.net”.

@sdivyareddy216, if that’s what you did, don’t specify the --csr with CSR when doing this step.

The point of that step is to validate the hostname and give your account a valid authorization for it, not to issue a certificate. It doesn’t matter what CSR is used.


@mnordhoff, sure Matt, I tried without the csr option set… and set the dns challenge option for both the domains initially, and it failed as a TXT record couldn’t be added for the non-existent domain,

And faced

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nonexistent.abc.net
    Type: None
    Detail: DNS problem: REFUSED looking up TXT for
    _acme-challenge.nonexistent.abc.net

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    verifying the cert located at /etc/letsencrypt/live/cert_v2.pem matches the private key located at /etc/letsencrypt/keys/0000_key-certbot.pem has failed. Details: [(‘x509 certificate routines’, ‘X509_check_private_key’, ‘key values mismatch’)]
    Traceback (most recent call last):
    File “/a/lib/python3.5/site-packages/certbot/crypto_util.py”, line 293, in verify_cert_matches_priv_key
    context.use_privatekey_file(key_path)
    File “/a/lib/python3.5/site-packages/OpenSSL/SSL.py”, line 875, in use_privatekey_file
    self._raise_passphrase_exception()
    File “/a/lib/python3.5/site-packages/OpenSSL/SSL.py”, line 854, in _raise_passphrase_exception
    _raise_current_error()
    File “/a/lib/python3.5/site-packages/OpenSSL/_util.py”, line 54, in exception_from_error_queue
    raise exception_type(errors)
    OpenSSL.SSL.Error: [(‘x509 certificate routines’, ‘X509_check_private_key’, ‘key values mismatch’)]
    verifying the cert located at /etc/letsencrypt/live/cert_v2.pem matches the private key located at /etc/letsencrypt/keys/0000_key-certbot.pem has failed.

So now, I’m trying to do the http preferred challenge for the nonexistent domain along with the dns option for the actual one. Is it possible to do both in the same certbot certonly command?

What command did you run?

Validating the nonexistent domain isn’t supposed to succeed.


Thanks @mnordhoff, it worked fine after making a few corrections by removing unnecessary commands.
