Revoking certificates without having the account or private key

My domain is:
bitwise.solutions
I ran this command:
certbot certonly --manual --preferred-challenges=http -d bitwise.solutions
It succeeded, then:
certbot revoke --cert-path ~/332695916.crt --key-path /etc/letsencrypt/live/bitwise.solutions/privkey.pem
It produced this output:
The client lacks sufficient authorization :: Revocation request must be signed by private key of cert to be revoked, by the account key of the account that issued it, or by the account key of an account that holds valid authorizations for all names in the certificate.

My web server is (include version):
nginx 1.10.3
The operating system my web server runs on is (include version):
Debian 9
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

If you're trying to revoke an old certificate for which you no longer have the ACME account private key, or certificate private key, then you can follow the procedure documented here: Revoking Certificates - Let's Encrypt

You shouldn't need to provide --key-path; you just need to have recently issued an ~identical certificate, i.e. completed a successful authorization for the same domains, under the ACME account key from which you're revoking the certificate.

Here's an example usage.

  1. On one Certbot installation I have issued a staging certificate for b.foo.monkas.xyz .

     $ sudo ./certbot-auto certonly -d b.foo.monkas.xyz -a manual --staging --register-unsafely-without-email
    
  2. I completely delete all of the private keys from that Certbot installation. I've downloaded the certificate PEM file from crt.sh to a new environment with a blank Certbot.

  3. If I try to revoke the certificate from the new ACME account key, it doesn't work:

     $ sudo ./certbot-auto revoke --cert-path ./revoke.pem --staging
     Saving debug log to /var/log/letsencrypt/letsencrypt.log
     An unexpected error occurred:
     The client lacks sufficient authorization :: Revocation request must be signed by private key of cert to be revoked, by the account key of the account that issued it, or by the account key of an account that holds valid authorizations for all names in the certificate.
     Please see the logfiles in /var/log/letsencrypt for more details.
    
  4. So then I issue a new certificate using the same certonly command from the new account key.

     $ sudo ./certbot-auto certonly -d b.foo.monkas.xyz -a manual --staging --register-unsafely-without-email
    
  5. I try the revocation again (against the old certificate from the old ACME account key), and it now works:

     $ sudo ./certbot-auto revoke --cert-path ./revoke.pem --staging
     Saving debug log to /var/log/letsencrypt/letsencrypt.log
     -------------------------------------------------------------------------------
     Would you like to delete the cert(s) you just revoked?
     -------------------------------------------------------------------------------
     (Y)es (recommended)/(N)o: N
    

If you follow this operational template, you should be able to succeed.


Hi @daramousk,

@_az provided a wonderful explanation to accomplish the task, but what is the reason to revoke the cert? If your key has not been stolen or compromised somehow, there is no need to revoke the cert.

Cheers,
sahsanu


Hello and thank you for taking time to respond to this.

I am not sure I quite understand: what do you do differently in 4 and 5? I do not have the old ACME account key.

Yes, I am able to do a successful authorization (both http and dns), and yes, I am able to get a certificate and revoke it, but there are two old ones on https://crt.sh/?q=bitwise.solutions that I want removed.

I go on and download them in PEM format, put them in my filesystem and try to revoke them, but I get the error from step 3.

If you’re having problems revoking the 916 certificate, take note that you need to have authorization for ALL of the names.

        X509v3 Subject Alternative Name: 
            DNS:bitwise.solutions
            DNS:www.bitwise.solutions

If you’re missing the www authorization on the new ACME account key, then you’ll be denied authorization for the revocation. I would guess that that’s your problem.

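As an added example (not Certbot's or Let's Encrypt's own code), here is a small Python model of the authorization rule quoted in the server's error message and worked through in @_az's procedure above: it parses the DNS names out of a crt.sh-style SAN dump like the one shown and decides whether a given signer may revoke the certificate. The rule set is taken from the error text; the account/key identifiers, the `Certificate`/`Account` types and the `revocation_allowed` helper are assumptions for illustration only.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the SAN block of the '916' certificate in the crt.sh layout
# quoted in the thread (openssl's comma-separated layout is also accepted below).
SAN_TEXT = """X509v3 Subject Alternative Name:
            DNS:bitwise.solutions
            DNS:www.bitwise.solutions
"""

def parse_san_dns(text):
    """Return the set of DNS names in a crt.sh- or openssl-style SAN dump."""
    return {name.lower() for name in re.findall(r"DNS:([A-Za-z0-9.*-]+)", text)}

@dataclass(frozen=True)
class Certificate:            # illustrative model, not a real X.509 object
    san: frozenset            # DNS names the certificate covers
    key_id: str               # identifier of the certificate's own private key
    issuing_account: str      # identifier of the ACME account key that obtained it

@dataclass
class Account:                # illustrative model of an ACME account
    key_id: str
    valid_authz: set = field(default_factory=set)  # names with valid authorizations

def revocation_allowed(cert, signer_key_id, accounts):
    """Apply the three rules in the server's error message; return (allowed, reason)."""
    if signer_key_id == cert.key_id:
        return True, "signed by the certificate's own private key"
    if signer_key_id == cert.issuing_account:
        return True, "signed by the account key that issued the certificate"
    account = accounts.get(signer_key_id)
    if account is None:
        return False, "signer is neither the cert key nor a known account key"
    missing = set(cert.san) - account.valid_authz   # every SAN must be covered
    if missing:
        return False, "missing authorizations for: " + ", ".join(sorted(missing))
    return True, "account holds valid authorizations for all names in the certificate"

def demo():
    """Replay the thread: authz for the bare name only is denied, adding www succeeds."""
    cert = Certificate(frozenset(parse_san_dns(SAN_TEXT)), "cert-key-916", "old-account")
    new_account = Account("new-account", {"bitwise.solutions"})
    accounts = {new_account.key_id: new_account}
    first = revocation_allowed(cert, new_account.key_id, accounts)
    new_account.valid_authz.add("www.bitwise.solutions")   # the missing www authorization
    second = revocation_allowed(cert, new_account.key_id, accounts)
    return first, second
```

Run `demo()` to see the first attempt denied with the missing www name listed and the second attempt allowed, mirroring steps 3 to 5 of the procedure.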

Yep, that was it.

Thank you for your help _az, much appreciated.

