Unable to revoke the certificate, prompt AssertionError

My domain is: homo1145.xyz

I ran this command:

root@HK-Azure-B1s-Ubuntu:~/diaoxiao# certbot revoke --cert-path /root/diaoxiao/status.homo1145.xyz-fullchain.pem --key-path /root/diaoxiao/status.homo1145.xyz-privkey.pem --reason keyCompromise -v

It produced this output:

root@HK-Azure-B1s-Ubuntu:~/diaoxiao# certbot revoke --cert-path /root/diaoxiao/status.homo1145.xyz-fullchain.pem --key-path /root/diaoxiao/status.homo1145.xyz-privkey.pem --reason keyCompromise -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
AssertionError
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@HK-Azure-B1s-Ubuntu:~/diaoxiao# tail -n 50 /var/log/letsencrypt/letsencrypt.log
2024-12-25 23:59:57,070:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2024-12-25 23:59:57,249:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2024-12-25 23:59:57,249:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 25 Dec 2024 15:59:57 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: WVWTDxmJakS1jGVJH8Hco1aHZ5YCL04ROlCeQcE1rRFfbcW_6lY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2024-12-25 23:59:57,249:DEBUG:acme.client:Storing nonce: WVWTDxmJakS1jGVJH8Hco1aHZ5YCL04ROlCeQcE1rRFfbcW_6lY
2024-12-25 23:59:57,250:DEBUG:acme.client:JWS payload:
b'{\n  "certificate": "MIIDhzCCAw2gAwIBAgISA9fKkQFlP4pY8KWLqzEMWYV2MAoGCCqGSM49BAMDMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJFNTAeFw0yNDEyMTYxNTAyMTNaFw0yNTAzMTYxNTAyMTJaMB4xHDAaBgNVBAMTE3N0YXR1cy5ob21vMTE0NS54eXowWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjwuB5nVLMMrb0O_6C0m9hos7Asqymxn3IldAA8W14707wRTs0OitG_EsWIdtLmNJjh1GDcT_UMK7PVtgXIPm6o4ICFTCCAhEwDgYDVR0PAQH_BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTGek2dz5CH6Js-5ifXCN5NPToKQzAfBgNVHSMEGDAWgBSfK1_PPCFPnQS37SssxMZwi9LXDTBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAeBgNVHREEFzAVghNzdGF0dXMuaG9tbzExNDUueHl6MBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAzxFW7tUufK_zh1vZaS6b6RpxZ0qwF-ysAdJbd87MOwgAAAGT0DNPaAAABAMARjBEAiB71_mpsm8SJPIAR91kgbB7X8Ax8je0nyBI8cjmkwgMKQIgNIsvzEPtZQs74PceyCRliksGfjKVvvd4mssC8sBrZVEAdwDgkrP8DB3I52g2H95huZZNClJ4GYpy1nLEsE2lbW9UBAAAAZPQM09bAAAEAwBIMEYCIQCq0t2sch45zCyU6v9T3QwSZV7oI8mJbqVpGV7Exc6tGQIhAP2p5oH6EgFbIlfwtsztV8psoIfUsx1AyXJ_HsKu0E-pMAoGCCqGSM49BAMDA2gAMGUCMQDDcm62wXKr7pz8zg1ZJfb1Ly78MpVTianZCTj7bJo_Zz_LBB43N432JkEhg8c0gOoCME4daR0wt9p4fbj9EbfxTdFHc9xa_Q8loUk1Eo2ZXdaDRR8szg7ki1fDw7sazVTgDg",\n  "reason": 1\n}'
2024-12-25 23:59:57,250:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1245, in revoke
    acme.revoke(jose.ComparableX509(cert), config.reason)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 991, in revoke
    self.client.revoke(cert, rsn)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 821, in revoke
    self._revoke(cert, rsn, self.directory['revokeCert'])
  File "/usr/lib/python3/dist-packages/acme/client.py", line 237, in _revoke
    response = self._post(url,
  File "/usr/lib/python3/dist-packages/acme/client.py", line 101, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1269, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1280, in _post_once
    data = self._wrap_in_jws(obj, self._get_nonce(url, new_nonce_url), url, acme_version)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1085, in _wrap_in_jws
    return jws.JWS.sign(jobj, **kwargs).json_dumps(indent=2)
  File "/usr/lib/python3/dist-packages/acme/jws.py", line 56, in sign
    return super().sign(payload, key=key, alg=alg,
  File "/usr/lib/python3/dist-packages/josepy/jws.py", line 278, in sign
    cls.signature_cls.sign(payload=payload, **kwargs),))
  File "/usr/lib/python3/dist-packages/josepy/jws.py", line 217, in sign
    assert isinstance(key, alg.kty)
AssertionError
2024-12-25 23:59:57,255:ERROR:certbot._internal.log:An unexpected error occurred:
2024-12-25 23:59:57,255:ERROR:certbot._internal.log:AssertionError

My web server is (include version): OpenResty v1.21.4.3-3-3-focal

The operating system my web server runs on is (include version): Ubuntu 22.04.5 LTS x86_64

My hosting provider, if applicable, is: CloudFlare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): 1Panel v1.10.2-lts

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

2 Likes

Please update your ancient version of Certbot to something up to date (3.0.1 is the current version) and see if you get a more sensible error.

4 Likes

@Cx330-dev why are you revoking a certificate?

4 Likes

Because my operation and maintenance panel previously exposed a highly dangerous CVE vulnerability, I have reason to suspect that my certificate has been leaked.

4 Likes

That sounds valid to me.

3 Likes

@Osiris
Please update your ancient version of Certbot to something up to date (3.0.1 is the current version) and see if you get a more sensible error.

Emmm, I just checked and the latest version in the apt repository is only v1.21.0, but the latest version on snap is v3.0.1. I will switch to the snap version to test whether there is a clearer error message.

3 Likes

I updated certbot and then found a weird issue: Certbot said it couldn't find my certificate files, but when I re-ran the command it said my certificate had been revoked.

root@HK-Azure-B1s-Ubuntu:~/diaoxiao# certbot revoke --cert-path ./status.homo1145.xyz-fullchain.pem --key-path ./status.homo1145.xyz-privkey.pem --reason superseded -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the certificate(s) you just revoked, along with all
earlier and later versions of the certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: y
No match found for cert-path /root/diaoxiao/status.homo1145.xyz-fullchain.pem!
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@HK-Azure-B1s-Ubuntu:~/diaoxiao# ls
dosgame.homo1145.xyz-fullchain.pem  forward.homo1145.xyz-fullchain.pem  status.homo1145.xyz-fullchain.pem  tz.homo1145.xyz-fullchain.pem
dosgame.homo1145.xyz-privkey.pem    forward.homo1145.xyz-privkey.pem    status.homo1145.xyz-privkey.pem    tz.homo1145.xyz-privkey.pem
root@HK-Azure-B1s-Ubuntu:~/diaoxiao# cd /
root@HK-Azure-B1s-Ubuntu:/# cd /root
root@HK-Azure-B1s-Ubuntu:~# chmod 777 diaoxiao/
root@HK-Azure-B1s-Ubuntu:~# cd diaoxiao/
root@HK-Azure-B1s-Ubuntu:~/diaoxiao# certbot revoke --cert-path ./status.homo1145.xyz-fullchain.pem --key-path ./status.homo1145.xyz-privkey.pem --reason superseded -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
unable to revoke :: unable to re-revoke serial "03d7ca9101653f8a58f0a58bab310c598576" which is already revoked for keyCompromise
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@HK-Azure-B1s-Ubuntu:~/diaoxiao# 
2 Likes

From crt.sh (crt.sh | 15789232621), it did get revoked.

5 Likes

And, since you revoked for keyCompromise, all other certificates that shared that private key were also revoked. Wasn't sure you knew this.

Such as dosgame: crt.sh | 15792549281
And tz: crt.sh | 15792549153
And forward: crt.sh | 15790130857

5 Likes
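
The point made in the last reply (a keyCompromise revocation also takes down every other certificate that shares the private key) can be checked locally before revoking. The script below is an added example, not part of the thread or of Certbot; it assumes `openssl` is installed and the `<name>-fullchain.pem` naming seen in the `ls` output above, and its function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: group certificates by the public key they carry, to see which
# ones a keyCompromise revocation of a single key will affect.
# Assumes <name>-fullchain.pem files in one directory; names are hypothetical.

# SHA-256 of the DER SubjectPublicKeyInfo of the first (leaf) cert in a PEM file.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# Print "<fingerprint> <file>" for every *-fullchain.pem in a directory, sorted
# so certificates that share a key land on adjacent lines.
list_by_key() {
    local dir=$1 f
    for f in "$dir"/*-fullchain.pem; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(spki_sha256 "$f")" "$(basename "$f")"
    done | sort
}

# Print the other certificates in <dir> that share a key with <cert>.
shares_key_with() {
    local cert=$1 dir=$2 fp
    fp=$(spki_sha256 "$cert") || return 1
    list_by_key "$dir" | awk -v fp="$fp" -v self="$(basename "$cert")" \
        '$1 == fp && $2 != self { print $2 }'
}

# Succeeds only if the private key file belongs to the certificate, which is
# what the file given to --key-path has to satisfy.
key_matches_cert() {
    local key_fp
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1) || return 1
    [ "$key_fp" = "$(spki_sha256 "$2")" ]
}

# Stand-alone use: ./script.sh <directory> lists fingerprints per certificate.
if [ "$#" -ge 1 ]; then
    list_by_key "$1"
fi
```

Any file printed by `shares_key_with` needs a replacement certificate on a fresh key before the keyCompromise revocation is submitted.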
