Revoking certificate fails when using different account than originally creating the certificate
bruncsak opened this issue · 1 comment
I created a certificate with account A, but revoking the certificate with account B fails with the following error:
{
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "The certificate being revoked is not associated with account \"1\"",
  "status": 403
}
(Of course, before trying to revoke, all required identifiers are authorized in account B.)
I interpret RFC 8555 as saying that using a different account should be a permitted way to revoke a certificate.
Is my interpretation incorrect?
Reading RFC 8555, there are two cases where Account B can revoke a certificate created by Account A:
1. Account B is authorized for all of the identifiers in the certificate, or
2. Account B submits a revocation request with the JWS signed by the private key of the certificate.
Pebble implements (2), and I'm able to successfully revoke via that method using:
certbot unregister -n
certbot revoke --cert-path /etc/letsencrypt/live/revoke.example.com/cert.pem \
--key-path /etc/letsencrypt/live/revoke.example.com/privkey.pem -n
What you're hitting, I think, is that Pebble does not implement (1):
Lines 2561 to 2565 in 087582e
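To make the two revocation paths from the reply above concrete, here is an added example in Go. It is not Pebble's code and not from either participant; it models both sides of the RFC 8555 section 7.6 exchange: a client that builds the revocation JWS signed either by an account key (a "kid" header) or by the certificate's own key (an embedded "jwk" header), and a server that verifies the JWS and then applies the authorization rules. The `AllowAuthzRevoke` flag is a hypothetical switch for case (1); with it off, the model answers the way Pebble does in this issue (only the account that ordered the certificate, or the certificate key itself, may revoke). The account identifiers, the revoke-cert URL, the serial number, the DNS name and the self-signed stand-in certificate are all constructed for the example, and nonce and URL validation are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// ACME problem types from RFC 8555 section 6.7, returned here as sentinel errors.
var ErrUnauthorized = errors.New("urn:ietf:params:acme:error:unauthorized")
var ErrMalformed = errors.New("urn:ietf:params:acme:error:malformed")
var b64 = base64.RawURLEncoding

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// dec is base64url decoding that maps any error to nil, which every later step rejects.
func dec(s string) []byte {
	b, err := b64.DecodeString(s)
	if err != nil {
		return nil
	}
	return b
}

func coord(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
func NewKey() *ecdsa.PrivateKey  { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// SelfSignedCert stands in for the CA-issued certificate; only serial, key and SANs matter here.
func SelfSignedCert(key *ecdsa.PrivateKey, serial int64, names []string) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: names, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// RevokeJWS builds the RFC 8555 section 7.6 request. With kid set, an account key signs and
// the header carries "kid"; with kid empty, the certificate key signs and is embedded as "jwk".
func RevokeJWS(signer *ecdsa.PrivateKey, kid string, certDER []byte, nonce string) string {
	h := map[string]any{"alg": "ES256", "nonce": nonce, "url": "https://acme.example/revoke-cert"}
	if kid == "" {
		h["jwk"] = map[string]string{"kty": "EC", "crv": "P-256", "x": coord(signer.X), "y": coord(signer.Y)}
	} else {
		h["kid"] = kid
	}
	protected := b64.EncodeToString(must(json.Marshal(h)))
	payload := b64.EncodeToString(must(json.Marshal(map[string]string{"certificate": b64.EncodeToString(certDER)})))
	digest := sha256.Sum256([]byte(protected + "." + payload))
	r, s, err := ecdsa.Sign(rand.Reader, signer, digest[:])
	if err != nil {
		panic(err)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is raw R||S, not DER
	return string(must(json.Marshal(map[string]string{"protected": protected, "payload": payload, "signature": b64.EncodeToString(sig)})))
}

// Server models the CA state behind the decision; AllowAuthzRevoke switches on RFC 8555 case (1).
type Server struct {
	Accounts         map[string]*ecdsa.PublicKey // kid -> account key
	Orders           map[string]string           // certificate serial -> kid of the account that ordered it
	Authz            map[string]map[string]bool  // kid -> DNS names it holds valid authorizations for
	AllowAuthzRevoke bool
}

// Revoke verifies the JWS and then applies the authorization rules (nonce and URL checks omitted).
func (s *Server) Revoke(raw string) error {
	var j struct{ Protected, Payload, Signature string } // json.Unmarshal matches names case-insensitively
	var h struct {
		Alg, Kid string
		JWK      *struct{ Kty, Crv, X, Y string }
	}
	var body struct{ Certificate string }
	if json.Unmarshal([]byte(raw), &j) != nil || json.Unmarshal(dec(j.Protected), &h) != nil ||
		json.Unmarshal(dec(j.Payload), &body) != nil || h.Alg != "ES256" || (h.Kid == "") == (h.JWK == nil) {
		return ErrMalformed // includes the "exactly one of kid / jwk" rule of section 6.2
	}
	sig := dec(j.Signature)
	cert, err := x509.ParseCertificate(dec(body.Certificate))
	if err != nil || len(sig) != 64 {
		return ErrMalformed
	}
	pub := s.Accounts[h.Kid] // verification key: the registered account key, or the embedded jwk
	if k := h.JWK; k != nil {
		pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(k.X)), Y: new(big.Int).SetBytes(dec(k.Y))}
		if k.Kty != "EC" || k.Crv != "P-256" || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
			return ErrMalformed
		}
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	if pub == nil || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return ErrMalformed // unknown account, or a signature that does not verify under the selected key
	}
	if h.JWK != nil { // case (2): the embedded signing key must be the certificate's own key
		if cp, ok := cert.PublicKey.(*ecdsa.PublicKey); ok && cp.Equal(pub) {
			return nil
		}
		return ErrUnauthorized
	}
	if s.Orders[cert.SerialNumber.String()] == h.Kid { // the account that ordered the certificate
		return nil
	}
	if !s.AllowAuthzRevoke || len(cert.DNSNames) == 0 { // Pebble stops here; case (1) follows
		return ErrUnauthorized
	}
	for _, n := range cert.DNSNames { // case (1): valid authorizations for every identifier
		if !s.Authz[h.Kid][n] {
			return ErrUnauthorized
		}
	}
	return nil
}
```

The ordering inside `Revoke` is the part worth copying: the verification key is chosen from the header form first, the signature is checked under that key, and only then is the account/certificate relationship evaluated. Checking the relationship before the signature would let an unauthenticated request learn which account a certificate belongs to from the error type alone.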