Acme errors while revoking a cert

(Michael (Parker) Parker) #1

I am trying to revoke an LE cert that was generated with caddy. Caddy will start fine with the cert that is there, but I can’t revoke it with -revoke <domain>.

I have run caddy with the -revoke flag and the domain I am attempting to remove. I have the key and cert information in the .caddy folder under my user.

The following is the response:

2018/04/10 12:40:44 acme: Error 403 - urn:acme:error:unauthorized - Revocation request must be signed by private key of cert to be revoked, by the account key of the account that issued it, or by the account key of an account that holds valid authorizations for all names in the certificate.
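The 403 above lists the three keys that may sign a revocation request; the first thing worth checking on the client side is that the key file sitting beside the certificate really is that certificate's private key. The following shell example is added here and is not from the thread or from Caddy: it compares the public key derived from a private key with the one embedded in a certificate, using a throwaway self-signed certificate and a second unrelated key that it generates itself with openssl (file names are made up for the example).

```shell
#!/bin/sh
# Added example (not from the thread): check that a private key belongs to a
# certificate by comparing the public key each one yields. All files are
# constructed here with openssl, so nothing touches a real .caddy folder.
set -eu

# Print the public key (PEM) embedded in a certificate.
cert_pubkey() {
  openssl x509 -in "$1" -noout -pubkey
}

# Print the public key (PEM) derived from a private key.
key_pubkey() {
  openssl pkey -in "$1" -pubout
}

# Prints "match" and returns 0 when key $1 is the private key of cert $2;
# prints "mismatch" and returns 1 otherwise.
key_matches_cert() {
  if [ "$(key_pubkey "$1")" = "$(cert_pubkey "$2")" ]; then
    echo match
    return 0
  fi
  echo mismatch
  return 1
}

# Build constructed fixtures: a self-signed cert with its key, plus an
# unrelated second key that should NOT match. Prints the directory used.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.test" \
    -keyout "$dir/example.test.key" -out "$dir/example.test.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.key" >/dev/null 2>&1
  echo "$dir"
}

main() {
  dir=$(make_fixtures)
  key_matches_cert "$dir/example.test.key" "$dir/example.test.crt" || true
  key_matches_cert "$dir/other.key" "$dir/example.test.crt" || true
  rm -rf "$dir"
}

main
```

Point the two paths at the real key and certificate files to run the same check against a live deployment; a "mismatch" result explains a revocation signed with the wrong key.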

(Matt Holt) #2

Hmm, I haven’t tested revocation too seriously with the ACMEv2 yet, it’s possible this needs a little polishing. :slight_smile: I’ll look into it with xenolf!

PS. Don’t revoke a certificate unless you’ve lost your private key or control over DNS.

(Michael (Parker) Parker) #3

I was revoking my cert because I was changing away from caddy. I need to revoke the certs to renew them under the new setup.

(Matt Holt) #4

You shouldn’t need to revoke them in order to do a renewal by a different client. (Why are you switching, by the way?) It could be a bug or misconfiguration in whatever ACME client you’re now using, if it can’t get a cert.

(Michael (Parker) Parker) #5

Sorry it took so long to reply to this.

Currently the site runs in a docker container and I was moving it out to an nginx-based one. I have a docker volume for the .caddy folder for the cert files. Honestly, I was just opening a forum post asking what I could be doing wrong to revoke a cert. I guess this should have been a github issue then, as it seems like it’s a bug instead.

(Matt Holt) #6

Thanks for explaining. It is a bug per se, but don’t bother opening an issue about it, since it’s known, and the reason is that the upstream library that implements it is still in development (the revoke feature is not finished yet).