Private keys compromised

1. Caddy version (caddy version):

caddy 2

2. How I run Caddy:

I use this image: Docker Hub

FROM caddy:2-alpine

WORKDIR /app
COPY Caddyfile /etc/caddy/Caddyfile
COPY --from=builder /app/build /var/www/html

a. System environment:

Docker (caddy on alpine)

b. Command:

I just use docker-compose to build/run container with caddy image.

c. Service/unit/compose file:

version: "3.8"
services: 
  backend:
    container_name: backend-container
    restart: always
    build: ./backend
    ports: 
      - "3001:80"
  
  frontend:
    container_name: frontend-container
    restart: always
    build: ./frontend
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - "./caddy-data:/data"
    #depends_on:
    #  - "backend"
    #stdin_open: true # docker run -i
    #tty: true        # docker run -t


d. My complete Caddyfile or JSON config:

https://www.innodocs.tech {
	redir https://innodocs.tech{uri}
}

https://innodocs.tech {
	root * /var/www/html
	file_server
	try_files {path} /index.html
}

3. The problem I’m having:

I accidentally pushed a private key (the Caddy data folder) to a public GitHub repository and now I'm having a hard time revoking the SSL certs.

Here is the structure of caddy-data:
.
└── caddy
    ├── acme
    │   ├── acme-v02.api.letsencrypt.org-directory
    │   │   ├── challenge_tokens
    │   │   └── users
    │   │       └── default
    │   └── acme.zerossl.com-v2-dv90
    │       └── challenge_tokens
    ├── certificates
    │   ├── acme-v02.api.letsencrypt.org-directory
    │   │   ├── innodocs.tech
    │   │   │   ├── innodocs.tech.crt
    │   │   │   ├── innodocs.tech.json
    │   │   │   └── innodocs.tech.key
    │   │   └── www.innodocs.tech
    │   │       ├── www.innodocs.tech.crt
    │   │       ├── www.innodocs.tech.json
    │   │       └── www.innodocs.tech.key
    │   └── acme.zerossl.com-v2-dv90
    ├── locks
    └── ocsp
        ├── innodocs.tech-bd4f7d09
        └── www.innodocs.tech-510ed96f

4. Error messages and/or full log output:

5. What I already tried:

(1) certbot revoke --cert-path ./innodocs.tech.crt --key-path ./innodocs.tech.key

6. Links to relevant resources:

Did you check those log files quoted in the command output?

We can’t really give support for certbot here.

But once you have it revoked, all you need to do is delete data from Caddy’s storage, then reload Caddy, and it’ll fetch a fresh certificate with a fresh key.

Thanks for the quick answer. Yes, I did check the log file, but sadly I don’t understand anything from it.

Here is the content (the key has already been compromised, so I haven’t deleted any lines from it):

2021-05-02 17:27:54,728:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-05-02 17:27:55,197:DEBUG:certbot._internal.main:certbot version: 1.14.0
2021-05-02 17:27:55,197:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1093/bin/certbot
2021-05-02 17:27:55,197:DEBUG:certbot._internal.main:Arguments: ['--cert-path', './innodocs.tech.crt', '--key-path', './innodocs.tech.key', '--preconfigured-renewal']
2021-05-02 17:27:55,198:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-02 17:27:55,217:DEBUG:certbot._internal.log:Root logging level set at 20
2021-05-02 17:27:55,218:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-02 17:27:55,220:DEBUG:certbot._internal.main:Revoking /root/Nokia/innovativeproject-wiki/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/innodocs.tech/innodocs.tech.crt using certificate key /root/Nokia/innovativeproject-wiki/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/innodocs.tech/innodocs.tech.key
2021-05-02 17:27:55,239:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-05-02 17:27:55,241:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-05-02 17:27:55,777:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-05-02 17:27:55,779:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 May 2021 17:27:55 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "tJqZn_Zekz4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2021-05-02 17:27:55,781:DEBUG:certbot._internal.main:Reason code for revocation: 0
2021-05-02 17:27:55,781:DEBUG:acme.client:Requesting fresh nonce
2021-05-02 17:27:55,781:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-05-02 17:27:55,912:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-05-02 17:27:55,913:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 02 May 2021 17:27:55 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0103pt_cTRDemaCksoRZj5CxRjBYN7tPSxwfzD-naitmYx0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-05-02 17:27:55,914:DEBUG:acme.client:Storing nonce: 0103pt_cTRDemaCksoRZj5CxRjBYN7tPSxwfzD-naitmYx0
2021-05-02 17:27:55,914:DEBUG:acme.client:JWS payload:
b'{\n  "certificate": "MIIEVTCCAz2gAwIBAgISBKCHrh9qwO9RleWXpjldbtLLMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMTA0MjkxMzQ2NDdaFw0yMTA3MjgxMzQ2NDdaMBgxFjAUBgNVBAMTDWlubm9kb2NzLnRlY2gwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASqA8v55xKLWOP-ZXAHM8grxdvM2TQXrl9EO9LCQYJNu2_qXeUljHuj7iI97biwHHAxxTCcAt5xYqYmW-3-9Ah-o4ICSDCCAkQwDgYDVR0PAQH_BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQwY81toTuNXMfxJCFAg3pVuGplQjAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6-dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAYBgNVHREEETAPgg1pbm5vZG9jcy50ZWNoMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcARJRlLrDuzq_EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAF5Hhi6MQAABAMASDBGAiEAqVSsWppNYlbxvmjZvCToPucZt9m5SHCZYmIDYREi4RICIQCFvtBRAL3yQJSBSFOa2avAm81d43GA_CdjQisqjev0ggB1AH0-8viP_4hVaCTCwMqeUol5K8UOeAl_LmqXaJl-IvDXAAABeR4YukwAAAQDAEYwRAIgZLmFRAZgUYUhEaWsSMr_5c0DvoLtPW2mtsSWzk_Zne8CIEPcpCQkLp9yFDzQKDT5QmDIqL6F9v8C4p7Sm1BZNRN4MA0GCSqGSIb3DQEBCwUAA4IBAQBxtl2HelOUhRlSqrkypN-esE4V-DsO6TtBwdkLNnbZUjJqBF5xmY9xo8V2a3H0sb8PWq24C3dkfC1yglz-BAzvGUFgiTs5pyn8GLMMJtwXg-mG1vRxZFVpmtPfbq35kcVKCB0ehF_8q8IA-ZmCOXoutC9a_nIAHCCnh6THRJ4pRh8Biz2KN7ej6soxtYloFeniVebrbMLG5ff_vP1q-_Elpsapwq4uIZGZghbCZO_agRkEPA3RC_ezarkMBfRMcPJ6wSwD7FaraYOa2AXC0NBCgSeJr0YNzeElf9jQwMZX8LURqN20Y1xRaR0zY1em6fppStSKz2zBufhEk1NPIECu",\n  "reason": 0\n}'
2021-05-02 17:27:55,915:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1093/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1123, in revoke
    acme.revoke(jose.ComparableX509(cert), config.reason)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 934, in revoke
    return self.client.revoke(cert, rsn)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 770, in revoke
    return self._revoke(cert, rsn, self.directory['revokeCert'])
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 215, in _revoke
    response = self._post(url,
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 86, in _post
    return self.net.post(*args, **kwargs)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 1198, in post
    return self._post_once(*args, **kwargs)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 1208, in _post_once
    data = self._wrap_in_jws(obj, self._get_nonce(url, new_nonce_url), url, acme_version)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/client.py", line 1026, in _wrap_in_jws
    return jws.JWS.sign(jobj, **kwargs).json_dumps(indent=2)
  File "/snap/certbot/1093/lib/python3.8/site-packages/acme/jws.py", line 53, in sign
    return super(JWS, cls).sign(payload, key=key, alg=alg,
  File "/snap/certbot/1093/lib/python3.8/site-packages/josepy/jws.py", line 266, in sign
    cls.signature_cls.sign(payload=payload, **kwargs),))
  File "/snap/certbot/1093/lib/python3.8/site-packages/josepy/jws.py", line 207, in sign
    assert isinstance(key, alg.kty)
AssertionError
2021-05-02 17:27:55,929:ERROR:certbot._internal.log:An unexpected error occurred:
2021-05-02 17:27:55,929:ERROR:certbot._internal.log:AssertionError

Looks like a Python type assertion error of some kind. You’ll need to ask on https://community.letsencrypt.org/ for help with certbot.

Thanks, I asked there.