
Finding existing accounts (by key) and revocation

Hi,

While testing the Ansible ACME client, I found some things which might be of interest:

1. When trying to look up an account from its public key without specifying onlyReturnExisting:true (which is only available for ACME v2), one needs to specify a contact email and agree to the terms. Other implementations only give errors about that when the account does not exist (and would be created, but can't because that's missing). This makes it impossible to revoke a certificate via ACME v1 with the account key without knowing the account URI or the user's email address (or without risking creating an account).

2. I noticed that I cannot revoke certificates with their private key. I always get:

{
  "code": 400,
  "detail": "The key is unknown",
  "details": "HTTP 400 Bad Request",
  "message": "MALFORMED_BAD_REQUEST",
  "type": "urn:ietf:params:acme:error:malformed"
}

3. When trying to revoke certificates with the account key via ACME v2, I get:

{
  "code": 500,
  "details": "HTTP 500 Internal Server Error",
  "message": "INTERNAL_SERVER_ERROR"
}

(All my tests were with the staging API endpoint.)

Best regards,

Felix
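
As an added example (not part of Felix's post, and not code from the Ansible client or from Buypass), the Go program below builds the three request types the post discusses: the ACME v2 account lookup with onlyReturnExisting (jwk in the protected header, no contact, no termsOfServiceAgreed), a revokeCert signed with the account key (kid in the header), and a revokeCert signed with the certificate's own private key (jwk in the header). It then checks revocations the way an RFC 8555 section 7.6 server would, accepting a jwk only when it is the public key inside the certificate being revoked. The account URL, the endpoint URLs and the self-signed certificate are assumed placeholders, and the server-side check leaves out nonce, alg and url validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var b64 = base64.RawURLEncoding // every JWS component is base64url without padding (RFC 8555 s6.1)

// jwk renders a P-256 public key as a JWK; json.Marshal sorts map keys, which is the RFC 7638 order.
func jwk(pub *ecdsa.PublicKey) map[string]any {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]any{"crv": "P-256", "kty": "EC", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// sign builds the flattened ES256 JWS ACME posts; the header carries exactly one of kid and jwk (RFC 8555 s6.2).
func sign(key *ecdsa.PrivateKey, kid, nonce, url string, payload any) (map[string]string, error) {
	hdr := map[string]any{"alg": "ES256", "nonce": nonce, "url": url, "kid": kid}
	if kid == "" { // no account URL: the request is authenticated by the embedded public key instead
		delete(hdr, "kid")
		hdr["jwk"] = jwk(&key.PublicKey)
	}
	hb, _ := json.Marshal(hdr)
	pb, _ := json.Marshal(payload)
	p, pl := b64.EncodeToString(hb), b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(p + "." + pl))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return map[string]string{"protected": p, "payload": pl, "signature": b64.EncodeToString(sig)}, nil
}

// lookupAccount finds an account from its key alone (s7.3.1): jwk header, onlyReturnExisting payload,
// no contact, no termsOfServiceAgreed. The server answers with the account URL or accountDoesNotExist.
func lookupAccount(acct *ecdsa.PrivateKey, nonce, newAccountURL string) (map[string]string, error) {
	return sign(acct, "", nonce, newAccountURL, map[string]bool{"onlyReturnExisting": true})
}

// revokeCert (s7.6): kid set means signed by the account key; kid empty means signed by the certificate's key.
func revokeCert(key *ecdsa.PrivateKey, kid, nonce, revokeURL string, certDER []byte) (map[string]string, error) {
	return sign(key, kid, nonce, revokeURL, map[string]string{"certificate": b64.EncodeToString(certDER)})
}

// verifyRevocation is the server side of s7.6: a kid must name a known account, a jwk must be the certificate's own key.
func verifyRevocation(j map[string]string, accounts map[string]*ecdsa.PublicKey) error {
	var hdr struct{ Kid string; Jwk map[string]any }
	var body struct{ Certificate string }
	hb, _ := b64.DecodeString(j["protected"])
	pb, _ := b64.DecodeString(j["payload"])
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &body) != nil {
		return errors.New("malformed: undecodable protected header or payload")
	}
	der, _ := b64.DecodeString(body.Certificate)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("malformed: %w", err)
	}
	certPub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	if (hdr.Jwk == nil) == (hdr.Kid == "") {
		return errors.New("malformed: exactly one of jwk and kid is required")
	}
	pub := accounts[hdr.Kid] // account-key revocation: kid must name a known account
	if hdr.Jwk != nil && certPub != nil && hdr.Jwk["x"] == jwk(certPub)["x"] && hdr.Jwk["y"] == jwk(certPub)["y"] {
		pub = certPub // certificate-key revocation: jwk must be the key in the certificate itself
	}
	sig, _ := b64.DecodeString(j["signature"])
	digest := sha256.Sum256([]byte(j["protected"] + "." + j["payload"]))
	if pub == nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("unauthorized: unknown account, jwk is not the certificate's key, or bad signature")
	}
	return nil
}

func selfSignedCert(key *ecdsa.PrivateKey) []byte { // constructed fixture standing in for a CA-issued cert
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	acct, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	kid, der := "https://ca.example/acme/acct/1", selfSignedCert(certKey) // assumed account URL; constructed cert
	accounts := map[string]*ecdsa.PublicKey{kid: &acct.PublicKey}
	byAcct, _ := revokeCert(acct, kid, "nonce-1", "https://ca.example/acme/revoke-cert", der)
	byCert, _ := revokeCert(certKey, "", "nonce-2", "https://ca.example/acme/revoke-cert", der)
	fmt.Println(verifyRevocation(byAcct, accounts), verifyRevocation(byCert, accounts)) // <nil> <nil>
}
```

Each map returned by sign is what a client would POST as application/jose+json to the URL in the header, after fetching a fresh Replay-Nonce from the newNonce resource. The lookup request is the ACME v2 answer to point 1: a conforming server either returns the existing account URL or urn:ietf:params:acme:error:accountDoesNotExist, and must not create an account or demand contact or terms agreement. The certificate-key path in verifyRevocation is what a server needs in order to accept the request from point 2; a server that only supports account-key revocation will reject that form, as Buypass does.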

Hi Felix Fontein,

1. We improved our solution according to the suggested flow and this is available now in our test environment.

2. We do not support revocation requests that are signed with the key pair in the certificate at the moment.

3. The issue is resolved.

Regards,

Andriy

Hi Andriy Mahats,

Thanks a lot for your reply! I reran my tests; 1. and 3. now work as expected. Thanks!

For 2., I was assuming it wasn't supported, but I wanted to check, in case we implemented the specs differently :)

Thanks again and best regards,

Felix

Buypass Official Community

This is the official community of Buypass, a Root CA located in Norway.
