Finding existing accounts (by key) and revocation
Hi,
while testing the Ansible ACME client, I found some things which might be of interest:
1. When trying to look up an account from its public key without specifying onlyReturnExisting:true (which is only available for ACME v2), one needs to specify a contact email and agree to the terms. Other implementations only give errors about that when the account does not exist (and would be created, but can't because that's missing). This makes it impossible to revoke a certificate via ACME v1 with the account key without knowing the account URI or the user's email address (or without risking creating an account).
2. I noticed that I cannot revoke certificates with their private key. I always get:
{
"code": 400,
"detail": "The key is unknown",
"details": "HTTP 400 Bad Request",
"message": "MALFORMED_BAD_REQUEST",
"type": "urn:ietf:params:acme:error:malformed"
}
3. When trying to revoke certificates with the account key via ACME v2, I get:
{
"code": 500,
"details": "HTTP 500 Internal Server Error",
"message": "INTERNAL_SERVER_ERROR"
}
(All my tests were with the staging API endpoint.)
Best regards,
Felix
-
Hi Felix Fontein
1. We improved our solution according to the suggested flow and this is available now in our test environment.
2. We do not support revocation requests that are signed with the key pair in the certificate at the moment.
3. The issue is resolved.
Regards,
Andriy
-
Hi Andriy Mahats
Thanks a lot for your reply! I reran my tests, 1. and 3. now work as expected. Thanks!
For 2., I was assuming it wasn't supported, but I wanted to check, in case we implemented the specs differently :)
Thanks again and best regards,
Felix
