acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Revoke fails for certificate made from CSR #1344

Open VA1DER opened 6 years ago

VA1DER commented 6 years ago

When a certificate is made using an existing CSR, there is no domain key in the directory and no way on the command line to specify a domain key. There is, therefore, no built-in way to revoke the certificate.

If the domain key is copied manually to the directory, revoking creates the following error:

$ acme.sh --revoke -d va1der.ca
[Sat Mar 10 23:46:41 AST 2018] Try domain key first.
[Sat Mar 10 23:46:42 AST 2018] Revoke error by domain key.
[Sat Mar 10 23:46:42 AST 2018] {"type":"urn:acme:error:malformed","detail":"Unable to parse revoke certificate DER","status": 400}
[Sat Mar 10 23:46:42 AST 2018] Try account key.
[Sat Mar 10 23:46:42 AST 2018] Only RSA or EC key is supported.

Both the account and domain keys are existing RSA 4096 bit keys in PEM format. The account key functioned as expected when the CSR was signed with acme.sh in standalone mode.
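
Two pre-flight checks for the situation described above, added here as an example and not code from acme.sh: they confirm that a hand-copied domain key actually belongs to the certificate, and that the certificate converts to (and back from) the base64url DER an ACME revoke request carries. Assumptions: openssl is installed, and the certificate and key paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Run these before `acme.sh --revoke`
# when the domain key was copied into the directory by hand.
# Arguments are assumptions: $1 = certificate (PEM), $2 = private key (PEM).

# Exit 0 when the private key's public half equals the certificate's
# public key; exit 2 if either file does not parse as PEM at all.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate as unpadded base64url DER, the form used by the
# "certificate" field of an ACME revokeCert request (RFC 8555, 7.6).
cert_der_b64url() {
  openssl x509 -in "$1" -outform DER | openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Exit 0 when a base64url DER string decodes back into a parseable X.509
# certificate, i.e. the CA would not reject it as unparseable DER.
der_b64url_roundtrips() {
  b64=$(printf '%s' "$1" | tr '_-' '/+')
  # restore the '=' padding that base64url strips
  while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
  printf '%s' "$b64" | openssl base64 -d -A \
    | openssl x509 -inform DER -noout >/dev/null 2>&1
}

# Stand-alone use: ./check.sh cert.pem domain.key
if [ "$#" -eq 2 ]; then
  if key_matches_cert "$1" "$2"; then echo "key matches certificate"
  else echo "key does NOT match certificate (or is not PEM)"; fi
  if der_b64url_roundtrips "$(cert_der_b64url "$1")"; then
    echo "certificate DER round-trips"
  else echo "certificate DER does NOT round-trip"; fi
fi
```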

Neilpang commented 6 years ago

Can you please give the debug log:

acme.sh --revoke -d va1der.ca --debug 2

VA1DER commented 6 years ago

Debug output attached: revoke_log.txt