letsencrypt / pebble

A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.
Mozilla Public License 2.0

Revoking certificate fails when using different account than originally creating the certificate #398

Open bruncsak opened 1 year ago

bruncsak commented 1 year ago

I created a certificate with account A, but revoking the certificate with account B fails with the following error:

```json
{
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "The certificate being revoked is not associated with account \"1\"",
  "status": 403
}
```

(Of course, before trying to revoke, all required identifiers are authorized in account B.) I interpret RFC 8555 as saying that using a different account should be a permitted way to revoke a certificate. Is my interpretation incorrect?

alexzorin commented 1 year ago

Reading RFC 8555, there are two cases where Account B can revoke a certificate created by Account A:

  1. Account B is authorized for all of the identifiers in the certificate, or
  2. Account B submits a revocation request with the JWS signed by the private key of the certificate

Pebble implements (2), and I'm able to successfully revoke using that method with:

```shell
certbot unregister -n
certbot revoke --cert-path /etc/letsencrypt/live/revoke.example.com/cert.pem \
               --key-path /etc/letsencrypt/live/revoke.example.com/privkey.pem -n
```

What you're hitting, I think, is that Pebble does not implement (1):

https://github.com/letsencrypt/pebble/blob/087582e3011931db2692db14320b236e8cf9b491/wfe/wfe.go#L2561-L2565
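The revocation paths alexzorin lists, plus the RFC's first one (the account that ordered the certificate), as an added Go example that is not Pebble's code. It models a hypothetical in-memory CA (the Cert, CA, RevocationRequest, AuthorizeRevocation and Scenario names are mine, not Pebble's); the keys, serial and request payload are constructed, and the revokeCert JWS is reduced to a signature over the payload made with either a registered account key (the `kid` case) or the certificate's own key (the `jwk` case). What it shows is the authorization decision a CA has to make for each request, including the "other account with authorizations for every identifier" case that the linked Pebble code refuses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrUnauthorized = errors.New("urn:ietf:params:acme:error:unauthorized") // error type from the report above
func IsUnauthorized(err error) bool                                    { return errors.Is(err, ErrUnauthorized) }

// Hypothetical in-memory model of the CA state that RFC 8555 section 7.6 consults.
type Cert struct {
	Identifiers []string         // DNS names the certificate covers
	AccountID   string           // account that ordered it
	PublicKey   *ecdsa.PublicKey // subject public key
}
type CA struct {
	Certs    map[string]*Cert            // by serial
	Accounts map[string]*ecdsa.PublicKey // account ID -> registered account key
	Authz    map[string]map[string]bool  // Authz[account][identifier]: valid authorization held
}
type RevocationRequest struct { // stands in for the revokeCert JWS: exactly one of KID, JWK is set
	Serial, KID  string
	Payload, Sig []byte
	JWK          *ecdsa.PublicKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func sign(priv *ecdsa.PrivateKey, payload []byte) []byte {
	d := sha256.Sum256(payload)
	return must(ecdsa.SignASN1(rand.Reader, priv, d[:]))
}

// AuthorizeRevocation applies the section 7.6 rules: the requester ordered the certificate,
// or holds authorizations for every identifier in it, or signed with the certificate's key.
func (ca *CA) AuthorizeRevocation(req RevocationRequest) error {
	cert, ok := ca.Certs[req.Serial]
	if !ok || (req.KID == "") == (req.JWK == nil) {
		return errors.New("urn:ietf:params:acme:error:malformed: unknown certificate or not exactly one of kid/jwk")
	}
	d := sha256.Sum256(req.Payload)
	if req.JWK != nil { // signed with the certificate's private key
		if !req.JWK.Equal(cert.PublicKey) || !ecdsa.VerifyASN1(req.JWK, d[:], req.Sig) {
			return fmt.Errorf("%w: request not signed by the certificate key", ErrUnauthorized)
		}
		return nil
	}
	key, ok := ca.Accounts[req.KID] // signed with a registered account key
	if !ok || !ecdsa.VerifyASN1(key, d[:], req.Sig) {
		return fmt.Errorf("%w: unknown account or bad signature", ErrUnauthorized)
	}
	if cert.AccountID == req.KID { // the account that ordered the certificate
		return nil
	}
	for _, id := range cert.Identifiers { // any other account needs a valid authz for every name
		if !ca.Authz[req.KID][id] {
			return fmt.Errorf("%w: account %q is not authorized for %q", ErrUnauthorized, req.KID, id)
		}
	}
	return nil
}

// Scenario replays the thread with constructed keys and data: account A ordered a two-name
// certificate, B holds authorizations for both names, C for only one. nil means accepted.
func Scenario() map[string]error {
	keyA, keyB, keyC, certKey := newKey(), newKey(), newKey(), newKey()
	ca := &CA{
		Certs:    map[string]*Cert{"01": {Identifiers: []string{"revoke.example.com", "www.revoke.example.com"}, AccountID: "A", PublicKey: &certKey.PublicKey}},
		Accounts: map[string]*ecdsa.PublicKey{"A": &keyA.PublicKey, "B": &keyB.PublicKey, "C": &keyC.PublicKey},
		Authz:    map[string]map[string]bool{"B": {"revoke.example.com": true, "www.revoke.example.com": true}, "C": {"revoke.example.com": true}},
	}
	payload := []byte(`{"certificate":"<base64url DER>","reason":1}`) // constructed request body
	req := func(kid string, jwk *ecdsa.PublicKey, signer *ecdsa.PrivateKey) RevocationRequest {
		return RevocationRequest{Serial: "01", KID: kid, JWK: jwk, Payload: payload, Sig: sign(signer, payload)}
	}
	return map[string]error{
		"owner account A":          ca.AuthorizeRevocation(req("A", nil, keyA)),
		"account B, all authz":     ca.AuthorizeRevocation(req("B", nil, keyB)),
		"account C, partial authz": ca.AuthorizeRevocation(req("C", nil, keyC)),
		"account B, forged sig":    ca.AuthorizeRevocation(req("B", nil, keyC)),
		"certificate key":          ca.AuthorizeRevocation(req("", &certKey.PublicKey, certKey)),
		"embedded non-cert key":    ca.AuthorizeRevocation(req("", &keyC.PublicKey, keyC)),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-26s -> %v\n", name, err)
	}
}
```

Two details worth noting against the thread: the `kid` alone is never trusted (the "account B, forged sig" case fails on signature verification before any authorization rule is consulted), and the `jwk` path checks that the embedded key equals the certificate's subject key before verifying the signature, which is what keeps the certificate-key path from becoming "anyone who can sign anything may revoke". A real ACME server would also parse the `certificate` field of the payload to find the serial, and would check that each authorization is still valid (not expired or deactivated) rather than a boolean.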