getssl
Cannot revoke certificate due to "Certificate from unrecognized issuer"
Describe the bug
I requested a certificate using the following domain configuration:
# cat .getssl/sub.domain.com/getssl.cfg | grep -v "^#" | grep .
ACL=('/usr/share/www/.well-known/acme-challenge')
PREFERRED_CHAIN="ISRG Root X1"
#
It created a certificate with the incorrect chain (STAGING), instead of PRODUCTION:
# openssl x509 -in .getssl/sub.domain.com/sub.domain.com -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fa:6a:40:98:43:a4:6f:e3:15:2a:ea:1d:35:a3:24:a0:2a:b2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3
Validity
Not Before: Dec 16 07:38:45 2021 GMT
Not After : Mar 16 07:38:44 2022 GMT
So I tried to revoke the certificate, but it fails:
# ./getssl -r .getssl/sub.domain.com/sub.domain.com.crt .getssl/sub.domain.com/sub.domain.com.key
getssl: ACME server returned error: 404: "detail": "Certificate from unrecognized issuer",
#
To Reproduce
See above
Expected behavior
Revoked certificate.
Operating system (please complete the following information):
- OS: CentOS Linux release 7.9.2009 (Core)
- Bash Version: bash-4.2.46-35.el7_9.x86_64
@polatsinan You have requested a certificate from the staging CA. Staging is only for testing so you do not run into rate limits.
You need to change your CA variable in getssl.cfg to the production CA and re-run getssl. You can add that to your cfg for your subdomain or you will find it in the getssl.cfg in getssl install folder.
# The staging server is best for testing
#CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v02.api.letsencrypt.org"
Also, you should not revoke certificates except if they become compromised. That does not fix routine problems anyway and burdens the CA infrastructure with useless requests. A 'revoke' adds info to the cert and infrastructure - it does not 'remove' it.
@polatsinan the --revoke option doesn't use the config file and uses the production LetsEncrypt server unless you specify otherwise.
I'll add some code to detect if the certificate has been issued by the testing server and use that to revoke if it has.
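A check along the lines of what the maintainer describes, as an added example that is not getssl's own code: read the certificate's issuer with openssl and pick the matching ACME directory before revoking, refusing to guess when the issuer is not a Let's Encrypt CA (the function names and the issuer substrings matched are assumptions).

```shell
#!/usr/bin/env bash
# Added example (not getssl's own code): choose the ACME directory that matches
# the issuer of the certificate being revoked, so a staging-issued certificate is
# not sent to the production CA, which answers "Certificate from unrecognized
# issuer" as in the report above.

LE_PRODUCTION_CA="https://acme-v02.api.letsencrypt.org"
LE_STAGING_CA="https://acme-staging-v02.api.letsencrypt.org"

# select_revoke_ca ISSUER_LINE
# ISSUER_LINE is the output of `openssl x509 -noout -issuer`. Prints the ACME
# directory URL; returns 1 for an issuer we do not know, so the caller must pass
# the CA URL explicitly instead of guessing.
select_revoke_ca() {
  local issuer="$1"
  case "$issuer" in
    # Staging is checked first; its O= field carries the "(STAGING)" prefix.
    *"(STAGING) Let's Encrypt"*) printf '%s\n' "$LE_STAGING_CA" ;;
    # OpenSSL 1.1+ prints "O = Let's Encrypt", OpenSSL 1.0 prints "O=Let's Encrypt".
    *"O = Let's Encrypt"*|*"O=Let's Encrypt"*) printf '%s\n' "$LE_PRODUCTION_CA" ;;
    *) return 1 ;;
  esac
}

# cert_issuer CERT_FILE: issuer line of a PEM certificate (needs openssl).
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# revoke_ca_for_cert CERT_FILE: prints the URL to revoke against, or fails.
revoke_ca_for_cert() {
  local issuer
  issuer=$(cert_issuer "$1") || return 2
  select_revoke_ca "$issuer" || {
    printf 'unrecognised issuer "%s"; pass the CA URL explicitly\n' "$issuer" >&2
    return 1
  }
}
```

Wiring this into a revoke path means `getssl -r` would call `revoke_ca_for_cert "$CERT_FILE"` and abort, rather than default to production, when it returns non-zero.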
@polatsinan the --revoke option doesn't use the config file and uses the production LetsEncrypt server unless you specify otherwise.
Why doesn't it read the config file? It was rather confusing when I set the DEFAULT_REVOKE_CA in the config to Incommon and it was ignored. After looking through the code, I see I can explicitly specify a CA URL in the revoke command, but why list a config setting in the default file when it ignores it when you change it? I'd rather not have to specify the revoke URL every time, it would be nice for the setting to be honored.
Is there any reason the sections labeled
Test working directory candidates if unset. Last candidate defaults (~/getssl/)
if the "working directory" doesn't exist, then create it.
read any variables from config in working directory
couldn't be moved above the code that handles the revoke?
Thanks...