
Change default revocation method to account key for LetsEncrypt #4606

Closed
fabieu opened this issue Apr 19, 2023 · 4 comments

Comments

@fabieu

fabieu commented Apr 19, 2023

Steps to reproduce

acme.sh --issue --server letsencrypt -d debug.example.com
acme.sh --revoke -d debug.example.com

Since 21.09.2022 all Let's Encrypt requests for revocation which are authenticated using the private key of the certificate itself will result in the certificate being revoked with reason "keyCompromise". This also results in a "Let's Encrypt certificate revocation notice" being sent to the account holder.
Currently acme.sh uses domain key revocation first and will fall back to account key revocation if the request is not successful. Let's Encrypt will accept the domain key revocation, but will always flag the revocation as compromised. This is not an expected behaviour when revoking the certificate with a --revoke-reason other than 1.

Reference: https://community.letsencrypt.org/t/upcoming-changes-to-revocation-reasons/182953

All requests for revocation which are authenticated using the private key of the certificate itself will result in the certificate being revoked with reason "keyCompromise", regardless of the requested reason.
This is because use of the certificate private key for the purpose of authenticating an ACME API revocation request counts as a "demonstration of compromise", and the new requirements state that the CA MUST use reason "keyCompromise" when they "obtain verifiable evidence that the certificate subscriber’s private key... suffered a key compromise".

Proposed change:
Use account key revocation first and fallback to domain key revocation if this fails (maybe only for Let's Encrypt?)
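
An added example (not acme.sh's own code) that builds the two ACME revokeCert request shapes from RFC 8555 and applies a simulated Let's Encrypt policy, showing why the old cert-key-first order records keyCompromise for a reason-4 revocation while the proposed account-key-first order keeps the requested reason. The URLs, nonce, certificate bytes and JWK values are constructed placeholders.

```python
import base64

# RFC 5280 CRLReason codes accepted by ACME revokeCert (RFC 8555, section 7.6)
KEY_COMPROMISE = 1
SUPERSEDED = 4

# acme.sh before the fix tried the certificate key first; the issue asks for account key first.
OLD_ORDER = ("cert_key", "account_key")
NEW_ORDER = ("account_key", "cert_key")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_revoke_request(method, cert_der, reason, *, nonce, url, account_kid, cert_jwk):
    """Unsigned protected header and payload of an ACME revokeCert JWS.
    Account-key auth names the signer via 'kid'; certificate-key auth embeds
    the certificate's public key as 'jwk'. Signing is out of scope here."""
    protected = {"alg": "ES256", "nonce": nonce, "url": url}
    if method == "account_key":
        protected["kid"] = account_kid
    elif method == "cert_key":
        protected["jwk"] = cert_jwk
    else:
        raise ValueError(f"unknown method {method!r}")
    return {"protected": protected, "payload": {"certificate": b64url(cert_der), "reason": reason}}


def letsencrypt_recorded_reason(request):
    """Simulated Let's Encrypt policy (since 2022-09-21, per the linked post):
    a request signed with the certificate's own key counts as proof of compromise,
    so the recorded reason becomes keyCompromise whatever reason was requested."""
    if "jwk" in request["protected"]:
        return KEY_COMPROMISE
    return request["payload"]["reason"]


def revoke_with_fallback(order, reason, account_owns_cert=True):
    """Try each auth method in order; return (method used, reason the CA records).
    Simulated acceptance: account-key auth needs the issuing account, cert-key auth always works."""
    # Constructed stand-ins: not a real certificate, key, nonce or account URL.
    kwargs = dict(nonce="constructed-nonce", url="https://ca.example/acme/revoke-cert",
                  account_kid="https://ca.example/acme/acct/1",
                  cert_jwk={"kty": "EC", "crv": "P-256", "x": "constructed", "y": "constructed"})
    for method in order:
        req = build_revoke_request(method, b"constructed-der", reason, **kwargs)
        if method == "cert_key" or account_owns_cert:
            return method, letsencrypt_recorded_reason(req)
    raise RuntimeError("every revocation method was rejected")
```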

@Neilpang
Member

fixed, try again.

acme.sh --upgrade -b dev

@fabieu
Author

fabieu commented Apr 20, 2023

Looks good to me 👍🏻
Maybe we should add "Revoke error by account key." to the error output now. (f66a29d)

@fabieu
Author

fabieu commented Apr 20, 2023

Is there a foreseeable timeframe when this fix will be implemented in the stable branch?

@Neilpang
Member

done
