v2.8.0 changed its behavior when certs are revoked.
My Pebble integration test:
- creates a certificate
- downloads the certificate
- revokes the certificate
- tries to download it again (expecting an error)
- tries to revoke it again (expecting an error)
Before v2.8.0 the integration tests worked like that.
Starting with v2.8.0, after revocation of a certificate, it can still be downloaded and revoked again.
Is this change intentional, or is it a regression?
Integration test log extract from acme4j follows.
Revocation is successful:
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - POST https://localhost:14000/revoke-cert
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - Payload: {"certificate":"MIIDGzCCAgOgAwIBAgIIaedob34qfKAwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UEAxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxNDMwZDQwHhcNMjUwNjA3MTY0OTQyWhcNMjUwNjI3MTY0OTQyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArpUKxElX6BvMS4r5B-_DxOK0RbhzGo7baXTdzC2-GcZ_KVg3wEDJocm49YGE5Wr0AWSGxA_NjjiU8nvE7PlEDI_aGlueOxsfJDcepsyi8pen_Y1YpvKh0hdc1FHCQ-5HvaIyJQce2ylbZed_w15TWYhHxhgbWOmkzfkC3o5jDfSeV2SUuearxVWqptbtFT79sVkPWwZodoMfTWvfa2pzoQzipabifFzhvO-HVIcy0kzFhMJ9O2kcuzH481ARLkirAQJn7-Mo5PPc5UG9FfU4RKMwGsetNKQXu9l-KjovXDFl0o0pbKfeHuSacLjp7AK-FioMTs-XOp9m0xRdQFBE3QIDAQABo3EwbzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH_BAIwADAfBgNVHSMEGDAWgBTvUTK3kksXLgaDDvIXspGDRCfYljAZBgNVHREBAf8EDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAFqRhtupYLPvOX8y4J1rzq73lOUYeKOc9zT0qS1h6NRiRJYyqtQkIoODsFLbSgc6Q-QdGybodwN1guArFII0GoDEtAIruvCQ14Z4927UV1CPFRhMj5AJgP3ZxzwBClLF04o54IENCXiPk5FcVsvrUrfN4Bqy8Pwaustt5ubE2yahS7Pw7oqMgkjxgUbMzVGlE0Pi4HtuqE_yQlybbjffC6RyN3xaH8v4M3XE2bOW_UiLr3QuGUBJydF2vKWJHAW8bUOkXCAm0Y4BY0lFnHa0RbQYK5MMC4AEcRhpY0h1bx2eI0LERBmSr0g6aJ_LdNhgoxVTEvGCl4aoEMAag3l9-yg","reason":1}
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - JWS Header: {"url":"https://localhost:14000/revoke-cert","kid":"https://localhost:14000/my-account/236345b57ff15271","nonce":"yPyXXMBNaT0hVKrqQ8LKNg","alg":"RS256"}
[main] DEBUG org.shredzone.acme4j.connector.DefaultConnection - HEADER :status: 200
Download after revocation is successful (expected HTTP 404):
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - POST-as-GET https://localhost:14000/certZ/69e7686f7e2a7ca0
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - JWS Header: {"url":"https://localhost:14000/certZ/69e7686f7e2a7ca0","kid":"https://localhost:14000/my-account/236345b57ff15271","nonce":"D9ZxxOZvK26vq7N66uqgAg","alg":"RS256"}
[main] DEBUG org.shredzone.acme4j.connector.DefaultConnection - HEADER :status: 200
Second revocation is successful (expected ACME problem "already revoked"):
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - POST https://localhost:14000/revoke-cert
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - Payload: {"certificate":"MIIDGzCCAgOgAwIBAgIIaedob34qfKAwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UEAxMdUGViYmxlIEludGVybWVkaWF0ZSBDQSAxNDMwZDQwHhcNMjUwNjA3MTY0OTQyWhcNMjUwNjI3MTY0OTQyWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArpUKxElX6BvMS4r5B-_DxOK0RbhzGo7baXTdzC2-GcZ_KVg3wEDJocm49YGE5Wr0AWSGxA_NjjiU8nvE7PlEDI_aGlueOxsfJDcepsyi8pen_Y1YpvKh0hdc1FHCQ-5HvaIyJQce2ylbZed_w15TWYhHxhgbWOmkzfkC3o5jDfSeV2SUuearxVWqptbtFT79sVkPWwZodoMfTWvfa2pzoQzipabifFzhvO-HVIcy0kzFhMJ9O2kcuzH481ARLkirAQJn7-Mo5PPc5UG9FfU4RKMwGsetNKQXu9l-KjovXDFl0o0pbKfeHuSacLjp7AK-FioMTs-XOp9m0xRdQFBE3QIDAQABo3EwbzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH_BAIwADAfBgNVHSMEGDAWgBTvUTK3kksXLgaDDvIXspGDRCfYljAZBgNVHREBAf8EDzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAFqRhtupYLPvOX8y4J1rzq73lOUYeKOc9zT0qS1h6NRiRJYyqtQkIoODsFLbSgc6Q-QdGybodwN1guArFII0GoDEtAIruvCQ14Z4927UV1CPFRhMj5AJgP3ZxzwBClLF04o54IENCXiPk5FcVsvrUrfN4Bqy8Pwaustt5ubE2yahS7Pw7oqMgkjxgUbMzVGlE0Pi4HtuqE_yQlybbjffC6RyN3xaH8v4M3XE2bOW_UiLr3QuGUBJydF2vKWJHAW8bUOkXCAm0Y4BY0lFnHa0RbQYK5MMC4AEcRhpY0h1bx2eI0LERBmSr0g6aJ_LdNhgoxVTEvGCl4aoEMAag3l9-yg"}
[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - JWS Header: {"url":"https://localhost:14000/revoke-cert","kid":"https://localhost:14000/my-account/236345b57ff15271","nonce":"xqIlm1oyAYskARYmU6__QA","alg":"RS256"}
[main] DEBUG org.shredzone.acme4j.connector.DefaultConnection - HEADER :status: 200
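The check this report performs by hand, as an added example that is not part of the original report or of acme4j/Pebble: it reads acme4j debug log lines in the format shown above, extracts the serial number from each `revoke-cert` payload, and flags any later 2xx response for the same certificate. The function names are hypothetical, and it assumes the certificate URL ends in the hex serial, as it does in this log.

```python
import base64, json, re

def cert_serial_hex(b64url_der):
    """Hex serial of a base64url DER certificate (reads only the leading TLVs)."""
    der = base64.urlsafe_b64decode(b64url_der + "=" * (-len(b64url_der) % 4))
    pos = 0
    def header():
        nonlocal pos
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        return tag, length
    header()  # Certificate SEQUENCE
    header()  # TBSCertificate SEQUENCE
    tag, length = header()
    if tag == 0xA0:  # explicit [0] version field, skipped
        pos += length
        tag, length = header()
    if tag != 0x02:
        raise ValueError("serial INTEGER not found")
    return der[pos:pos + length].hex()

REQ = re.compile(r"JoseUtils - (POST-as-GET|POST) (\S+)")
PAYLOAD = re.compile(r"JoseUtils - Payload: (\{.*\})")
STATUS = re.compile(r"HEADER :status: (\d+)")
def post_revocation_successes(log_lines):
    """(method, url, status) of 2xx requests on a revoked cert; assumes cert URL ends in hex serial."""
    revoked, findings, req = set(), [], None
    for line in log_lines:
        if m := REQ.search(line):
            req = {"method": m[1], "url": m[2], "serial": m[2].rsplit("/", 1)[-1]}
        elif (m := PAYLOAD.search(line)) and req and req["url"].endswith("/revoke-cert"):
            req["serial"] = cert_serial_hex(json.loads(m[1])["certificate"])
        elif (m := STATUS.search(line)) and req:
            if 200 <= int(m[1]) < 300:
                if req["serial"] in revoked:
                    findings.append((req["method"], req["url"], int(m[1])))
                elif req["url"].endswith("/revoke-cert"):
                    revoked.add(req["serial"])
            req = None
    return findings

# Constructed sample: same request sequence as the log above, certificate cut to its first 32 characters.
P = "[main] DEBUG org.shredzone.acme4j.toolbox.JoseUtils - "
OK200 = "[main] DEBUG org.shredzone.acme4j.connector.DefaultConnection - HEADER :status: 200"
REVOKE = [P + "POST https://localhost:14000/revoke-cert",
          P + 'Payload: {"certificate":"MIIDGzCCAgOgAwIBAgIIaedob34qfKAw"}', OK200]
SAMPLE = REVOKE + [P + "POST-as-GET https://localhost:14000/certZ/69e7686f7e2a7ca0", OK200] + REVOKE
```

On `SAMPLE`, `post_revocation_successes` returns both the repeated download and the repeated revocation; a log where those two requests fail returns an empty list.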