// revokeCertificateInner revokes the end-entity certificate held in c.
//
// The leaf (c.Certificates[0]) is parsed and mapped to the ACME endpoint that
// issued it. Revocation is then attempted with the certificate's own private
// key when one is stored with it; otherwise the account registered for that
// endpoint is used, which first requires authorizations for every name on the
// certificate (obtained via getRevocationAuthorizations). The second path is
// what makes revocation possible after a key has been lost or destroyed.
//
// Returns an error when c carries no certificate bytes, when the leaf does not
// parse, when no issuing endpoint can be determined, or when the account
// lookup, the authorization step or the revocation request itself fails.
func (r *reconcile) revokeCertificateInner(c *storage.Certificate) error {
	if len(c.Certificates) == 0 {
		// NOTE(review): this and the endpoint error below format the whole
		// *storage.Certificate with %v; confirm the rendered value is
		// acceptable in logs (nested pointer fields print as addresses).
		return fmt.Errorf("no certificates in certificate to revoke: %v", c)
	}

	// The first entry is treated as the end-entity (leaf) certificate.
	leafDER := c.Certificates[0]

	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}

	// Revocation has to be sent to the endpoint which issued the certificate.
	endpoint, err := acmeendpoints.CertificateToEndpoint(r.getGenericClient(), leaf, context.TODO())
	if err != nil {
		return fmt.Errorf("could not map certificate %v to endpoint: %v", c, err)
	}

	// Preferred path: the certificate's own private key proves control of the
	// certificate directly and needs no account-level authorizations.
	var key crypto.PrivateKey
	var client *acmeapi.Client
	if c.Key != nil {
		key = c.Key.PrivateKey
		client = r.getClientForDirectoryURL(endpoint.DirectoryURL)
	}
	if key != nil {
		return client.Revoke(leafDER, key, context.TODO())
	}

	// Fallback path: revoke with the account key. The ACME server only accepts
	// this when the account holds authorizations for all names on the
	// certificate, so those are obtained first.
	acct, err := r.getAccountByDirectoryURL(endpoint.DirectoryURL)
	if err != nil {
		return err
	}
	client = r.getClientForAccount(acct)

	if err := r.getRevocationAuthorizations(acct, leaf); err != nil {
		return err
	}

	// A nil key tells the client to sign the revocation with the account key.
	return client.Revoke(leafDER, nil, context.TODO())
}