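// revokeCertificateInner revokes the end-entity certificate stored in c
// (c.Certificates[0]) at the ACME endpoint that issued it.
//
// ACME accepts a revocation request signed either by the certificate's own
// private key or by an account key holding valid authorizations for every name
// on the certificate. The private key is preferred when c carries one;
// otherwise the account registered for the issuing directory is used and the
// required authorizations are obtained first via getRevocationAuthorizations.
//
// Returns an error if c is nil or holds no certificate, if the end-entity
// certificate cannot be parsed, if it cannot be mapped to an endpoint, or if
// the account lookup, the authorization step or the revocation request fails.
func (r *reconcile) revokeCertificateInner(c *storage.Certificate) error {
	// Guard the nil pointer as well as the empty chain so a missing record
	// yields an error instead of a nil-dereference panic.
	if c == nil || len(c.Certificates) == 0 {
		return fmt.Errorf("no certificates in certificate to revoke: %v", c)
	}

	// The end-entity certificate is the first element of the chain.
	endCertificate := c.Certificates[0]
	crt, err := x509.ParseCertificate(endCertificate)
	if err != nil {
		return fmt.Errorf("could not parse certificate to revoke: %v", err)
	}

	// Locate the ACME endpoint which issued this certificate; the revocation
	// has to be sent to the issuer's directory.
	// NOTE(review): no deadline/cancellation is applied to the network calls
	// below (context.TODO()); thread a caller-supplied ctx through if one exists.
	endpoint, err := acmeendpoints.CertificateToEndpoint(r.getGenericClient(), crt, context.TODO())
	if err != nil {
		// NOTE(review): formatting the whole *storage.Certificate with %v is
		// assumed not to print key material (fmt renders nested pointers as
		// addresses) — confirm, or format a stable identifier of c instead.
		return fmt.Errorf("could not map certificate %v to endpoint: %v", c, err)
	}

	var (
		client        *acmeapi.Client
		revocationKey crypto.PrivateKey
	)

	// Prefer the certificate's own private key: it proves control of the
	// certificate and needs no account authorizations. Test the key itself,
	// not only the Key record, so a record without key material falls through
	// to the account path without first building an unused client.
	// NOTE(review): this does not check that c.Key.PrivateKey actually
	// corresponds to crt's public key; a mismatch surfaces as a rejected
	// Revoke rather than falling back to the account path.
	if c.Key != nil && c.Key.PrivateKey != nil {
		revocationKey = c.Key.PrivateKey
		client = r.getClientForDirectoryURL(endpoint.DirectoryURL)
	}

	if revocationKey == nil {
		// No private key: use the account registered for this directory. It
		// must hold authorizations for all names on the certificate, so obtain
		// them before sending the revocation request.
		acct, err := r.getAccountByDirectoryURL(endpoint.DirectoryURL)
		if err != nil {
			return err
		}
		client = r.getClientForAccount(acct)
		if err := r.getRevocationAuthorizations(acct, crt); err != nil {
			return err
		}
	}

	// With a private key, revocationKey signs the request; on the account
	// path revocationKey is nil and the request goes through the account's
	// client (presumably signed by the account key — see acmeapi.Client.Revoke).
	return client.Revoke(endCertificate, revocationKey, context.TODO())
}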