API: Get Payload for revocation as byte[] #2226
-
Hi, would it be feasible to implement a method that returns the payload of a revocation request (maybe plus the URL)? The goal is to have a pre-crafted revocation request available in case of an emergency, if the server is down and the backup of the key is unavailable. (Just let me know if I missed something fundamental, but as far as I can see, the payload of the revocation request can be generated and used later if necessary.) Kind regards, Falko
Replies: 2 comments 2 replies
-
Hi. Technically, I do not think that request signatures are timestamped, so it can be possible (by RFC I mean). But lego doesn't expose raw calls to the API: the internal design is not made to "play" or "replay" a raw request. Without the key, it will not be possible to use the API of lego. I think it's better to improve the backup of your key to ensure you have an available copy.
-
Just to provide a little context: the intended use is for bigger installations at sites that probably have some bureaucracy-driven requirements on how to store the key pair and how to store the revocation information.
I understand but lego is not a raw HTTP request recorder/player: lego is not made to do that (the key is on the API client, not a method parameter, and the internal client cannot be exposed due to requirements to other elements).
But technically you can do it with lego by using a custom HTTP client or the fake ACME server to record the request body and replay it by using a simple HTTP client.
Also, I have some doubts about the reality of dumping a request and replaying it, because the signature system uses a "fresh anti-replay nonce" shared with the server https://www.rfc-editor.org/rfc/rfc8555.html#section-7.2
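To make the anti-replay point concrete, here is an added Go example (not lego's code) of the JWS binding RFC 8555 section 6.2 requires and the check an ACME server performs on it: the nonce sits in the signed protected header, and the server consumes each nonce exactly once. The `NonceStore`, account URL and payload are constructed stand-ins; a real server also checks `url` against the endpoint and `kid` against the account.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

var b64 = base64.RawURLEncoding
// NonceStore stands in for the server's pool of unused nonces (assumed; not lego's code).
type NonceStore map[string]bool
// NewKey creates a P-256 account key, the kind an ACME client signs requests with.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign produces a flattened ES256 JWS (raw r||s signature) whose protected header binds the request to a nonce and URL.
func Sign(key *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (map[string]string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "nonce": nonce, "url": url})
	p, b := b64.EncodeToString(hdr), b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(p + "." + b))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return nil, err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return map[string]string{"protected": p, "payload": b, "signature": b64.EncodeToString(sig)}, nil
}

// Verify mirrors the server: check the signature, then consume the nonce once. A recorded request replayed later fails with badNonce.
func Verify(pub *ecdsa.PublicKey, store NonceStore, jws map[string]string) error {
	hdr, errH := b64.DecodeString(jws["protected"])
	sig, errS := b64.DecodeString(jws["signature"])
	var pr map[string]string
	if errH != nil || errS != nil || len(sig) != 64 || json.Unmarshal(hdr, &pr) != nil {
		return errors.New("malformed request")
	}
	h := sha256.Sum256([]byte(jws["protected"] + "." + jws["payload"]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	if !store[pr["nonce"]] {
		return errors.New("urn:ietf:params:acme:error:badNonce")
	}
	delete(store, pr["nonce"]) // single use
	return nil
}
```

A stored request therefore works at most once, and only while its nonce is still unused on the server; swapping in a fresh nonce without the account key invalidates the signature.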