
Revoking a certificate fails when using a different account than the one that originally created it #398

Open
bruncsak opened this issue Oct 10, 2022 · 1 comment

Comments


bruncsak commented Oct 10, 2022

I created a certificate with account A, but revoking the certificate with account B fails with the following error:
{
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "The certificate being revoked is not associated with account "1"",
"status": 403
}
(Of course, before trying to revoke, all required identifiers are authorized in account B.)
My interpretation of RFC 8555 is that using a different account should be a permitted way to revoke a certificate.
Is my interpretation incorrect?

@alexzorin (Contributor)

Reading RFC8555 there are two cases where Account B can revoke a certificate created by Account A:

  1. Account B is authorized for all of the identifiers in the certificate, or
  2. Account B submits a revocation request with the JWS signed by the private key of the certificate

Pebble implements (2) and I'm able to successfully revoke using that method with

certbot unregister -n
certbot revoke --cert-path /etc/letsencrypt/live/revoke.example.com/cert.pem \
               --key-path /etc/letsencrypt/live/revoke.example.com/privkey.pem -n

What you're hitting, I think, is that Pebble does not implement (1):

pebble/wfe/wfe.go, lines 2561 to 2565 in 087582e:

// RevokeCert revokes an ACME certificate.
// It currently only implements one method of ACME revocation:
// Signing the revocation request by signing it with the certificate
// to be revoked's private key and embedding the certificate
// to be revoked's public key as a JWK in the JWS.
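To make the two RFC 8555 revocation paths from the comment above concrete, here is an added Go example; it is not Pebble's code and not part of the issue. It contains a client-side builder for the section 7.6 revocation JWS in both the embedded-JWK form and the account-key `kid` form, the server-side check a server performs for the certificate-key method (2), and the per-identifier authorization check a server would need for method (1). The revoke-cert URL, the account URL and the self-signed test certificate are constructed placeholders, and nonce handling is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"reflect"
	"time"
)

// b64 is base64url without padding, the encoding JWS uses for every segment.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ecJWK renders a P-256 public key as the JWK members a revocation header embeds.
func ecJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64(x), "y": b64(y)}
}

// protectedHeader carries exactly one of "jwk" (certificate-key method) or "kid" (account-key method).
type protectedHeader struct {
	Alg string            `json:"alg"`
	URL string            `json:"url"`
	JWK map[string]string `json:"jwk,omitempty"`
	Kid string            `json:"kid,omitempty"`
}
type jws struct{ Protected, Payload, Signature string }

// newTestCert makes a constructed self-signed P-256 certificate for the given DNS names.
func newTestCert(names []string) (*ecdsa.PrivateKey, []byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// signRevocation builds the RFC 8555 section 7.6 body {"certificate": base64url(DER)} as an ES256 JWS.
// With embedJWK the signer's public key is embedded (method 2); otherwise the account URL goes in
// "kid" (method 1). Nonce handling is omitted and the URL is a constructed placeholder.
func signRevocation(signer *ecdsa.PrivateKey, certDER []byte, embedJWK bool, kid string) (jws, error) {
	hdr := protectedHeader{Alg: "ES256", URL: "https://acme.example/revoke-cert", Kid: kid}
	if embedJWK {
		hdr.JWK, hdr.Kid = ecJWK(&signer.PublicKey), ""
	}
	hb, _ := json.Marshal(hdr)
	pb, _ := json.Marshal(map[string]string{"certificate": b64(certDER)})
	digest := sha256.Sum256([]byte(b64(hb) + "." + b64(pb)))
	r, s, err := ecdsa.Sign(rand.Reader, signer, digest[:])
	if err != nil { return jws{}, err }
	// ES256 signatures are the raw R||S concatenation, each left-padded to 32 bytes.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return jws{b64(hb), b64(pb), b64(sig)}, nil
}

// verifyCertKeyRevocation is the server-side check for method 2 only: the header must embed a JWK
// equal to the public key inside the certificate being revoked, and the signature must verify under
// that key. A "kid"-only request fails the JWK comparison and is refused, as the thread says Pebble does.
func verifyCertKeyRevocation(req jws) (*x509.Certificate, error) {
	dec := base64.RawURLEncoding.DecodeString
	hb, err1 := dec(req.Protected)
	pb, err2 := dec(req.Payload)
	sig, err3 := dec(req.Signature)
	var hdr protectedHeader
	var body struct{ Certificate string `json:"certificate"` }
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &body) != nil {
		return nil, errors.New("malformed: not a well-formed ES256 JWS")
	}
	der, err := dec(body.Certificate)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !reflect.DeepEqual(hdr.JWK, ecJWK(pub)) {
		return nil, errors.New("unauthorized: request is not signed with the certificate's own key pair")
	}
	digest := sha256.Sum256([]byte(req.Protected + "." + req.Payload))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("unauthorized: signature does not verify under the certificate key")
	}
	return cert, nil
}

// accountAuthorizedForCert is the check behind method 1, the one the thread says Pebble lacks: the
// revoking account must hold valid authorizations for every identifier in the certificate.
func accountAuthorizedForCert(cert *x509.Certificate, authorized map[string]bool) bool {
	ok := len(cert.DNSNames) > 0
	for _, name := range cert.DNSNames {
		ok = ok && authorized[name]
	}
	return ok
}
```

Running the two checks side by side shows the reporter's symptom from the server's side: a request whose header carries only a `kid` never reaches a key comparison and is refused as unauthorized, even when the account holds valid authorizations for every name in the certificate, because nothing on the method (2) path ever consults `accountAuthorizedForCert`. A JWS signed with the certificate's own key and carrying that key as `jwk` is accepted.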
