Apple devices say certificate is revoked, windows ok

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: doc.intelair.com

I ran this command: no command, just upgraded hudu as far as I know

It produced this output: nothing

My web server is (include version):

The operating system my web server runs on is (include version): CentOS Linux 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): no

On Windows devices there are no warnings!
But on any Apple device I can't even log in, it blocks me:
"You cannot visit doc.intelair.com right now because its certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later."

I wanted to renew the cert to see if it helped, but since it's not expiring it won't let me.
Do you see anything wrong with our cert? Thanks!

If I try to renew the cert I get this:

[root@documentation hudu2]# docker exec -it letsencrypt /app/le-renew.sh
<------------------------------------------------->
<------------------------------------------------->
cronjob running on Mon Aug 8 16:07:57 UTC 2022
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/doc.intelair.com.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/doc.intelair.com/fullchain.pem expires on 2022-09-26 (skipped)
No renewals were attempted.
No hooks were run.


Apple is correct, your certificate for doc.intelair.com with serial 04:b1:f4:ee:69:0d:aa:28:d0:94:b0:6d:63:88:0c:38:c6:bd is indeed revoked. See crt.sh | 7020161090 where you can see the OCSP response in the second table.

You've already renewed your certificate looking at the history for your hostname: crt.sh | doc.intelair.com

See: crt.sh | 7254943039

I have absolutely NO idea what kind of Docker stuff you're running, but please make sure your webserver is using the most recently issued cert by Certbot, assuming that most recent certificate is the one issued just 6 days ago.


Oh wow, OK, no idea how it got revoked ... is there a way to fix it?

There is no "undo" to the revoke status.
Just use the newer cert.


Sorry, I am covering for my colleague and have no idea what happened ...
He seems to use Docker to renew, and the version is linuxserver/letsencrypt:1.2.0-ls95

He does the command docker exec -it letsencrypt /app/le-renew.sh
to renew.

What do you suggest I do? Find a way to delete and redo a cert?
Sorry for being such a newbie!!

No, there should be a perfectly fine, recently issued certificate present. Usually one would run the command sudo certbot certificates to view all certificates stored in Certbot, but I have absolutely no idea how to even begin to explain how to do that when using such relatively "custom" setups.

Also note that the Docker image you seem to be using is deprecated: Docker

Find out how Certbot is being run (e.g. by looking at the source code for the image linuxserver/letsencrypt), check if Certbot has the most recently issued cert (August 2nd) available, check if the webserver is properly configured to use that certificate and perhaps reload the webserver if that hasn't been done already.

Looking at the revocation date and time (2022-08-02 22:15:04 UTC) of the old cert and the issuance date and time (2022-08-02 22:18:34 UTC) of the new cert, the revocation was done while the new one was being issued. No idea if this was a manual step or done automatically by a poorly written script.

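The checks the two replies above ask for (is the web server presenting the certificate Certbot issued most recently, which certificates does Certbot have in its archive, and what does the issuer's OCSP responder say about the one being served, which is the question Apple's client is asking) can be done with the openssl CLI. The script below is an added example, not code from this thread or from the linuxserver/letsencrypt image. It assumes the openssl command is installed and uses Certbot's default directory layout (live/<name>/cert.pem is a symlink to the newest archive/<name>/certN.pem, chain.pem is its issuer chain); inside that container the prefix may differ, so adjust the paths to wherever le-renew.sh keeps its files.

```shell
#!/bin/sh
# Added example (not part of the thread). Requires the openssl CLI.
# Certbot default layout assumed:
#   /etc/letsencrypt/live/<name>/cert.pem   -> newest issued leaf cert
#   /etc/letsencrypt/live/<name>/chain.pem  -> issuer chain for OCSP checks
#   /etc/letsencrypt/archive/<name>/certN.pem -> every cert ever issued

# Serial number of a PEM certificate as lowercase hex without colons,
# the form crt.sh and Apple's error details can be compared against.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f'
}

# Fetch the leaf certificate a live server presents for a hostname (SNI).
# Writes PEM to stdout. Needs network access, so it is not used offline.
fetch_served_cert() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509
}

# Compare a served certificate (PEM file) with the one Certbot considers
# current. Returns 0 if the serials match, 1 if the server still presents
# an older certificate and needs a reload.
check_served_matches_live() {
    served=$1; live=$2
    s_served=$(cert_serial "$served"); s_live=$(cert_serial "$live")
    if [ "$s_served" = "$s_live" ]; then
        echo "OK: server presents the current Certbot cert (serial $s_served)"
        return 0
    fi
    echo "MISMATCH: server presents serial $s_served, Certbot's current cert is $s_live"
    echo "          reload or restart the web server so it loads $live"
    return 1
}

# List every certificate in a Certbot archive directory with its serial and
# validity window, so a revoked serial reported by a client can be located.
list_archive() {
    for f in "$1"/cert*.pem; do
        [ -f "$f" ] || continue
        printf '%s serial=%s %s %s\n' "$f" "$(cert_serial "$f")" \
            "$(openssl x509 -in "$f" -noout -startdate)" \
            "$(openssl x509 -in "$f" -noout -enddate)"
    done
}

# Ask the issuer's OCSP responder about a certificate. Prints good, revoked
# or unknown. Returns 0 for good, 1 for revoked, 2 when no status could be
# obtained (no OCSP URI, e.g. a self-signed cert, or responder unreachable).
ocsp_status() {
    cert=$1; issuer=$2
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$uri" ]; then
        echo "unknown: no OCSP URI in certificate"
        return 2
    fi
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" 2>&1)
    case "$out" in
        *": revoked"*)
            echo "revoked"
            echo "$out" | grep -E 'Reason|Revocation Time'
            return 1 ;;
        *": good"*)
            echo "good"
            return 0 ;;
        *)
            echo "unknown"
            echo "$out" | head -n 5
            return 2 ;;
    esac
}

# Typical use on the host from the thread (network required):
#   fetch_served_cert doc.intelair.com > /tmp/served.pem
#   check_served_matches_live /tmp/served.pem /etc/letsencrypt/live/doc.intelair.com/cert.pem
#   ocsp_status /tmp/served.pem /etc/letsencrypt/live/doc.intelair.com/chain.pem
#   list_archive /etc/letsencrypt/archive/doc.intelair.com
```

If check_served_matches_live reports a mismatch, the fix is the one the replies give: point the web server at the newer files (or reload it if it already points at the live/ symlinks) rather than issuing yet another certificate. Clients differ in whether they consult OCSP at all, which is why the same revoked certificate can pass on one platform and be blocked on another; ocsp_status asks the responder directly, so its answer does not depend on the client.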

What Osiris means by this: you should only revoke a certificate if a key has been compromised. You should NOT revoke a certificate when a new one is issued. You also should not delete a certificate when it is replaced by a newer one, because it can be used as a fallback until it expires.

