Apple not reading new certificate after previous Certificate Revoked

I moved a client over to my own AWS instance from another AWS instance - so revoked the SSL cert on that instance and reissued it on my one. But the site is now claiming that the certificate us untrusted - working on some devices and not on others - ie Apple and some browsers. It is showing as certificate valid on android chrome.

My domain is:https://www.hello-chef.co.za/

I ran this command: sudo certbot certonly --agree-tos --email info@hello-chef.co.za --webroot -w /var/lib/letsencrypt/ -d hello-chef.co.za -d www.hello-chef.co.za

It produced this output: Would you like to renew or keep the same certificate? I said option 2 for renew.

WhatsApp Image 2020-08-03 at 12.30.34777×700 102 KB

My web server is (include version): https://www.hello-chef.co.za/

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: AWS EC2 EU -Ireland

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No - SSH or AWS console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

How do I get around this? Previous users cannot access the site at all. Only some new users can.

Hi @umvahed

why? Revoking is wrong if the private key isn't stolen. Please stop that.

Then the result is expected. certonly doesn't install the certificate, so you use the old certificate. And Chrome doesn't complain if a certificate is revoked.

Checked your domain via https://check-your-website.server-daten.de/?q=hello-chef.co.za#certificates - yep, there is the revoked certificate used:

	CN=hello-chef.co.za
	26.06.2020
	24.09.2020
expires in 51 days	hello-chef.co.za, www.hello-chef.co.za - 2 entries
...
Revoked: The certificate is revoked.

Install one of the new created certificates, you have two:

Then restart your server.

PS: Terrible. Sslshopper doesn't check if the certificate is revoked. There is the 51-days certificate shown - valid. No, it's not valid, it's revoked.

Common name: hello-chef.co.za
SANs: hello-chef.co.za, www.hello-chef.co.za
Valid from June 26, 2020 to September 24, 2020
Serial Number: 034cb5c7150d1d059856df85adc66cd0bab3
Signature Algorithm: sha256WithRSAEncryption
Issuer: Let's Encrypt Authority X3

Thanks JuergenAuer,

How do I do that on Ubuntu? Is there any specific commands to remove one of them and keep the other?

First timer here - sorry.

Why do you use certonly? Let Certbot install the certificate.

It's not a question of your OS, it's a question of your working or not working webserver configuration.

You can see what certificates you currently have with:

sudo certbot certificates

Your Apache configuration will have been configured with SSLCertificateFile and SSLCertificateKeyFile which correspond to the Certificate Path and Private Key Path that appear in the list, respectively.

You can update your Apache configuration to use the certificate that you want to use.

You need to make sure that you reload Apache after a certificate is renewed or replace, or else Apache won’t read it.

You can also ask Certbot to do that configuration and reload for you:

sudo certbot install --apache --cert-name <name from the list>

If @umvahed is the proper owner of the hostname and he/she can't be sure the private key on the previous AWS instance (which sounds like some kind of shared instance looking at the specific mentioning of "my own instance" for the new AWS instance) won't be misused, I think it's a good practice to revoke the previous certificate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.