Certificate revoked error

Are we having this issue again -- [Revocation Issues with CRL for R3 (was: r3.o.lencr.org) - #10 by dalgibbard](https://Revocation issues with CRL for R3)

I have my "snap install" commands failing on Ubuntu boxes. They fail connecting to the site https://canonical-lcy01.cdn.snapcraftcontent.com

While some clients are fine (Edge on Win10) by Firefox on Win10 gives a certficate revoked error and SSLLabs gives a grade F saying it is revoked by r3.o.lencr.org

1 Like

Hi @paulraines68 and welcome to the LE community forum!

The issue you linked was with OCSP responses not being available/the CRL being unavailable or expired.

The specific error you're seeing about https://canonical-lcy01.cdn.snapcraftcontent.com is not related to any of that, but the site's certificate is actually revoked.

As for why it's revoked (or why it's still serving a revoked certificate), well I can't answer that. But it is definetly something the site operator has to fix (the certificate was revoked about 3 weeks ago).

[Another interesting find: There is a new certificate for that domain, here, issued by DigiCert, but it is apparently not served by the server(s). The site operator may have intended to replace the LE certificate with this one, but failed to do so]

4 Likes

Okay, thanks

3 Likes

It is? crt.sh disagrees: crt.sh | 5272338295 OCSP is "good", CRLs say "Not revoked"? Manual OCSP also says "Good". Or do I not understand your post correctly?

Or did they change the certificate in the last few hours? That's sneaky! https://crt.sh/?id=5058682248&opt=ocsp is revoked indeed.

4 Likes

Yes, when I wrote that post, this was the certificate being served. The DigiCert-cert already existed, but wasn't send by the server.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.