Certificate says revoked in FF and Mobile, but fine on others

My domain is: https://www.flat-bags.com

The certificate shows as valid in all external checks

But when I try to load on Firefox on Mac I get:
This website does not supply ownership information.

On iPhone, on multiple phones/locations, in Chrome I get:
NET::ERR_CERT_REVOKED

It is hosted on Lightsail, on a Bitnami Ubuntu WordPress Apache stack.

I can login to a root shell on my machine: YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Bitnami HTTPS Configuration Tool 1.1.1 --- Built on 2023-03-01 12:34:08 IB: 23.1.0-202301121337

I tried renewing the certificate using the bncert tool, but did not see any change. Can someone please give me some insight as to why this would be happening and possible path to resolution?

I am semi-knowledgeable about SSL, but very adept at sysops/devops/web dev, so please be as technical as possible in your suggestions.

Your certificate is definitely revoked. Here is more confirmation (SSL Checker link)

Not all browsers check the OCSP response, which explains the variance.

I am not an expert at bncert, but I would have thought it would check the OCSP response, see it's revoked, and renew it. But you may have to do a one-time force renewal.

The page below has a topic about resetting certs which might work.
https://docs.bitnami.com/aws/how-to/understand-bncert/#certificates-not-renewed-automatically

7 Likes

The real problem is: why is it revoked?
It isn't marked keyCompromise, so it was triggered by the ACME account that signed it, or by someone else confirming control of the domains it is valid for; but you'd be aware of it if you did that.
And the renewal record in crt.sh looks weird: 2023-02-12 to 2023-05-13 is a wildcard, but the current revoked one just covers the base and www subdomain.

6 Likes

Hi @MikeMcQ - thanks for the confirmation link and the suggestion.

As was mentioned in the second comment, I still have no idea why it was revoked, and why renewing it with the bncert tool does nothing even though it says it was renewed.

I wanted the bncert tool to automatically renew every couple months as it creates a cron job to do so. I am not clear how to retain that auto-renewal when using the steps provided in your link, as it shows a different process than I used.

Do you or anyone else have some further insight here, please?

How can I tell the reason why it was revoked?
How can I re-use the bncert tool so the domain will auto-renew?

1 Like

What process did you use? Here is the AWS docs for Lightsail / Bitnami / Wordpress for bncert
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-enabling-https-on-wordpress

We see a wildcard cert and a non-wildcard in your history. bncert only supports non-wildcard so you must have used different processes at different times. One set of AWS docs has you use certbot in manual mode to get a wildcard cert. Did you do that before?

Did you try resetting the cert per the bncert docs?

4 Likes

Well, I'm pretty sure it happened on that system which has your ACME account key. If it were signed by the certificate private key, Let's Encrypt should have marked the revoke reason as keyCompromise. If it were signed by a different ACME account which had also demonstrated ownership over your domain name, then Let's Encrypt should have marked it as cessationOfOperation. Since it's neither of those (it looks to not have a reason at all), then that means that it was from the same account key as had issued the certificate in the first place.

So I'd suggest looking through logs on that machine to see if you can figure out what might have been running on 2023-07-12 at 14:05:30 UTC when it got revoked.

5 Likes

Hi @MikeMcQ - Yes, that is the process I used.

"We see a wildcard cert and a non-wildcard in your history."

I moved the site to AWS in July 2022, I renewed it twice manually, then in February 2023 I renewed using the process provided by the AWS docs you linked to. In May, it expired even though the bncert tool was supposed to auto renew it. So, I renewed it again in May using the same process.

Now, two months later, it says revoked but with no reason.

I am trying to understand what @petercooperjr is trying to convey to me, but the jargon is hard to follow as I am completely new at this process. Is he saying that my server was hacked, or ????

I chose lightsail/bncert method because it looked like a set-it-and-forget-it process. Doesn't seem to be that.

Are there any bncert technicians in this forum who could give some greater visibility on what their tool is doing, and how it may have failed here?

I'm reviewing this article now to see that all is configured ok:

https://docs.bitnami.com/aws/how-to/understand-bncert/#certificates-not-renewed-automatically

We are not a general bncert support forum. And, we don't see many problems with it here. Usually we see problems because people use that outdated Certbot doc from AWS and once they use bncert it works.

Again, though, did you try the "reset" section from that link I provided earlier?

Resetting The Certificates

In case the certificate generation process fails and/or you wish to reset the certificates for any reason, follow the steps below:

As for revocation, could you have gotten this prompt and said "yes" some time back?

  • If an existing certificate already exists, but it is associated to different domains, you will be asked if it should be revoked and a new certificate be generated with Let’s Encrypt.

From:
https://docs.bitnami.com/aws/how-to/understand-bncert/

5 Likes

Hi @MikeMcQ - Thanks for the excellent tips.

It seems that there was a problem with the auto-renewal, indeed. I am still unsure why, as I went through the troubleshooting steps and there were no apparent issues to be addressed.

I had tried to do the steps previously re: resetting the certificates, and doing so completely disabled the site and caused Apache to not be able to restart, so that was when I restored the settings in the conf file and posted here.

Today, when I tried the same steps, I only went so far as to remove the cron job entry. Then, I tried re-running the bncert tool, and IT WORKED! (not sure why it did not before, but today, it did)

So, the immediate problem resolved, I am still concerned that the same thing will happen in two months when the cron job tries to auto-renew again. Are you aware of any process to test that the auto-renewal is indeed working via cron? Here is the cron entry:

7 22 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="[redacted]" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=www.flat-bags.com --user-agent bitnami-bncert/1.1.1 renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful # bncert-autorenew

Can you please help me understand how would I modify it so that:

  1. I can run it immediately to test it, without affecting the renewal in 2 months from now
  2. If it fails, it actually lets me know by email, which did not happen before

1 Like

You could try adding the 'days' option to the cron job's renew command to trick it into renewing early. Be sure to remove that after your test, or you'd get rate limited by Let's Encrypt.

See:
https://go-acme.github.io/lego/usage/cli/renew-a-certificate/

You can check the cert used by your server with a site like this

And, you can review your system logs to verify the cron job ran and possible output. I don't know where that is in bitnami but I'm sure their forum or docs would say if you don't know.

As for reporting errors, I'm not sure how bncert (lego) handles output. The Let's Encrypt system sends (with just best effort) an email to you 20 days before expiry and again at 7 days before, warning you of possible trouble (link here).

Your best option though if you can't get immediate results from the cron renewal failure is to use a monitoring system to check your certs daily. This confirms more than just cert renewal in that it also ensures your server is using it properly. There are many such monitoring services.

5 Likes
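An added example that ties the thread's advice together: checking what the server actually serves and what the issuer's OCSP responder says about it (the "not all browsers check OCSP" point, and the "how can I tell the reason" question, since the responder returns a Revocation Reason when one was recorded), testing a renewal before the cron job's next run, and making a cron failure visible instead of silent. This is not code from the original posts, nor from Bitnami, lego or Let's Encrypt. It assumes openssl is installed; the certificate it checks offline is a constructed self-signed throwaway standing in for the live one; the lego command line is the one from the cron entry above with `--days` added; `www.example.test`, the `CHECK_HOST` variable and the temp paths are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not Bitnami/lego code). Assumes openssl in PATH.
# Only live_cert_status needs network; everything else runs offline.
set -eu

# Return 0 if the PEM certificate $1 is still valid for at least $2 more days.
# openssl's -checkend takes seconds and exits 1 when expiry is that close,
# which is the same decision lego's --days threshold makes before renewing.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Status the way a strict client (Chrome on iOS, Firefox) sees it: fetch the
# chain the server actually serves, then ask the issuer's OCSP responder.
# Prints "Cert Status: good|revoked|unknown" and, when the CA recorded one,
# "Revocation Reason: ...". Network only; the offline demo never calls it.
live_cert_status() {  # $1 = hostname
    d=$(mktemp -d)
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | awk -v d="$d" '/BEGIN CERT/{n++} {print > (d "/chain" n ".pem")}'
    uri=$(openssl x509 -in "$d/chain1.pem" -noout -ocsp_uri)
    openssl ocsp -issuer "$d/chain2.pem" -cert "$d/chain1.pem" -url "$uri" -resp_text 2>/dev/null \
        | grep -E 'Cert Status:|Revocation Reason:' || echo 'no OCSP answer'
    rm -rf "$d"
}

# Run a renewal command and make failure visible: cron mails only what a job
# writes to its output, and the original entry writes nothing on failure.
# On non-zero exit the captured output is replayed on stderr and the exit
# status is preserved, so MAILTO (or any wrapper) sees both.
renew_or_report() {
    out=$("$@" 2>&1) && return 0
    status=$?
    printf 'renewal failed (exit %s):\n%s\n' "$status" "$out" >&2
    return "$status"
}

# Constructed fixture: a throwaway self-signed cert valid for $2 days at
# $1/cert.pem, standing in for the live certificate under /opt/bitnami.
make_demo_cert() {  # $1 = dir, $2 = days
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days "$2" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
}

# Offline demo: a 10-day cert is inside the usual 30-day renewal window.
demo=$(mktemp -d)
make_demo_cert "$demo" 10
if cert_valid_for_days "$demo/cert.pem" 30; then
    echo "more than 30 days left: renewal would not run"
else
    echo "expires within 30 days: renewal would run now"
    # The real job, wrapped so a failure is reported (placeholder email/domain).
    # --days 90 forces renewal on every run because Let's Encrypt certs live 90
    # days: use it once to test, then remove it to avoid the rate limits.
    # renew_or_report sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt \
    #     --email="you@example.test" --http --http-timeout 30 \
    #     --http.webroot /opt/bitnami/apps/letsencrypt --domains=www.example.test \
    #     --user-agent bitnami-bncert/1.1.1 renew --days 90
fi
rm -rf "$demo"

# Live check only when asked: CHECK_HOST=www.flat-bags.com sh check.sh
if [ -n "${CHECK_HOST:-}" ]; then
    live_cert_status "$CHECK_HOST"
fi
```

Two caveats for using this on Lightsail: cron's MAILTO delivery needs a working MTA, and AWS restricts outbound port 25 from instances by default, so the replayed stderr is only useful if you route it somewhere else (a log file, a webhook, or the external monitoring MikeMcQ suggests). Also, Let's Encrypt has since retired its OCSP responders in favour of CRLs, so on a current certificate `-ocsp_uri` may be empty; the CRL distribution point (`openssl x509 -noout -ext crlDistributionPoints`) is then the place to look for the revocation entry and its reason code.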
