Every new certificate is revoked

My domain is: noxillio.dev

I ran this command:

It produced this output:

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2022

My hosting provider, if applicable, is:

I can log in to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme v2.1.21.1218

I was trying to learn how to attach a LE certificate to Remote Desktop. It took a while, but I figured out how - but now it appears that while certificates appear to be created successfully, when in actual use they show as being revoked. For instance, trying to connect to my domain from a web browser (even though this is literally a brand-new certificate) shows it as being revoked. Am I just being rate limited?

2 Likes

No, the cert is really revoked and LE does not use revocation as rate limiting. See e.g. crt.sh | 6673400280 (it shows "Status: revoked" in the table).

Why this happens is unknown to me. It would be weird for your client to revoke the cert immediately, but perhaps there's software searching for issuance for your domain and revoking it when it finds a cert it doesn't know? This software would have to have access to either the private key of the account which has issued the cert(s) or have access to the domain so it could validate an authorization on its own.

4 Likes

I'm unsure what this would be or why this would happen as the only things I have installed on this particular server are roles and features. RD Gateway, for instance. Really the only big things I'm using are IIS, Active Directory, and RDS.

I could wipe the server and try again (would only take like half an hour) but this time I'll pay close attention to the site and see when exactly the cert gets revoked so as to have a clearer picture of what exactly is going on.

I should also mention I have Windows Admin Center installed and running with its own cert but again I've no idea why that would be doing anything weird with IIS sites and LE certs.

2 Likes

Not Before: May  6 02:47:01 2022 GMT

Revocation Date 2022-05-06  04:52:24 UTC

That's... fast. 3:47 it's issued, 4:52 it's revoked. One hour five minutes.

3 Likes

It took that long? Strange because I'm seeing it revoked immediately. As in I have the cert issued and then I immediately try to navigate to the site, and it comes back as revoked.

1 Like

I only checked the certificate linked above, not all of them.

2 Likes

If that's the latest certificate, then yes, I'm talking about that one too. It's been happening to every single one I make since yesterday.

Wouldn't this be the latest one? crt.sh | 6673724925

1 Like

Check if it does the same with the staging environment.

2 Likes

This doesn't make sense.

2022-05-06  04:52:24 UTC

That's 15 minutes in the future! -- no, I am an idiot. It's 12 hours ago.

2 Likes

12 hours ago? But I only made that certificate right before I made this thread .-.
Let me figure out how to get win-acme to use staging and give your suggestion a shot.

Made the staging cert and bound it to the site in IIS. Browser doesn't show it as revoked but of course it isn't valid either. What now?

1 Like

Well...

This one is good: crt.sh | 6652803197 (Issued May 3rd)

So is this: crt.sh | 6639635850 (May 1st)

April 29th is revoked, and after that crt.sh started getting errors from the OCSP responder. (Of course, I was querying expired certificates.)

2 Likes

Those two might be certs I didn't manually revoke (last ones made before reinstallations of the OS)

Also, I'm not sure what OCSP means >_<

1 Like

LE sets the notBefore date one hour in the past on issuance for misconfigured clocks.

Although @9peppe already accounted for that and it doesn't make up for 12 hours of difference :stuck_out_tongue:

5 Likes

One of the things I don't understand about this is that I can also renew the certificate without any issues. Also, I just rebound it to the site again (so took the staging one off) and it still says revoked.

1 Like

Revoking a certificate has no bearing (outside of rate limits) on your ability to get a new certificate with the same set of names (which is all a renewal is). They are independent entities.

3 Likes

  • Have you ever knowingly revoked one of your certs? It's not standard practice and it's not something you should normally do.
  • How are you applying the certs to your services? You need to match the latest cert thumbprint, not name (or subject), otherwise you could be matching to an old revoked cert you have in your store.

Also check out https://certifytheweb.com (which I develop) because it could probably have helped you get all this set up with less hassle. Certainly IIS would be easy (just make sure you have an existing http hostname binding in IIS and remove any https bindings you may have configured without SNI). You can script AD and RD Gateway, see Scripting | Certify The Web Docs, and there are a couple of simple built-in deployment tasks that are useful for basic scenarios. Likewise, win-acme can also be configured to do these sorts of things via the command line or by editing config files etc. I assume you have a test system you can play around with for all this and I'd recommend doing that to gain familiarity and trying out different scripts etc.

4 Likes
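The "match by thumbprint, not by subject" advice above, worked through as an added PowerShell example (this is not code from the thread, from win-acme or from Certify The Web). It assumes a host name and IIS site name that you would replace with your own, lists every certificate for that host in the machine store with its live revocation status (the same online OCSP/CRL chain check a browser performs), and rebinds the IIS https binding to the newest certificate that is not revoked.

```powershell
# Added example: find the newest non-revoked cert for a host and bind IIS to it by thumbprint.
$hostName = 'www.example.com'   # assumption: replace with your own host name
$site     = 'Default Web Site'  # assumption: the IIS site whose https binding is rebound

Import-Module WebAdministration

# Build the chain with online revocation checking, like a browser would.
function Test-NotRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $ok = $chain.Build($Cert)
    $revoked = $chain.ChainStatus |
        Where-Object { $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked }
    return ($ok -and -not $revoked)
}

# Every cert in LocalMachine\My that names the host (subject CN or SAN), newest first.
# Old revoked copies stay in the store and are easy to pick up if you match on subject.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $hostName -or $_.Subject -like "*CN=$hostName*" } |
    Sort-Object NotBefore -Descending

foreach ($c in $candidates) {
    $status = if (Test-NotRevoked $c) { 'valid' } else { 'REVOKED or untrusted' }
    "{0}  NotBefore={1:u}  {2}" -f $c.Thumbprint, $c.NotBefore, $status
}

$good = $candidates | Where-Object { Test-NotRevoked $_ } | Select-Object -First 1
if (-not $good) { throw "No usable certificate for $hostName in LocalMachine\My" }

# Bind by thumbprint. An https binding left pointing at the old thumbprint keeps
# serving the revoked cert even after a new one has been issued.
$binding = Get-WebBinding -Name $site -Protocol https -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $site -Protocol https -HostHeader $hostName
}
$binding.AddSslCertificate($good.Thumbprint, 'My')
"Bound $site ($hostName) to $($good.Thumbprint)"
```

Run it in an elevated PowerShell on the server; the listing it prints also shows whether older copies in the store are the revoked ones.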

Yes, as I believe I mentioned here a couple of times, I manually revoked a bunch of my certs during testing because I'm uneducated about the typical/standard practices. All I really know is why I need a cert and that I dislike not having one.

I started by deleting the certificate from the store, which on its own unbinds it from the service. I then revoked it and removed the renewal task using win-acme, then obtained a new certificate using it, which resulted in it being automatically bound (as expected) to the service again. I'm unsure why all of a sudden my certificates are all being revoked. I just got on today to see that the certificate Windows Admin Center uses (self-signed, generated by its installation wizard) was revoked as well.

My new plan is to just wipe the server again (there's nothing sensitive/essential on it right now as I was just trying to put together a setup that works perfectly for my needs and is satisfying to use) and use this instead of win-acme.

I discovered how to give RD a certificate via its own management tool, and I'm not sure if this is what the issue has been, but I had been importing the certificate I generated for IIS and simply using that to try and secure RD Gateway. If you're able to enlighten me further I'd appreciate it.

On a slightly unrelated note, to sum up what I'm trying to accomplish, I use my VPS (the server in question here) to host my Discord bots and mail server (I use hMailServer for this), and I am trying to move away completely from my web hosting provider (I started using it for email hosting before I discovered how to accomplish it on a Windows machine) as it is extra money I do not need to be paying per month when I can accomplish everything it does from my VPS instead.

No, I just searched the thread (twice) and did not see you mention it. You often said you saw it revoked but never described revoking it.

Do you remember what method you used to revoke it? Because it gets complicated. See this thread for an explanation.

My suggestion is to use a new account and private key to issue a new cert. If that gets revoked then it clearly is something wrong in your ACME client.

But, my interpretation of the linked thread is that when revoking if you provided your Private Key and gave reason as KeyCompromised then you cannot use that Private Key any more. Caveat: I am not an expert in revocation.

4 Likes

I thought that this would have sufficiently implied it.

I used win-acme's own built-in function for it. It's just a choice in the menu. That's all I know.

1 Like

I stand corrected. In post #12 you did imply some revocations.

I don't know win-acme well enough to know what kind of revocation it does internally. You could try asking at win-acme support (github or pro) about this.

Or, try my suggestion of using a new account key and private key and see if that cert gets revoked. This seems a plausible solution and more likely related to the underlying cause than your acme client immediately revoking certs.

2 Likes