Net::err_cert_revoked

Hello community,

My domain is: pourboir.com

My Let's Encrypt certificate expired, and I can't access the website anymore. I tried reinstalling it and then running certbot, but neither fixed the issue.

It produced this output: Net::err_cert_revoked issue

My hosting provider, if applicable, is: Lightsail from AWS

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

How did you reinstall the certificate?

3 Likes

I first followed the steps from here --> Install SSL which I always do every 90 days.
And then I ran certbot on top of that.

But I had the error before trying to update the certificate

Ugh, Bitnami.. I ain't touching that stuff, sorry. It's just terrible.. It makes me cry a little bit just to see that kind of how-to.. Just.. No words.. How terrible it is..

Maybe you just need to restart the webserver, I dunno..

That's probably because your certificate was previously issued with a different client than Certbot, used the tls-alpn-01 challenge, and was revoked recently due to an issue with the tls-alpn-01 challenge.

3 Likes

:smiling_face_with_tear: I see ...

Yeah, sorry. Bitnami is just unnecessarily complicated.. And the guide you're using has many, MANY steps and different options to choose from, depending on the situation.

Such a guide goes against everything Let's Encrypt tries to stand for, which includes automation. And that guide is, well, NOT automated at all.

It also lets you get a wildcard certificate, but do you really require a wildcard? That mandates the DNS challenge, which makes it harder to automate.. Without a wildcard, automation would probably be feasible.

Anyway, I can see you have two perfectly fine certificates issued today: crt.sh | pourboir.com

You should make sure one of those newly issued certificates is loaded by your webserver, which seems to be handled by that "Really Simple SSL Plugin".. Maybe it wasn't that simple? Maybe it is? I dunno..

3 Likes

It was that simple for the past year.... But it somehow stopped working on its own all of a sudden without me touching anything ...
It's super annoying. Thanks for your help, I will try to figure it out. It seems there is an error with Apache 2.

1 Like

You can read more about the incident I mentioned earlier here:

Although I find it strange that your certificate would be affected. Certbot doesn't support the tls-alpn-01 challenge. Or did you use a different ACME client for the certificate which is now revoked?

3 Likes

I will check it out - thanks

1 Like

It seems that you successfully renewed your certificate. You should use that on your site to prevent client errors. crt.sh | pourboir.com

If you have used other Bitnami guides then it's possible you used the TLS-ALPN-01 challenge. For example, bncert recommends using the lego client and the --tls option, which does the TLS-ALPN-01 challenge. If you want to root cause why you were affected, start by looking through your history and logs and see what client and challenge they show for the issuance of the affected certificate.

Keep in mind that affected certificates have at least one name that was validated with the TLS-ALPN-01 challenge. It's possible that you issued a certificate validated by the TLS-ALPN-01 challenge for a.example.com then switched clients and used the DNS-01 challenge to create a certificate for a.example.com and b.example.com. But if the authorization for a.example.com was still valid from the TLS-ALPN-01 challenge then you would not need to complete a DNS-01 challenge for that name because Let's Encrypt has authorization reuse and authorization lifetimes.

5 Likes
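The authorization reuse scenario described in the reply above, as an added example that is not part of the thread and not Let's Encrypt's code: a toy model of a CA's per-account authorization cache, showing how a certificate requested by a DNS-01 client can still rest on an earlier TLS-ALPN-01 validation. The 30-day lifetime, the single-account assumption, the order list and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed reuse window for a validated authorization (illustrative value).
AUTHZ_LIFETIME = timedelta(days=30)

# Constructed sample orders for one ACME account:
# (certificate label, names, order time, challenge the client would perform)
ORDERS = [
    ("cert-1", ["a.example.com"], datetime(2022, 1, 10), "tls-alpn-01"),
    ("cert-2", ["a.example.com", "b.example.com"], datetime(2022, 1, 20), "dns-01"),
    ("cert-3", ["a.example.com", "b.example.com"], datetime(2022, 3, 1), "dns-01"),
]


def simulate(orders, lifetime=AUTHZ_LIFETIME):
    """Replay orders in time order and record which challenge type
    actually backs each name on each issued certificate."""
    authzs = {}   # name -> (challenge, validated_at)
    issued = []   # [(certificate label, {name: backing challenge})]
    for cert_id, names, when, client_challenge in sorted(orders, key=lambda o: o[2]):
        backing = {}
        for name in names:
            cached = authzs.get(name)
            if cached and when < cached[1] + lifetime:
                # A still-valid authorization exists: it is reused and the
                # client never performs its own challenge for this name.
                backing[name] = cached[0]
            else:
                # No valid authorization: the client validates the name now.
                authzs[name] = (client_challenge, when)
                backing[name] = client_challenge
        issued.append((cert_id, backing))
    return issued


def affected(issued, challenge="tls-alpn-01"):
    """Certificates with at least one name backed by the given challenge."""
    return [cert_id for cert_id, backing in issued if challenge in backing.values()]


if __name__ == "__main__":
    result = simulate(ORDERS)
    for cert_id, backing in result:
        print(cert_id, backing)
    print("affected:", affected(result))
```

In this model cert-2 was ordered with DNS-01 only, yet a.example.com on it is still backed by the TLS-ALPN-01 validation from ten days earlier, which is why checking only the most recent client's challenge type can miss the cause.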

It's not, it's just a single tutorial from AWS that breaks everything by telling Bitnami users (who already have an ACME client, lego) to install certbot as well.

I fault Google for putting AWS docs before Bitnami docs when looking for the latter.

1 Like

Forget that tutorial.

Follow this: Learn about the Bitnami HTTPS Configuration Tool and this: Enabling HTTPS on your WordPress instance in Amazon Lightsail | Lightsail Documentation

4 Likes

Those guides do look better indeed :slight_smile:

3 Likes
