Renewed cert but still hitting revoked cert in browser

My domain is: https://www.innovativeirrigation.ca/

Old cert was revoked by Let's Encrypt, so I revoked in Bitnami server, then renewed my cert no problem. But when browsing to domain it is still hitting the old cert - which has been revoked. I have restarted the apache server but makes no difference.

When browsing to site the cert is still showing old cert details, old expiry data and that is has been revoked

My web server is (include version): Apache/2.4.41 (Unix)

The operating system my web server runs on is (include version): Bitnami

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Any help would be greatly appreciated

Your cert looks good to me. (so far)
Good till March 22.
I am not getting any "revoked status"
May be OSCP. Ill check again later

4 Likes

It's strange, if you use Chrome, is still hits okay and a date of March 22nd - but showing revoked when you go to check if the cert is valid

But I cant hit it from Safari at all. Plus the March 22nd cert date is the old cert. My new cert has an expiry of May

I confirm your cert is revoked. See this site

Let's Encrypt recently revoked a number of certs that had been obtained using the TLS-ALPN challenge method. Does this apply to you?

Here is a thread explaining why

That said, you say you use Certbot but if you got your cert using that this cannot apply. Certbot does not support TLS-ALPN.

Could you have used the bitnami bncert tool instead?

5 Likes

Yes my was revoked by lets encrypt, I thought all I had to do was renew and get a new cert, which I did prior to the revoke - but looks like that isnt the answer. I can go the bncert tool instead if that is the answer.

I just went through this and it looks like it took - Learn about the Bitnami HTTPS Configuration Tool - but still showing revoked in the site link placed above. Do you know if it takes time to propagate?

Yes, Bitnami is nothing like the rest.
It can't directly use the certs provided by certbot.
There are other steps to take... and forms to fill out... LOL

So, as seen by Bitnami, that process is still "incomplete".
You may have renewed the cert, but Bitnami knows nothing about it.
Thus, the revolutionary invention of the bncert tool.
Oh no, it doesn't eliminate the problem; It does soooo much more!
It single-handedly takes all those countless (unnecessary) Bitnami required steps for you.

It's like.. imagine building a machine that can take bread slices out of their bag and place them into the toaster, turn on the toaster and butter them for you when they pop up!
Yes! It's that good and taste just as sweet.

NOTE: In case anyone missed the blatant sarcastic humor - Bitnami can't be used like "normal programs" (99.9% of the Internet). Don't try to fix that broken wheel, just follow their instructions and use their tool.

4 Likes

So as I said it did take good in my server:

Success

The Bitnami HTTPS Configuration Tool succeeded in modifying your installation.

The configuration report is shown below.

Backup files:

  • /opt/bitnami/apache2/conf/httpd.conf.back.202202120456

  • /opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf.back.202202120456

  • /opt/bitnami/apache2/conf/bitnami/bitnami.conf.back.202202120456

But the site is still hitting that old revoked cert. Do I need to do anything on the Lightsail DNS end?

I do not know Lightsail / bitnami but here is some info in case this helps you.

You can view your cert history here. You got two new wildcard certs on Feb12. But, your Apache server is sending out a non-wildcard cert created on Dec17.

Did you use a different method on Dec17 to create that cert compared to your later ones?

If you just had Apache I would walk you through validating it. But, I worry any manual changes done that way would interfere with bitnami / Lightsail.

Did the bitnami config tool have you restart Apache or Lightsail instance after it got a fresh cert? If not, you could try that.

3 Likes

Yes I did use a different method on the Dec17 date as I couldn't get the apache server back up after shutdown so tried an alternate approach, which took and allowed me to get the apache server back (But clearly caused other issues). I did restart apache through the bitnami config tool and again after the fact just to be safe. I will try restarting the lightsail instance now. Reason I asked re Lightsail was when doing the lets encrypt method - Tutorial: Using Let’s Encrypt SSL certificates with your WordPress instance in Amazon Lightsail | Lightsail Documentation - it makes you add the _acme-challenge response as a txt record in the DNS. Something that wasnt done when using the bitnami config tool

The reboot of lightsail server didnt work either. I am wondering if I can revoke the cert that was mentioned above " But, your Apache server is sending out a non -wildcard cert created on Dec17." I have no clue why its sending that one out. When I check my certs in the Bitnami server I get the following so it looks good on that end:
Found the following certs:
Certificate Name: innovativeirrigation.ca
Domains: innovativeirrigation.ca *.innovativeirrigation.ca
Expiry Date: 2022-05-12 23:50:02+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/innovativeirrigation.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/innovativeirrigation.ca/privkey.pem

That will not help. In fact, the cert your server is now sending out was revoked by Let's Encrypt.

What you are showing looks like a cert created using the Certbot client (not bncert). I am not sure bncert actually does wildcards, I think with bitnami you would use lego client.

But, your Apache config is pointing to different cert files. Let's see what @9peppe has to say .

3 Likes

bncert and certbot control a different set of certificates.

Which is actually renewing the certificate you're sending out? Ignore the other.


I can imagine why you installed certbot, and that tutorial is utter rubbish. You should just use bncert.

If your certificate has been revoked, search the forum for "early renewal bncert" and read that thread

2 Likes

I removed certbot and I renewed cert with bncert tool but its just giving the same result - a successful renewal and cert but hitting the revoked old cert when testing. Any more guidance?

It should've reloaded your webserver (you didn't edit its configuration, did you?).

https://docs.bitnami.com/aws/faq/administration/control-services/

1 Like

No I just did:
sudo certbot delete

Which removed all certbot and certs

Then ran through the process of renewing cert through bncert (Which does a restart of apache)

I'm only adding in innovativeirrigation.ca as a domain in bncert. Could it be an issue without adding in a wildcard domain when I was adding *.innovativeirrigation.ca when I was using certbot? Sorry but I am really confused on this one

And then what happpened? Did it renew the certificate or did it tell you it wasn't time yet?

It looks like you didn't actually get a certificate using bncert.

Follow these instructions: Early renewal for bncert (bitnami) - #24 by hellogossh

2 Likes

That worked, Amazing! What I did wrong was run through the "install cert using bncert tool" as opposed to the above. Much appreciated @9peppe and everyone else!

2 Likes

Just so you know your latest cert is not a wildcard. If you don't need one that is fine. Just making sure you know now.

3 Likes

Yes thanks for that @MikeMcQ , I was using a wildcard before but I actually didn’t need it. So I think I’m all set. Thanks again!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.