[resolved] How to "un-revoke" a certificate?

littlemonkey · October 6, 2017, 12:34pm

Hello everyone,
I’m familiar with installing Let’s Encrypt certificates on my servers, running Debian Jessie and Ubuntu 16.04. Everything has worked great. However, I ran into problems when I had to move a site from server to another server:

I first created a virtualhost on my Ubuntu server and installed a certificate for the domain, only to discover the WordPress theme used was not compatible with php7. I was dumb enough to revoke the certificate, and moved the site to my other server (Debian with php5.6). I could install a certificate on Debian server too, and the site is working, like, normal, but only on Chromium or Epiphany browser. Firefox tells me "An error occurred during a connection to www.repipe.fi. Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE"
https://www.ssllabs.com/ssltest/analyze.html?d=www.repipe.fi tells me the same information.

A couple of questions: Is the certificate to be revoked forever, from now on? Is there a way to undo my stupid revoke of the domain? What should I do?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
Ubuntu:
letsencrypt --apache -d www.repipe.fi
letsencrypt revoke --cert-path /etc/letsencrypt/live/www.repipe.fi/cert.pem

Debian:
certbot --apache -d www.repipe.fi

It produced this output:
everything ok

My web server is (include version):
Apache/2.4.10 (Debian)
Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Debian Jessie

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

bytecamp · October 6, 2017, 12:58pm

Just issue another (new) certificate for the domain, revocation cannot be undone.

littlemonkey · October 6, 2017, 1:15pm

@bytecamp, thank you for the information, but I’ve already issued a new certificate for this domain.

littlemonkey · October 6, 2017, 1:43pm

ssllabs analyzer report shows also Certificate #2:
Common names: develspace.com
Alternative names: develspace.com MISMATCH

What does this mean?

mnordhoff · October 6, 2017, 2:06pm

Notice that Certificate #2 has a little "No SNI" indicator, and it says "This site works only in browsers with SNI support." at the top. SNI (Server Name Indication) is a TLS extension that allows the server to choose between multiple certificates based on the hostname specified by the client.

In other words, the "develspace.com" certificate is the server's default for really, really old clients that don't support SNI. Like, Windows XP era Internet Explorer.

You could reconfigure your web server to choose a different default, but it doesn't really matter in a modern environment.

littlemonkey · October 6, 2017, 2:11pm

@mnordhoff, thank you for the explanation.

Now, how can I get rid of that SEC_ERROR_REVOKED_CERTIFICATE error shown with Firefox (52.4.0) browser?

danb35 · October 6, 2017, 2:35pm

Are you sure you haven't revoked that one as well? Because the OCSP response that SSLLabs got from Let's Encrypt says it's revoked too.

littlemonkey · October 6, 2017, 2:55pm

@danb35, thank you for this extended info.

Actually, I did revoke the certificate on both servers… That’s bad, right?
The site was a nightmare to set up and get running, after a really nasty spamvertizing infection. The server changed twice, DNS changed… Maybe I was too frustrated to think clearly?

What I’ve learned is: never revoke a certificate without a genuine reason.
I also learned letsencrypt delete --cert-name example.com does not work on my Ubuntu server. I tried that first, but because I could not get it working I did the revoke.

danb35 · October 6, 2017, 3:06pm

It's not good, but it isn't the end of the world. Issue a new cert and use it and all should be well.

The only real reason to revoke a cert is if you believe the private key has been compromised.

mnordhoff · October 6, 2017, 3:08pm

What error message did it give? If it's the letsencrypt 0.4.0 Ubuntu package, the delete command was added in a newer version.

If you want, you could use the Certbot PPA -- 0.4.0 is so old that the project has since been renamed from "letsencrypt" to "Certbot" -- and install a newer version.

(It's backwards compatible. The old command name still exists, at least for now.)

But if you don't want to delete any more certificates, and aren't experiencing any other issues, you don't really need to bother.

littlemonkey · October 6, 2017, 3:36pm

@danb35, all is, well, “well”, despite the Firefox error message, thank you!

@mnordhoff, the error was:
letsencrypt: error: unrecognized arguments: delete --cert-name example.com

so that means I’m running the old version.

There will be situations I have to delete certificates in the future, so maybe updating will be a good idea!

I guess we can close this now,
a big thank you for everyone involved helping me getting things straight. I have learned a lot!

system · November 5, 2017, 3:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.