Revoked certificate still valid?

My domain is: radioactiveslop-dm.xyz

I ran this command: revoke

It produced this output: N/A

My web server is (include version): Foundry VTT (likely not relevant)

The operating system my web server runs on is (include version): Windows 8.1

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello, Let's Encrypt community. I'm a novice to running a server, and almost got everything working right. The issue I have is that after I revoked my certificate via Certbot, every connection I make to the server still uses the Let's Encrypt certificate.

I started this server off with Certbot certificates, but now I'm trying to use Cloudflare to create my certificates. I currently have Cloudflare certificates on the server. However, I cannot tell if the Cloudflare certificates are functioning because every connection I make, as I mentioned earlier, uses the Let's Encrypt certificate that I already revoked via Certbot.

Am I missing something obvious or fundamental, or should the certificate have stopped being valid once revoked?

Hello @Horseshoe00,

First of all, if your private key has not been compromised there is no need at all to revoke a certificate.

Said that, you have issued 2 certificates, one covering radioactiveslop-dm.xyz and the other one covering radioactiveslop-dm.xyz and *.radioactiveslop-dm.xyz. Your site is using the second one but you have revoked the first one.

Again, don't revoke the certificates, if you don't want to use those certificates anymore... just remove them... well, first make a backup just in case.

Cheers,
sahsanu

3 Likes

I concur with my fellow volunteer above.

Also, revoking does not "uninstall" a certificate: those two things are something different entirely.

3 Likes

No, as mentioned, your server still sends the LE certs. These are the certs you have created:

Here are your current server output certs:

2 Likes

Thank you for the reply.
I understand that it may not have been necessary to revoke the certificates, so please excuse my heavy-handed process, but this doesn't exactly solve my problem.

When I run Certbot and try using the revoke command, the program says I have already revoked the certificate for *.radioactiveslop-dm.xyz. When I prompt Certbot for a list of my certificates using the "certificates" command, it outputs "no certificates found." And, if I recall correctly, when I ran the revoke command for radioactiveslop-dm.xyz it asked me if I wanted to also revoke the certificate for *.radioactiveslop-dm.xyz, which I did do.

1 Like

@Horseshoe00 Revoking a cert does not change the previously issued cert. Revoking has that cert added to the Certificate Revocation List (CRL) that browsers and other clients can use to see if a cert is still valid. And it is added to the OCSP servers. See this topic on Revoking Certificates

Your server is still sending the same cert as before. You need to change whatever definitions you have that still refer to the cert files you created. A curl request to your domain shows a server name of Cloudflare. I do not know all the options in Cloudflare but I guess you may have set something there too.

I also refer you to my post just prior to your latest which shows how you can see the output we are referring to.

2 Likes

I've been working down through the comments, thank you. What I know is the server program I'm using accepts an SSL certificate and an SSL private key, and I'm using the SSL certificate and SSL private key issued to me by Cloudflare. There should not even be any other cert files available for the server to refer to, as my \live folder in Certbot no longer contains any cert files. The server and machine have been restarted multiple times as well.

I must admit, I see the links you sent me earlier and understand that they display Let's Encrypt as the issuer, but I don't know how to compare them to the cert files I do have.

@Horseshoe00 If you are using Cloudflare CDN, there is a cert for the https connection between Cloudflare and the client (browser or whatever). There is also a connection between Cloudflare and your origin server. This is ideally also https and so has a cert of its own.

Generally you can create a cert in Cloudflare for its client connections, and this cert would appear in the crt.sh list for the domain used by the client (your radioactiveslop-dm.xyz). But, I believe you can also upload your own certs for this purpose, and I am guessing this might be what you did. I say this because there is no Cloudflare-issued cert in crt.sh for this name.

Can you explain more about your configuration? Are you using the Cloudflare CDN and if so what SSL model are you using (Flex, Full, ...) - see:
https://www.cloudflare.com/ssl/

2 Likes

I currently have the configuration set to Full (strict) but the issue appears on other levels, I set it to that while I was troubleshooting. My Cloudflare plan does not allow me to upload certificates-

Oh. Huh. It looks like Cloudflare uses Let's Encrypt as a certificate authority. So it may be that I'm barking up the wrong tree, and the server is using the right certificate. Which would explain this. But I don't know how to make sure.

1 Like

Cloudflare occasionally uses LetsEncrypt for certificates as well. They use multiple certificate authorities, not their own unless you are installing an untrusted Origin Certificate to only secure the connection between your server and their network.

OP - are you sure your server is using a certificate YOU obtained from LetsEncrypt and not a certificate Cloudflare obtained from LetsEncrypt for you?

3 Likes

Cloudflare does say my "universal certificate" has Let's Encrypt as a certificate authority, yes.

I suppose that, because I'm using certs that Cloudflare gave me and Cloudflare is using Let's Encrypt, the evidence would indicate that the certificates I closed earlier likely have closed and revoked successfully and my server is now using the Cloudflare-provided Let's Encrypt certs instead.

Is there a way to verify that the certs that are showing online match my cert files?

There are few ways to tell.

The simplest method: in a browser you click the lock and then "details" to see the issue date and time (notBefore). If that correlates to when you switched to Cloudflare, it's safe to assume that is a Cloudflare cert.

The more advanced method is to compare the keys and certificates themselves. On most OSes, you can drag the certificate from the lock window onto your desktop and then compare that "live" key to the ones you have.

If you have trouble doing that, the certificate details will offer the public key details. You can then use OpenSSL on the command line to extract the public key from the private key you have from Cloudflare and compare. The following two commands are identical (one uses stdout, the other uses supported args); I just pulled them off a quick web search that brought up dozens of StackOverflow links.

openssl rsa -in privkey.pem -pubout -out key.pub
openssl rsa -in privkey.pem -pubout > key.pub

There are other ways, the above are the easiest ones I could think of.

2 Likes

You can use this site to check certs from any domain. Just enter the domain for your origin server

Is that what you meant?

2 Likes

@Horseshoe00 While @jvanasco is correct, you should know that the cert chain shown by browsers may not be what your server is sending. Browsers often build a trusted chain to adapt to poorly configured servers and their own logic.

3 Likes

+100. Some online profiling tools will show the actual certificate chain being served, but most browsers/clients/libraries will ignore the certificate chain and use their own logic to correlate a Certificate with a chain up to the Trusted Root. This is why you should only focus on the Certificate itself for the analysis you need.

2 Likes
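The public-key comparison described in jvanasco's reply, and the point made just above that a browser's displayed chain may not be what the server sends, can be combined into one check. This is an added example, not code from the thread: it assumes only the openssl CLI, compares SubjectPublicKeyInfo fingerprints so it works for any issuer, and fetches the leaf certificate straight from the server with s_client rather than trusting a browser's view. The host, port and file names are placeholders; note that fetching from a Cloudflare-fronted hostname returns Cloudflare's edge cert, so to compare against the key you installed you must connect to the origin server itself.

```shell
#!/bin/sh
# Added example: does the private key I hold match the certificate the
# server is actually presenting? Compares SHA-256 over the DER-encoded
# SubjectPublicKeyInfo, which is identical in a key and the cert issued for it.

# Fingerprint of the public half of a private key (PEM file).
spki_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key embedded in a certificate (PEM file).
spki_of_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Fetch the leaf certificate a server really sends for an SNI name.
# Browsers may display a chain they rebuilt themselves; this asks the server.
# Usage: fetch_served_cert HOST PORT OUT.pem   (placeholders, needs network)
fetch_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Exit status 0 when the private key and certificate belong together.
# Usage: key_matches_cert privkey.pem cert.pem
key_matches_cert() {
  k=$(spki_of_key "$1")
  c=$(spki_of_cert "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed fixture for offline use: a throwaway key with a self-signed
# cert made from it, plus an unrelated key that must NOT match.
make_fixture() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/privkey.pem" \
    -out "$d/cert.pem" -days 1 -subj "/CN=example.test" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/other.pem" >/dev/null 2>&1
  echo "$d"
}
```

If the fingerprints differ, the server (or the CDN in front of it) is serving a certificate that was not issued for the key you installed, which is exactly the situation to rule out here.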

Alright, I believe you all have got me on the right path now.
The dates seem to match up on the cert presented by the server and the certs Cloudflare gives me. Cloudflare's "Universal Certificate" thing doesn't allow me to directly look at the certs they use between them and clients, though. So, I can't directly compare certs personally, it only gives me the expiry date.

Would you all say that, given what we've seen, my certificates are working correctly? I'd prefer to get this as correct as I can off the bat instead of having to come back later, which is why I came here asking about this issue even though the site was already functional.
