SEC_ERROR_REVOKED_CERTIFICATE With AWS Cloudfront and Firefox

Help
1

hello! im trying to use a letsencrypt certificate with Amazon Cloudfront to do https termination, and after upload the certificate to the Amazon Certificate Manager (key, body and chain), when I enter to the domain using Firefox I get this SEC_ERROR_REVOKED_CERTIFICATE message, for what I research it seems to be an issue with the OCSP. I dont know if the problem is with AWS ou with the OCSP server.

Note.

  • With Google chrome works fine (i know that query to ocsp is disabled by default)
  • If I use the certificate with an ELB I have the same problem
  • If I disable the ocsp query at firefox preferences, it works fine.
  • If I set a haproxy / nginx for the termination (the same certificate) works fine with firefox
  • Im testing with firefox version 54.0

Any ideas ?

thnx in advance
Fred.

2

Hi @narfeta,

Could you post a link to the certificate in question on https://crt.sh/?

3

Hey @schoen,

Thnx for the reply, sure, for example this one, https://crt.sh/?id=187243524

One thing that it might be important to mention is that this problem happens with all the certificates that I generate with letsencrypt. :frowning:

I tested with certificates from other providers and it works fine.

Fred.

4

Interesting! What software are you using to obtain these certificates?

5

we tested with this two

certbot (py) 0.10.x

certes (c#)

6

Do you know what commands you ran to obtain the certificates? Did anyone attempt to revoke any certificates for any reason?

@cpu, do you think you could obtain some more information about the revocation events here? The certificate does in fact seem to be revoked in OCSP.

1 Like
7

Ok, We found the issue, after you talk about the revoke, I tested with our certbot flow, I grab the certificate manually, uploaded to the ACM, attached to the cloudfront, and -everything works as planned- (tested with the https://www.ssllabs.com/ssltest/ tool) the certificate wasn’t revoked.

So I spoke with the developer that implement the certes (C#) solution, after reviewing the code, we found it!

await client.RevokeCertificate(cert);

An if condition with a missed ! was the problem. :blush:

Thnx a lot your time, awesome job with letsencrypt.

Fred

1 Like
8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.