hello! im trying to use a letsencrypt certificate with Amazon Cloudfront to do https termination, and after upload the certificate to the Amazon Certificate Manager (key, body and chain), when I enter to the domain using Firefox I get this SEC_ERROR_REVOKED_CERTIFICATE message, for what I research it seems to be an issue with the OCSP. I dont know if the problem is with AWS ou with the OCSP server.
- With Google chrome works fine (i know that query to ocsp is disabled by default)
- If I use the certificate with an ELB I have the same problem
- If I disable the ocsp query at firefox preferences, it works fine.
- If I set a haproxy / nginx for the termination (the same certificate) works fine with firefox
- Im testing with firefox version 54.0
Any ideas ?
thnx in advance
Could you post a link to the certificate in question on https://crt.sh/?
Thnx for the reply, sure, for example this one, https://crt.sh/?id=187243524
One thing that it might be important to mention is that this problem happens with all the certificates that I generate with letsencrypt.
I tested with certificates from other providers and it works fine.
Interesting! What software are you using to obtain these certificates?
we tested with this two
certbot (py) 0.10.x
Do you know what commands you ran to obtain the certificates? Did anyone attempt to revoke any certificates for any reason?
@cpu, do you think you could obtain some more information about the revocation events here? The certificate does in fact seem to be revoked in OCSP.
Ok, We found the issue, after you talk about the revoke, I tested with our certbot flow, I grab the certificate manually, uploaded to the ACM, attached to the cloudfront, and -everything works as planned- (tested with the https://www.ssllabs.com/ssltest/ tool) the certificate wasn’t revoked.
So I spoke with the developer that implement the certes (C#) solution, after reviewing the code, we found it!
An if condition with a missed ! was the problem.
Thnx a lot your time, awesome job with letsencrypt.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.