Website certificate revoked

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: greenstopcannabis.ca

I ran this command: n/a

It produced this output: n/a

My web server is (include version): n/a

The operating system my web server runs on is (include version): n/a

My hosting provider, if applicable, is: canhost?

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

For some reason sites are unable to access the site any longer. Getting this error when they attempt to connect:

The certificate used by this server has been marked as untrustworthy and the connection is not safe.

This error was caused by an invalid OCSP response, which has to be valid because OCSP stapling is used.
Try connecting again later or from a different internet connection.
Access to it has been blocked.

Any help would be greatly appreciated.

1 Like

Welcome to the Let's Encrypt Community, Mike :slightly_smiling_face:

From what I see:

https://www.ssllabs.com/ssltest/analyze.html?d=greenstopcannabis.ca

greenstopcannabis.ca is fully accessible. The only trouble I can see that you might be facing is that the server for greenstopcannabis.ca is serving the short chain:

rather than the long chain:

2 Likes

Hey Griffin,

Appreciate the info. I was looking at SSL Labs as well. I am not super up to speed with certificates, but I did see what you see. It seems we are missing part of the chain. How would one go about correcting that?

2 Likes

Funny thing is that we have 2-3 sites that use Let's Encrypt certs and they seem to all be doing the same thing.

1 Like

It's likely that either:

  • your hosting provider's certificate management software (cPanel or something like that) is not including both intermediate certificates (in the CA bundle) when installing your certificates
  • your ACME client is configured to retrieve the alternate chain from Let's Encrypt rather than the default chain when acquiring your certificates

The former is fixed by overriding the CA bundle with the last two certificates in the long chain I gave you (basically by appending the ISRG Root X1 certificate to the end). The latter is fixed by changing the parameters of your ACME client software to not select the alternate chain (or not select a preferred chain at all so that the default chain is used).

2 Likes

Fantastic info!! This is where I show my newbie-ness of using certificates. I have done simple things in the past when it comes to downloading and installing certs, I am not sure what to do next? Again, this will be my newb coming out!

1 Like

@mbodfield
Another possibility is that your client doesn't have the "ISRG Root X1" cert in its trusted root store.
Which client O/S and browser (and their versions) are you having this trouble with?

1 Like

Windows 10 and in Chrome

1 Like

@mbodfield
Have you done your Windows Updates recently?

1 Like

Sure have, this is actually for about 80 sites... seems that they all have issues with the certificates

1 Like

It's possible, if you can provide other example domains?

If the problem is all from your machine, the most likely thing is your machine just doesn't have the ISRG Root X1 cert installed, so all sorts of other websites would have stopped working as well. You can try this method to see if it's just your machine:

Manually install by:

  • browsing to http://x1.i.lencr.org/ in order to download the .cer file for ISRG Root X1
  • open file, click "Install Certificate...", Choose default option "automatically select..", Next, Finish
  • reboot
2 Likes
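
A read-only check for the situation discussed in the last reply, as an added example that is not part of the original thread: it looks for ISRG Root X1 in the Windows machine and user root stores and, if given the downloaded file, inspects it before anything is installed. The function name and the `-CerPath` parameter are hypothetical; the certificate is matched by subject name only.

```powershell
# Added example (not from the thread). Run in Windows PowerShell 5.1 or later.
# -CerPath is optional: path to the .cer file downloaded from http://x1.i.lencr.org/
param(
    [string]$CommonName = 'ISRG Root X1',
    [string]$CerPath
)

# Hypothetical helper: list matching roots in the machine and user trust stores.
function Find-RootCertificate {
    param([string]$Name)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*CN=$Name*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Expired    = $_.NotAfter -lt (Get-Date)
                }
            }
    }
}

$found = @(Find-RootCertificate -Name $CommonName)
if ($found.Count -eq 0) {
    Write-Output "$CommonName is not present in the machine or user root store."
} else {
    $found | Format-List
}

# Inspect the downloaded file without importing it.
if ($CerPath -and (Test-Path -LiteralPath $CerPath)) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    [pscustomobject]@{
        File           = $CerPath
        Subject        = $cert.Subject
        SelfSigned     = $cert.Subject -eq $cert.Issuer   # a root names itself as issuer
        SubjectMatches = $cert.Subject -like "*CN=$CommonName*"
        Thumbprint     = $cert.Thumbprint
        AlreadyTrusted = $found.Thumbprint -contains $cert.Thumbprint
        NotAfter       = $cert.NotAfter
    } | Format-List
}
```

If the first part lists the certificate as present and not expired, the root store on that machine is not the cause and the manual install would change nothing.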
