SEC_ERROR_REVOKED_CERTIFICATE only in Firefox

NethServer Version: 7.6.1810

Hi,

and yes, I’ve seen the other post about Let’s Encrypt and Firefox, but it didn’t help!

In Firefox I get “SEC_ERROR_REVOKED_CERTIFICATE” (cleared the cache before!)
Edge: “…Ihre TLS-Sicherheitseinstellungen weisen keine Standardwerte auf, was ebenfalls diesen Fehler verursachen könnte.”

In Chrome everything is fine!

I read on Let’s Encrypt: “We’ll re-enable TLS-SNI-01 after a week, then disable permanently on March 13”, which could match the starting time of my problem!?

Now I have to say: I don’t know! As far as I have seen, I used the TLS policy 2018-3-30; is this the problem? I tried to change it, but do I have to renew the certificate, and if YES, how do I do this manually!?

thx for all

Martin

Do you use the newest Firefox version? I tested with the newest policy (2018-10-01) with 65.02 and 66.0 (64 bit) but couldn’t reproduce the cert problem.

You may try to start firefox in safe mode to exclude addon problems.

You may test your certificate.

No, that’s not necessary. Just in case you need it, you could request another letsencrypt certificate easily via the web UI.

Seems the obvious first step would be to see if the cert is actually revoked, because that’s what the error message is telling you. The test on ssllabs.com (which @mrmarkuz already linked to) would be an easy way to check. If it’s revoked, it’s almost certainly because you asked for that to happen.

Edit:

This is because Chrome doesn’t ordinarily check for cert revocation (which is one of the many ways in which cert revocation is broken).

It may match the starting time, but it has nothing to do with your problem. The deprecation of TLS-SNI doesn’t invalidate existing certs; it only affects the way new certs will be issued.

This shouldn’t have anything to do with your problem either, at least as far as the Firefox error is concerned–my German isn’t quite good enough to decipher what Edge is telling you.

If you can share your domain name, that would go a long way toward helping figure out what’s going on.


There are some hints too, but I didn’t test them; just for translation:

Thx for your help.

But I can’t use the web UI, because my server domain is different from the virtual host domain. And so I tried to save the settings of the virtual host again, in the hope that the certificate would then be reproduced automatically… I have to start learning, not hoping… :smiley:

Martin

I ran the SSLLabs test using the domain name you provided by PM, and Firefox is correct–your certificate is revoked. That domain is using a Let’s Encrypt cert issued on 28 Feb, but at some point after that time it was revoked. The Let’s Encrypt staff on their forums may be able to track down when and why that happened, but the information isn’t public. The most-likely reason for revocation is simply that you requested it. If you didn’t, the only other likely explanation would be that someone else convinced the Let’s Encrypt staff that it shouldn’t have been issued in the first place.

In order to correct this, you’ll need to issue a new certificate.


@danb35 Well, I didn’t, so I’ll ask the Let’s Encrypt team who or what asked for revocation!

But later; here SSL Labs is blocked for me…

Thx for your help

Martin

A little more investigation of the ssllabs report suggests that the domain you sent me isn’t actually being hosted on your Nethserver, or at least that it’s behind a CDN of some sort. It uses SNI, which Neth doesn’t do by default (and the cert presented when a non-SNI client connects is a self-signed cert for what appears to be an IPv4-to-IPv6 gateway), and its server signature is decidedly different than my Neth installation presents.

The gateway/CDN is going to complicate matters a bit, I think.


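The two checks suggested in the replies above (whether the issuing CA's OCSP responder reports the certificate as revoked, since Chrome will not tell you, and which certificate the server presents with and without SNI, since a gateway in front of the server can change that), as an added example that is not part of the thread or of NethServer. It assumes the openssl command-line tool, version 1.1.1 or newer, and `example.com` stands in for the domain being checked:

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the two checks discussed above
# against a live server: (1) does the issuing CA's OCSP responder say the leaf
# certificate is revoked, and (2) which certificate is served with and without
# SNI. Assumes the openssl CLI, 1.1.1 or newer (-noservername needs 1.1.1;
# OpenSSL 1.0.x additionally needs `-header Host <responder host>` on the ocsp
# command). example.com below is a placeholder for the domain being checked.

# Subject of the leaf certificate a server presents. With "--no-sni" the
# ClientHello carries no server_name extension, which is what a pre-SNI client
# (or a gateway that does not forward SNI) would receive.
leaf_subject() {  # usage: leaf_subject HOST [--no-sni]
    host=$1
    if [ "${2:-}" = "--no-sni" ]; then sni="-noservername"; else sni="-servername $host"; fi
    # shellcheck disable=SC2086
    openssl s_client -connect "$host:443" $sni </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Reduce an `openssl ocsp -resp_text` transcript (stdout and stderr together)
# to one word: good, revoked, unknown, or "unverified" when the status says
# good but the responder signature did not verify (an unverified "good" proves
# nothing; a revoked answer is acted on either way).
ocsp_status_from_text() {
    awk '
        /Response verify OK/         { ok = 1 }
        /^[[:space:]]*Cert Status:/  { status = $NF }
        END {
            if (status == "") status = "unknown"
            if (status == "good" && !ok) status = "unverified"
            print status
        }'
}

# Fetch the served chain, split off the leaf (cert1) and its issuer (cert2),
# read the responder URL from the leaf's Authority Information Access
# extension, and ask that responder about the leaf.
ocsp_status() {  # usage: ocsp_status HOST -> good|revoked|unknown|unverified
    host=$1
    tmp=$(mktemp -d)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | awk -v f="$tmp/cert" '
            /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
            inside && n <= 2              { print > (f n ".pem") }
            /-----END CERTIFICATE-----/   { inside = 0 }'
    uri=$(openssl x509 -in "$tmp/cert1.pem" -noout -ocsp_uri)
    openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" \
        -url "$uri" -resp_text 2>&1 | ocsp_status_from_text
    rm -rf "$tmp"
}

# Human-readable report for one host.
report() {
    host=$1
    echo "with SNI:    $(leaf_subject "$host")"
    echo "without SNI: $(leaf_subject "$host" --no-sni)"
    echo "OCSP status: $(ocsp_status "$host")"
}

# Constructed sample of what `openssl ocsp -resp_text` prints for a revoked
# certificate (not a real response), so the parser can be exercised offline.
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Mar  5 09:00:00 2019 GMT
Response verify OK'

sample_status() { printf '%s\n' "$SAMPLE_REVOKED" | ocsp_status_from_text; }

# With a host on the command line, check it live: sh check_cert.sh example.com
# Without one, only parse the constructed sample.
if [ -n "${1:-}" ]; then
    report "$1"
else
    echo "sample parse: $(sample_status)"
fi
```

If the subjects differ between the SNI and non-SNI runs, the name you tested is not terminating at the server you think it is, which is the situation described in the reply above; if the OCSP status comes back `revoked`, the only fix is a freshly issued certificate, as already stated.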
hmm,

well, yes, I’m using an IPv4-to-IPv6 gateway, for more than a year now, because of my DS-Lite issue…

Oh, my silly …
I thought that, for whatever reason, my domain (virtual host) would request a certificate from Let’s Encrypt via certbot! But as far as I understand it, it is not like that; but please correct me if you can ask for a Let’s Encrypt certificate for a virtual host with the standard NethServer modules/settings!?

Otherwise, my IPv4-to-IPv6 HTTPS proxy organizes a certificate; only there was a problem…

So thank you, and I have once again dealt with the topic a little bit!

Best regards

Martin

AFAIK, Neth wants to use a single cert for everything–you’d have one cert covering all hostnames used by the server, and use that in every virtual host. The underlying server software (i.e., Apache) is perfectly capable of serving different certs for different hostnames, but the Neth framework doesn’t allow for that.

Is there a reason you’d want a separate cert for the virtual host?

No, no reason, but I started with mydomain.lan and then my wife asked me to have a web domain… :smiley: