Error code: SEC_ERROR_REVOKED_CERTIFICATE

1. Caddy version

(v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=):

2. How I run Caddy:

Running it as a service to run my application, which is also running as a service, using my subdomain at https://accounting.bosc.co.tz (my domain name is bosc.co.tz).

```
caddy.service - Caddy
   Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-02-01 15:56:47 UTC; 1 day 4h ago
```

a. System environment:

Ubuntu 18.04, hosted VPS

b. Command:

```
caddy restart
caddy reload
systemctl -l status caddy
```

c. Service/unit/compose file:

Paste full file contents here.
Make sure backticks stay on their own lines,
and the post looks nice in the preview pane.

d. My complete Caddyfile or JSON config:

```
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
accounting.bosc.co.tz

# Set this path to your site's directory.
root * /usr/share/caddy

# Enable the static file server.
file_server

# Another common task is to set up a reverse proxy:
reverse_proxy localhost:8080

# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000
```

3. The problem I’m having:

I'm trying to access the site/application at https://accounting.bosc.co.tz and get the error below only on Firefox; on all other browsers it opens without any problem. This problem only started recently. The application has been running for one year now without any issue like this on any browser, but suddenly we experience this only on Firefox:

```
Secure Connection Failed

An error occurred during a connection to accounting.bosc.co.tz. Peer's Certificate has been revoked.

Error code: SEC_ERROR_REVOKED_CERTIFICATE
```

4. Error messages and/or full log output:

Error code: SEC_ERROR_REVOKED_CERTIFICATE

5. What I already tried:

I have tried
caddy restart and
caddy reload to no avail.

I am afraid of deleting the Caddy resource folder, as mentioned in other articles, to force certificate regeneration, as I am not sure whether the system will run again or not. This hosted application is already used by many users and I have never tried it before, so I can't experiment on the production server directly.

6. Links to relevant resources:

You can access the application and reproduce the error on Firefox by visiting
https://accounting.bosc.co.tz

Let’s Encrypt revoked your certificate. The latest version of Caddy handles this automatically, but your version is very old. Upgrade to v2.4.6 or, for even better handling of this, the latest on tip that will go out with v2.5.
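The difference between Firefox and the other browsers in this thread is whether the client checks revocation at all. The following is an added example, not part of this thread or of Caddy: it mints a throwaway CA and leaf certificate for a constructed hostname, revokes the leaf, and then runs OpenSSL's verifier once without and once with revocation checking. It uses a CRL because that can be done entirely offline; Let's Encrypt and Firefox rely on OCSP for the same decision, and the verdict is the same. All file names, the CA name and the hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed, throwaway PKI that shows why a
# revoked certificate is accepted by a client that skips revocation checks and is
# rejected by one that performs them. CRL-based so it runs offline; Let's Encrypt
# and Firefox use OCSP, but the validation outcome is identical.
set -eu

# Mint a demo CA and a leaf certificate for a constructed hostname into directory $1.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=accounting.example.invalid" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
    # Minimal `openssl ca` database; only needed to record the revocation and issue a CRL.
    : > "$dir/index.txt"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 1
EOF
}

# Revoke the leaf and publish a CRL signed by the demo CA.
revoke_leaf() {
    dir="$1"
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
}

# Validate the leaf against the CA. Extra arguments go to `openssl verify`;
# pass -crl_check to make the verifier consult the CRL like Firefox consults OCSP.
# Exit status 0 means this client would accept the certificate.
verify_leaf() {
    dir="$1"; shift
    openssl verify "$@" -CAfile "$dir/ca.pem" -CRLfile "$dir/crl.pem" "$dir/leaf.pem" 2>&1
}

# One-word verdict for the same certificate as seen by a given client policy.
verdict() {
    dir="$1"; shift
    if verify_leaf "$dir" "$@" >/dev/null; then echo "accepted"; else echo "revoked"; fi
}

# Demo run: one certificate, two client policies, two verdicts.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
revoke_leaf "$demo_dir"
echo "client without revocation checking: $(verdict "$demo_dir")"
echo "client with revocation checking:    $(verdict "$demo_dir" -crl_check)"
rm -rf "$demo_dir"
```

Running it prints `accepted` for the first client and `revoked` for the second, which is exactly the split the thread describes: the server kept serving a certificate the CA had revoked, and only the client that asked the CA noticed. The operational fix is on the server side (obtain a fresh certificate, which newer Caddy versions do on their own when they see a revoked status), not on the clients.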

Thanks Matt for the quick response.

I see from the Caddy docs the command for upgrading binaries as
caddy upgrade --keep-backup
but when using this command as root in the root folder, I get a "command not recognized" error:

```
root@bosc:~# caddy upgrade --keep-backup
[ERROR] 'upgrade' is not a recognized subcommand; see 'caddy help'
```

Even "caddy help" will not list upgrade as a possible Caddy command:

```
commands:
  adapt           Adapts a configuration to Caddy's native JSON
  build-info      Prints information about this build
  environ         Prints the environment
  file-server     Spins up a production-ready file server
  fmt             Formats a Caddyfile
  hash-password   Hashes a password and writes base64
  help            Shows help for a Caddy subcommand
  list-modules    Lists the installed Caddy modules
  reload          Changes the config of the running Caddy instance
  reverse-proxy   A quick and production-ready reverse proxy
  run             Starts the Caddy process and blocks indefinitely
  start           Starts the Caddy process in the background and then returns
  stop            Gracefully stops a started Caddy process
  trust           Installs a CA certificate into local trust stores
  untrust         Untrusts a locally-trusted CA certificate
  validate        Tests whether a configuration file is valid
  version         Prints the version
```

I tried to switch folders/paths but I get the same error.
Forgive me, as I am not much into Caddy commands either; maybe I am missing something silly here.

What am I missing here, the path to the binaries, or why isn't the command recognized?

Don’t use caddy upgrade for this (your version is too old to have it anyway); either use xcaddy to build from the latest commit (currently 7557d1d92240d7dc36a6f8137ab542f3908f316c, so xcaddy build 7557d1d92240d7dc36a6f8137ab542f3908f316c) or build from source yourself (or download the build artifact from our CI).

Then just restart Caddy after replacing the binary.

thank you

So with the xcaddy command, do I need to install Go first? Because I don't see it available within my environment of Ubuntu 18.04.5 LTS.

I just need to know the steps, and it would help if you could share links/docs with examples on the way to achieve the upgrade/update.

I don't see the xcaddy command being recognized, but after reading some articles it seems like I first need to install Go on Ubuntu before I might be able to use xcaddy for the upgrade, as you mentioned.

Just bear with me because I am new to Caddy/Linux commands.

Yes, you need Go.

You can download it from here: Download and install - The Go Programming Language, and follow those instructions.

Thanks Francis.

I see the requirements as:

Requirements:

  • Go installed
  • Make sure xcaddy is in your PATH

Now Go is already installed and tested:

```
root@bosc:~# hello
hello, world
```

but the xcaddy command keeps failing as below:

```
root@bosc:/usr/bin# xcaddy build
-bash: xcaddy: command not found
```

So maybe the second requirement is not met: the xcaddy PATH.

Would you help explain now how I put xcaddy in my PATH
and run the command $xcaddy build to update my Caddy binaries?

Did you give executable permission to the xcaddy binary? You can do so with chmod +x

Thanks Francis.
You know, Go has been installed here: /usr/local/go
My understanding is that xcaddy is one of those binaries installed with Go,
so in order to execute xcaddy I need to be in the Go folder, i.e. I need to be here:
/usr/local/go/ and then run
$xcaddy build (in order to update my Caddy binaries)

And this is what I did;
the result is "command not available".

When I list files or anything inside the Go folder using the $ls command, I don't see anything like xcaddy there,
so even giving permission isn't helping, because there is simply nothing like that in there.
My guess is still that we need to see where xcaddy is being installed, that's the PATH. As I have seen in other articles, they say that in order to run/execute xcaddy you must make sure you are in its PATH, otherwise it will not be able to run, and I think this is exactly my problem here.

Can you help with this in connection to the xcaddy PATH: where exactly do you need to be in order to execute the xcaddy command?

It’s not. It’s a separate program you need to download (or build yourself).

xcaddy requires having Go installed, because it’s a tool that automates setting up an environment to make custom builds of Caddy.

Thanks Francis.

I have already installed the package for xcaddy, citing some of the examples from your page, and then I ran the xcaddy command to upgrade the Caddy binaries to v2.4.6. Because what I want is just to replace the Caddy binaries, I don't pass any other parameter, just the version number.
The results:

```
root@bosc:~# xcaddy build v2.4.6
2022/02/07 06:10:05 [INFO] Temporary folder: /tmp/buildenv_2022-02-07-0610.3255778608
2022/02/07 06:10:05 [INFO] Writing main module: /tmp/buildenv_2022-02-07-0610.3255778608/main.go
2022/02/07 06:10:05 [INFO] Initializing Go module
2022/02/07 06:10:05 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod init caddy
go: unknown subcommand "mod"
Run 'go help' for usage.
2022/02/07 06:10:06 [FATAL] exit status 2
```

Where else do you think I am failing here?

What version of Go did you install? You should have Go 1.17. If you set up too old a version, then go mod doesn’t exist.

```
root@bosc:~# go version
go version go1.10.3 linux/amd64
```

So that means I have to update/upgrade Go using the
$go get source command?

No, you’ll need to download it from the Go website. There’s not really a self-upgrade thing built in for Go. If your package manager gave you something that old then downloading it from the website is your only option.

Okay,
let me go for it and I will update.

Hello Francis;

I just updated Go and it went smoothly to version 1.17, as you can see below.
The
$xcaddy build v2.4.6 went smoothly and was successful,

but the results are as below:
caddy version is still reading v2.3.0, which means nothing was upgraded.
And one more thing I have noticed after this is that the site went down and is not accessible at all now.

So forgive me, I decided to paste here as much information as possible regarding my environment and the Caddy environment, so that you can see where to help, because I don't know where I am wrong now.

```
root@bosc:~# go version
go version go1.17 linux/amd64

root@bosc:/etc/caddy# caddy reload
2022/02/08 14:13:57.618 INFO using adjacent Caddyfile

root@bosc:/etc/caddy# caddy version
v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

root@bosc:/etc/caddy# caddy environ
caddy.HomeDir=/root
caddy.AppDataDir=/root/.local/share/caddy
caddy.AppConfigDir=/root/.config/caddy
caddy.ConfigAutosavePath=/root/.config/caddy/autosave.json
caddy.Version=v2.3.0
runtime.GOOS=linux
runtime.GOARCH=amd64
runtime.Compiler=gc
runtime.NumCPU=1
runtime.GOMAXPROCS=1
runtime.Version=go1.15.6
os.Getwd=/etc/caddy
LESSCLOSE=/usr/bin/lesspipe %s %s
OLDPWD=/root
USER=root
GOPATH=/root/work
PWD=/etc/caddy
HOME=/root
SSH_CLIENT=41.75.218.69 53188 22
SSH_TTY=/dev/pts/0
MAIL=/var/mail/root
TERM=xterm
SHELL=/bin/bash
SHLVL=1
LOGNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/usr/local/go/bin:/root/work/bin:/usr/local/go/bin:/root/work/bin
LESSOPEN=| /usr/bin/lesspipe %s
_=/usr/bin/caddy

root@bosc:/etc/caddy# caddy build-info
path: command-line-arguments
main: caddy (devel)
dependencies:
[]

root@bosc:/etc/caddy# caddy validate
2022/02/08 14:20:43.702 INFO using adjacent Caddyfile
2022/02/08 14:20:43.704 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2022/02/08 14:20:43.704 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022/02/08 14:20:43.706 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00023b730"}
2022/02/08 14:20:43.706 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc00023b730"}
Valid configuration

root@bosc:/etc/caddy# caddy list-modules
admin.api.load
admin.api.metrics
caddy.adapters.caddyfile
caddy.listeners.tls
caddy.logging.encoders.console
caddy.logging.encoders.filter
caddy.logging.encoders.filter.delete
caddy.logging.encoders.filter.ip_mask
caddy.logging.encoders.json
caddy.logging.encoders.logfmt
caddy.logging.encoders.single_field
caddy.logging.writers.discard
caddy.logging.writers.file
caddy.logging.writers.net
caddy.logging.writers.stderr
caddy.logging.writers.stdout
caddy.storage.file_system
http
http.authentication.hashes.bcrypt
http.authentication.hashes.scrypt
http.authentication.providers.http_basic
http.encoders.gzip
http.encoders.zstd
http.handlers.acme_server
http.handlers.authentication
http.handlers.encode
http.handlers.error
http.handlers.file_server
http.handlers.headers
http.handlers.map
http.handlers.metrics
http.handlers.push
http.handlers.request_body
http.handlers.reverse_proxy
http.handlers.rewrite
http.handlers.static_response
http.handlers.subroute
http.handlers.templates
http.handlers.vars
http.matchers.expression
http.matchers.file
http.matchers.header
http.matchers.header_regexp
http.matchers.host
http.matchers.method
http.matchers.not
http.matchers.path
http.matchers.path_regexp
http.matchers.protocol
http.matchers.query
http.matchers.remote_ip
http.matchers.vars
http.matchers.vars_regexp
http.reverse_proxy.selection_policies.cookie
http.reverse_proxy.selection_policies.first
http.reverse_proxy.selection_policies.header
http.reverse_proxy.selection_policies.ip_hash
http.reverse_proxy.selection_policies.least_conn
http.reverse_proxy.selection_policies.random
http.reverse_proxy.selection_policies.random_choose
http.reverse_proxy.selection_policies.round_robin
http.reverse_proxy.selection_policies.uri_hash
http.reverse_proxy.transport.fastcgi
http.reverse_proxy.transport.http
pki
tls
tls.certificates.automate
tls.certificates.load_files
tls.certificates.load_folders
tls.certificates.load_pem
tls.handshake_match.sni
tls.issuance.acme
tls.issuance.internal
tls.issuance.zerossl
tls.stek.distributed
tls.stek.standard
```

After you build the binary, you need to move it to replace the existing one. It doesn’t directly install the new version. It outputs the new binary right where you ran the command, as a file named caddy. Don’t forget to restart your systemd service afterwards.

Please use code blocks when posting logs. It’s very difficult to read when not using a monospaced font and such.

Those commands you ran such as environ and validate won’t tell you much because you ran them as a different user than Caddy would run as a systemd service – it runs as the user named caddy when running as a service.

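The replace-the-binary step above is where this upgrade went wrong: xcaddy wrote a new `caddy` file into the current directory and the old one in /usr/bin kept running. The script below is an added example, not Caddy's or xcaddy's own tooling, that performs the step deliberately: build into a scratch directory, keep a timestamped backup of the old binary, swap the new one in, restart the service and confirm that the running version matches. It assumes the binary lives at /usr/bin/caddy (the `_=/usr/bin/caddy` line in the environ dump above) and that the systemd unit is named caddy; both can be overridden with the CADDY_BIN and RESTART_CMD variables.

```shell
#!/bin/sh
# Added example, not from the Caddy project: install a freshly built Caddy binary over
# the running one, with a backup and a version check, then restart the service.
set -eu

# Assumptions (labelled): binary path and restart command as used in this thread.
CADDY_BIN="${CADDY_BIN:-/usr/bin/caddy}"
RESTART_CMD="${RESTART_CMD:-systemctl restart caddy}"

# Print the version token that `<binary> version` reports (e.g. v2.4.6); empty on failure.
caddy_version_of() {
    "$1" version 2>/dev/null | awk 'NR==1 {print $1}'
}

# Install $1 over $2: refuse unless the new file reports a version, back up the old
# file beside it, then move the new one into place atomically and make it executable.
install_caddy_binary() {
    new="$1"; dest="$2"
    newver=$(caddy_version_of "$new")
    [ -n "$newver" ] || { echo "refusing: $new does not report a version" >&2; return 1; }
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$new" "$dest.tmp" && chmod 755 "$dest.tmp" && mv "$dest.tmp" "$dest"
    echo "installed $newver at $dest"
}

# Full upgrade: build the requested tag with xcaddy in a scratch directory (xcaddy
# writes the result as ./caddy), install it, restart, and confirm the running version.
upgrade_caddy() {
    want="$1"                       # e.g. v2.4.6
    work=$(mktemp -d)
    ( cd "$work" && xcaddy build "$want" )
    install_caddy_binary "$work/caddy" "$CADDY_BIN"
    $RESTART_CMD                    # unquoted on purpose: the command has arguments
    got=$(caddy_version_of "$CADDY_BIN")
    [ "$got" = "$want" ] || { echo "version mismatch: running $got, wanted $want" >&2; return 1; }
    echo "caddy is now $got"
}

# Usage: sh upgrade-caddy.sh v2.4.6
if [ -n "${1:-}" ]; then
    upgrade_caddy "$1"
fi
```

Run it as root (or with write access to the binary and permission to restart the unit). If the final check fails, the backup written next to the binary lets you roll back with a single copy, which addresses the worry earlier in the thread about experimenting on a production server.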
