SEC_ERROR_REVOKED_CERTIFICATE in Firefox

Niwla23 · June 11, 2021, 10:14pm

1. Caddy version (`caddy version`):

v2.3.0

2. How I run Caddy:

Downloaded binary and running via systemctl

a. System environment:

AlmaLinux 8

b. Command:

not applicable

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/
After=network.target

[Service]
User=root
WorkingDirectory=/home/alwin/apps/caddy
ExecStart=/home/alwin/apps/caddy/caddy run
Restart=on-failure

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
  email alwin@cloudserver.click
}

giskil.cloudserver.click {
  header Permissions-Policy "interest-cohort=()"
  reverse_proxy 127.0.0.1:8245
}

There are many server blocks, all for different subdomains but with the same config, just different ports and subdomains.

3. The problem I’m having:

When using Firefox, I am getting SEC_ERROR_REVOKED_CERTIFICATE

4. Error messages and/or full log output:

No related errors or warnings.

5. What I already tried:

restarting caddy, rebooting the system, adding my email to the caddyfile.

6. Links to relevant resources:

https://giskil.cloudserver.click (open in firefox)

Niwla23 · June 11, 2021, 10:25pm

so i just created a new server block for a new subdomain and on that it works. So I guess I just need to renew all certs. How can I do that?

francislavoie · June 11, 2021, 11:05pm

Unfortunately this was an issue with ZeroSSL certificates.

The quick fix is to delete the directory for your domain that’s stuck from Caddy’s data storage, then restart Caddy. This’ll force it to fetch a new certificate.

Since you’re running Caddy as root, I think it’ll be in /root/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/your-domain

balloon · June 12, 2021, 3:30am

Oh, it was just right. I was investigating it.

After updating ZeroSSL with Caddy, your Firefox may still be returning an error.
The old certificate is maintained somewhere. You can work around this with Firefox settings:

≡ - Settings Left sidebar Privacy & Security
Scroll down “Certificates”
Query OCSP responder servers to confirm the current validity of certificates to Uncheck

Of course, you can also use Chrome or Edge as a workaround.

balloon · June 12, 2021, 5:19am

I have confirmed that Caddy, which has the same problem, can reissue the certificate by this work.

If you have a lot of domain management, a patch module is already provided. (see GitHub issue)
You can also wait for Caddy’s update if you’re not in a hurry.

system · July 11, 2021, 10:15pm

This topic was automatically closed after 30 days. New replies are no longer allowed.