SEC_ERROR_REVOKED_CERTIFICATE in Firefox

1. Caddy version (caddy version):

v2.3.0

2. How I run Caddy:

Downloaded binary and running via systemctl

a. System environment:

AlmaLinux 8

b. Command:

not applicable

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/
After=network.target

[Service]
User=root
WorkingDirectory=/home/alwin/apps/caddy
ExecStart=/home/alwin/apps/caddy/caddy run
Restart=on-failure

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
  email alwin@cloudserver.click
}

giskil.cloudserver.click {
  header Permissions-Policy "interest-cohort=()"
  reverse_proxy 127.0.0.1:8245
}

There are many server blocks, all for different subdomains but with the same config, just different ports and subdomains.

3. The problem I’m having:

When using Firefox, I am getting SEC_ERROR_REVOKED_CERTIFICATE.

4. Error messages and/or full log output:

No related errors or warnings.

5. What I already tried:

Restarting Caddy, rebooting the system, adding my email to the Caddyfile.

6. Links to relevant resources:

https://giskil.cloudserver.click (open in Firefox)

So I just created a new server block for a new subdomain, and on that it works. So I guess I just need to renew all certs. How can I do that?

Unfortunately this was an issue with ZeroSSL certificates.

The quick fix is to delete the directory for your domain that’s stuck from Caddy’s data storage, then restart Caddy. This’ll force it to fetch a new certificate.

Since you’re running Caddy as root, I think it’ll be in /root/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/your-domain

2 Likes
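The reply above says to remove the stuck domain's directory from Caddy's storage and restart; with many server blocks the same step can be scripted. This is an added example, not part of the original thread or Caddy's own tooling: it moves directories to a backup instead of deleting them, assumes the storage path quoted in the reply, and `BACKUP_ROOT` and the function names are hypothetical.

```shell
# Added example: move stuck ZeroSSL certificate directories out of Caddy's
# storage so Caddy obtains fresh certificates on the next start.
# Assumed path for a root-run Caddy, as quoted in the reply above.
CERT_ROOT="${CERT_ROOT:-/root/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90}"
BACKUP_ROOT="${BACKUP_ROOT:-/root/caddy-cert-backup}"   # hypothetical backup location

# Print every domain that has a certificate directory under the ZeroSSL issuer.
list_zerossl_domains() {
  local d
  for d in "$CERT_ROOT"/*/; do
    [ -d "$d" ] && basename "$d"
  done
  return 0
}

# Move one domain's directory aside. Returns 0 on success, 1 if the name is
# unsafe, 2 if no such directory exists.
quarantine_domain() {
  local domain stamp
  domain="$1"
  # Accept only hostname-style names so a bad argument cannot escape CERT_ROOT.
  case "$domain" in
    ""|.*|*..*|*/*|*[!A-Za-z0-9_.-]*)
      echo "refusing unsafe name: $domain" >&2; return 1 ;;
  esac
  [ -d "$CERT_ROOT/$domain" ] || { echo "no stored cert for $domain" >&2; return 2; }
  stamp="$(date +%Y%m%dT%H%M%S)"
  # The moved directories contain private keys, so keep the backup private.
  mkdir -p "$BACKUP_ROOT/$stamp" && chmod 700 "$BACKUP_ROOT"
  mv -- "$CERT_ROOT/$domain" "$BACKUP_ROOT/$stamp/$domain"
}

# Quarantine every ZeroSSL-issued domain; prints how many were moved.
quarantine_all() {
  local n domain
  n=0
  for domain in $(list_zerossl_domains); do
    quarantine_domain "$domain" && n=$((n + 1))
  done
  echo "$n"
}

# Typical use, run as root:
#   quarantine_all && systemctl restart caddy
```

Once the new certificates are confirmed working, remove the backup directory, since it still holds the old private keys.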

Oh, it was just right. I was investigating it. :ramen:

After updating ZeroSSL with Caddy, your Firefox may still be returning an error.
The old certificate is maintained somewhere. You can work around this with Firefox settings:

≡ → Settings → left sidebar: :lock: Privacy & Security
Scroll down to “Certificates”
Uncheck :ballot_box_with_check: “Query OCSP responder servers to confirm the current validity of certificates”

Of course, you can also use Chrome or Edge as a workaround.

2 Likes

I have confirmed that a Caddy instance with the same problem can reissue the certificate with this procedure.

If you manage a lot of domains, a patch module is already provided (see the GitHub issue).
You can also wait for Caddy’s update if you’re not in a hurry.
