Sometime this Sunday, a client of mine notified me that one of their WordPress websites I had developed and deployed in AWS Lightsail, a few months back, was giving a certificate invalid error and wasn’t accessible.
At first, I thought that it was because, for whatever reason, the automatic renewal would have failed.
On seeing the error NET ERR_CERT_REVOKED though, I realized that’s not the case.
This error wasn’t something I usually come across. I tried to check online if someone else has also faced something similar but found nothing. No fixes on YouTube either. Some more looking around and I finally came across this bit of news.
“On 26 January 2022, Let’s Encrypt notified subscribers (with a valid contact email) that on 28 January 2022 we we will revoke certificates issued in the last 90 days and validated with the TLS-ALPN-01 challenge. This revocation only affects certificates issued and validated with the TLS-ALPN-01 challenge. Not all clients are capable of using this challenge type. Certbot does not support this challenge type, so unless you received an e-mail about this Certbot users should be unaffected.”
Surprisingly, I did not receive any email from LetsEncrypt as mentioned above!
If you are also someone one of whose website’s Letsencrypt SSL certificate has been, this post is for you.
How To Solve NET ERR_CERT_REVOKED certificate revoked error for LetsEncrypt SSL Certificate?
The first step is, to enable dummy certificates.
In order to do that, I had to edit the following 2 files:
*Depending upon your app, the ‘wordpress’ can be different
In both these files, I had to change the SSLCertificateFile and SSLCertificateKeyFile to the following:
- SSLCertificateFile “/opt/bitnami/apache2/conf/bitnami/certs/server.crt”
- SSLCertificateKeyFile “/opt/bitnami/apache2/conf/bitnami/certs/server.key”
I did the above by editing the above-mentioned files in vim. You can use any other text editor if you want to.
After saving the changes and exiting VIM, I restart the webserver just to make sure the webserver restarts correctly and there are no errors.
sudo /opt/bitnami/ctlscript.sh restart apache
Once the server was configured with the new changes, it was time to revoke the certificates with LEGO.
I did that using the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --tls --firstname.lastname@example.org --domains=mydomain.com revoke
At this point, all I was trying to do was revoke my certificate, which according to the error message I was getting, was already revoked. But I was trying to revoke the SSL Certificate manually because I was getting errors when I proceeded to reinstall the certificates.
I thought, being doubly sure never hurt anybody.
Thankfully, it helped here too.
From here, I proceeded to re-run the bncert-tool using the command below:
The only thing I did differently this time around, was when prompted for the domain, I entered ‘www.mywebsite.com’ instead of ‘mywebsite.com’, to make sure this domain too, gets added to the certificates.
From there on, I chose the following options for the subsequent options:
- Redirect from non-www version to www version : Yes
- Redirect from www version to non-www version : No
- Enter the same email id as originally used when generating the original SSL certificate (which was revoked)
Agree with everything that followed.
And finally, restart the webserver.
It worked and the website was now loading fine, with a valid SSL certificate.