Revoked SSL certificate due to older cert overriding

Answer these questions to help the Community help you with Security questions.

What is the domain name?
developer.bill.com

Have you searched for an answer?
Yes

Please share your search results url:
https://community.cloudflare.com/search?q=NET%3A%3AERR_CERT_REVOKED

When you tested your domain using the https://www.cloudflare.com/diagnostic-center/, what were the results?
The diagnostic center is not available at this URL

Describe the issue you are having:
developer.bill.com has been offline for over a week now with a NET::ERR_CERT_REVOKED error. The website is published with a vendor, readme.io, who is providing an SSL certificate for the website with CF.

From all the investigation so far, we have learned that an older revoked CF certificate is overriding the new CF certificate that the readme.io team is providing. We want help with clearing this older revoked certificate for the new CF certificate to be applied.

What error message or number are you receiving?
NET::ERR_CERT_REVOKED

What steps have you taken to resolve the issue?

  1. Our SRE team investigated the issue to find that since the website is hosted with a vendor, readme.io, the vendor must provide a valid SSL certificate.
  2. The readme.io support team investigated the issue to find that an older revoked CF certificate is overriding the new CF certificate that the readme.io team is providing.
  3. The CF community forum does have a post specific to this problem.

Was the site working with SSL prior to adding it to Cloudflare?
Yes

What are the steps to reproduce the error:

  1. Navigate to developer.bill.com to view the error.

Have you tried from another browser and/or incognito mode?
Yes. Errors in all browsers and in incognito mode.

Please attach a screenshot of the error:

So this isn’t a Cloudflare problem per se.

If you click on the “Not Secure” in the top left and click View Certificate you’ll see that it’s actually an expired GoDaddy certificate that’s being served. I’m guessing that if readme.io were to go into the DNS panel on the Cloudflare dashboard they’d find that the DNS record for developer.bill.com is Unproxied (grey cloud).

If you contact the readme.io team and ask them to ensure the domain is Proxied (orange cloud) and the origin has a valid Origin Certificate or other valid certificate then things should start working.

Finally, the SSL mode on the zone (bill.com) looks like it’s set to Off, which means that Cloudflare won’t automatically provision SSL certificates for the domain. I’d recommend you turn this on.

Note that if they use an Origin Certificate, your DNS record MUST be proxied otherwise you’ll get an error similar to this.

Thanks for these insights. This will be helpful in our follow-up with readme.io.

When I click view certificate, I see that the GoDaddy certificate is valid (screenshot attached).

The validity dates don’t change when a certificate is revoked (the certificate is essentially immutable). But the browser is showing the certificate is not trusted. This is probably following an OCSP check. The cert was revoked.

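Added example, not from the thread or from Cloudflare: a shell script that does with openssl what the two replies above describe by hand. It prints the certificate the edge actually serves for the name (subject, issuer, validity dates and SANs, none of which change on revocation) and then asks the issuer's OCSP responder, which is where the "revoked" verdict comes from. It assumes openssl 1.1.1 or newer on the PATH and takes the hostname as its only argument.

```shell
#!/bin/sh
# Added example: diagnose a NET::ERR_CERT_REVOKED report with openssl.
# Dates and SANs are baked into the certificate; only the issuer's OCSP
# responder knows that it has since been revoked.
set -eu

# Print the chain the server presents for HOST. SNI (-servername) matters:
# a shared edge serves different certificates for different hostnames.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERT/{p=1} p{print} /-----END CERT/{p=0}'
}

# Split a PEM bundle on stdin into files PREFIX.0 (leaf), PREFIX.1 (issuer), ...
split_chain() {
  awk -v pfx="$1" '/-----BEGIN CERT/{n++} {print > (pfx "." (n-1))}'
}

# Reduce "openssl ocsp" output on stdin to one word: good, revoked or unknown.
ocsp_status() {
  awk '/: revoked/ {print "revoked"; f=1; exit}
       /: good/    {print "good";    f=1; exit}
       END { if (!f) print "unknown" }'
}

# Full check for one hostname: what is served, then what the responder says.
check_host() {
  host=$1; dir=$(mktemp -d)
  fetch_chain "$host" | split_chain "$dir/cert"
  leaf=$dir/cert.0; issuer=$dir/cert.1
  echo "== certificate served for $host"
  openssl x509 -in "$leaf" -noout -subject -issuer -dates -ext subjectAltName
  uri=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
  echo "== OCSP responder $uri says:"
  openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" -no_nonce 2>/dev/null |
    ocsp_status
  rm -rf "$dir"
}

# Usage: sh check_revoked.sh developer.bill.com
if [ $# -gt 0 ]; then check_host "$1"; fi
```

If the served certificate's SANs do not include the hostname at all, or the responder says "revoked" while the dates still look fine, the fix is on the DNS/origin side (proxy status and origin certificate) as the replies above describe, not in the browser.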

Got it thanks. I now understand the difference. Following up at our end with this information.

More observations and questions. In the GoDaddy certificate, all the websites listed as alternate names are available as I write this. There is a secure connection to all of the listed websites without any ERR_CERT_REVOKED errors. Specifically, developer.bill.com has a revoked certificate.

I learned from readme.io that an older Cloudflare certificate may have had developer.bill.com listed and when readme.io set up a certificate for the website, it is likely being overwritten by the older certificate. Can Cloudflare assist with clearing this older certificate?


This issue is now resolved and can be closed
