sfw/fix
ERR_CERT_REVOKED critical

NET::ERR_CERT_REVOKED

The issuing CA revoked this certificate before its expiry date, so the browser refuses the connection and offers no bypass.

What you see

Your connection is not private
Attackers might be trying to steal your information from example.com.
NET::ERR_CERT_REVOKED

What’s actually happening

Chrome blocks the site hard — on a revoked cert there's no 'proceed anyway' link the way there is for an expired or self-signed one. The CA marked this certificate as no-longer-valid through a CRL or OCSP, typically after a key compromise, a mis-issuance, or the cert owner asking for it. The cert may still be inside its validity dates, which confuses people who check the expiry and see it's 'fine'.

Common causes

  • Private key compromise — the key leaked (committed to a repo, stolen from a server) and the cert was revoked to kill it
  • The CA mis-issued the cert (wrong domain validation, baseline-requirements violation) and pulled it during a compliance sweep
  • The owner requested revocation after decommissioning a service or rotating to a new cert
  • Domain ownership changed and the previous holder's cert was revoked
  • Chrome's pushed CRLSet now lists the issuing intermediate, nuking every cert under it at once

How to fix it

  1. Verify the revocation, don't assumePull the cert and check OCSP: openssl s_client -connect host:443 2>/dev/null </dev/null | openssl x509 -out /tmp/c.pem, then openssl ocsp -issuer chain.pem -cert /tmp/c.pem -url <ocsp_uri> -text. A 'Cert Status: revoked' with a revocation time and reason confirms it. Note the reason code — keyCompromise changes how you respond.
  2. If a key was compromised, rotate the key — not just the certGenerate a brand-new private key and CSR. Reusing the old key on a new cert defeats the entire point of the revocation. openssl req -new -newkey rsa:2048 -nodes -keyout new.key -out new.csr.
  3. Reissue from the CA and installRequest a replacement against the new CSR. On Let's Encrypt, certbot renew --force-renewal (after fixing the key) or a fresh certonly. Deploy the new cert + chain and reload the server.
  4. Purge the old cert everywhere it's cachedReplace it on every origin, load balancer, and CDN edge. A stale revoked cert on one backend behind a LB will keep tripping the error for a slice of users while the others load fine.
  5. Find how the key leaked before you move onIf revocation was due to compromise, audit how: exposed .key in a web root, a key in git history, a breached host. Rotating the cert without closing the hole means you'll be back here.

Stop it recurring

Keep private keys out of version control and off world-readable paths, and scope key access tightly so a single leak doesn't force an emergency revocation.

Related errors

SEC_ERROR_OCSP_OLD_RESPONSE in Firefox

high

Firefox rejected a stapled OCSP response whose update window has already passed, so the cert's revocation status reads as stale.

MOZILLA_PKIX_ERROR_MITM_DETECTED in Firefox

high

Firefox saw a certificate signed by a root it doesn't trust and flagged the connection as intercepted by software or a proxy.

SSL Certificate Expired

critical

An expired SSL certificate triggers a full-page "Your connection is not private" warning that blocks every visitor.

Mixed Content Warning

medium

Mixed content is an HTTPS page loading some resources over insecure HTTP — it breaks the padlock and blocks assets.