ERR_CERT_REVOKED critical
NET::ERR_CERT_REVOKED (certificate revoked by the CA)
The CA has actively revoked this certificate via OCSP/CRL, so Chrome blocks it and no bypass will load the page.
What you see
Your connection is not private
NET::ERR_CERT_REVOKED
Attackers might be trying to steal your information from example.com
What’s actually happening
Hard block. Unlike most cert interstitials there's often no "Proceed anyway" link, and `thisisunsafe` won't get you through — Chrome refuses revoked certs by design. Affects every visitor whose Chrome has the revocation data (via CRLSets or a live OCSP response). A reissued cert is the only real fix; nothing client-side helps.
Common causes
- The private key was compromised (or believed to be — e.g. leaked in a repo, a Heartbleed-class bug, a stolen server image) and the cert was revoked in response.
- The CA mis-issued the cert (wrong domain validation, a CAA violation, an audit finding) and pulled it.
- A mass CA revocation event swept the cert up — there have been incidents where CAs had to revoke thousands of certs within 24h for compliance reasons.
- The domain owner or admin requested revocation, often after key rotation, and forgot the live server still serves the old cert.
- Duplicate/superseded cert revoked during a reissue where the old one stayed deployed.
How to fix it
- Confirm it's genuinely revoked, not cached. Pull the cert's serial: `echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -serial`. Then check the CA's OCSP responder with `openssl ocsp` (URL is in the cert's Authority Information Access). A "revoked" status confirms it. This rules out a transient OCSP outage being misread.
- Reissue a brand-new certificate. Revocation is permanent for that cert — you can't un-revoke it. Generate a NEW key pair and CSR (do not reuse the old key, especially if compromise is suspected) and request a fresh cert from the CA. `certbot renew --force-renewal` works if your account is in good standing.
- Treat a compromised key as an incident. If the key leaked: rotate it, deploy the new cert, then hunt down how it leaked — scrub it from git history (BFG / `git filter-repo`), rotate anything that shared the host, and audit access logs. Reissuing onto the same exposed key just gets you revoked again.
- Deploy and verify the replacement everywhere. Install the new cert on every origin, LB, and CDN edge. Re-check the serial with openssl against the public hostname to confirm the old revoked serial is gone. Clear `chrome://net-internals` cached state on your test machine if you still see the old one.
- If the CA revoked in error, open a ticket. Contact the CA with the serial and domain. Mis-revocations during compliance sweeps do happen; the CA can expedite a free reissue, but they will not reinstate the revoked serial.
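The first step's check, as an added example that is not from the original page: it classifies `openssl ocsp` output so that a responder outage or an unverifiable response is not reported as a revocation. The function names and the sample outputs are constructed for illustration.

```shell
# Added example, not from the original page. classify_ocsp and check_revocation
# are hypothetical helper names; the SAMPLE_* texts are constructed.

# Reads `openssl ocsp` output (stdout+stderr) on stdin and prints one of:
#   good | revoked [reason] | unknown | unverified | unavailable
classify_ocsp() {
  awk '
    /Response Verify Failure/                        { bad = 1 }
    /Responder Error|Error querying OCSP responder/  { err = 1 }
    /(^|: )(good|revoked|unknown)$/                  { status = $NF }
    /Reason:/                                        { reason = $NF }
    END {
      if (err || status == "")  print "unavailable"  # outage, not a revocation
      else if (bad)             print "unverified"   # signature check failed
      else if (status == "revoked" && reason != "") print status, reason
      else                      print status
    }'
}

# $1 = leaf certificate (PEM), $2 = issuing CA certificate (PEM).
check_revocation() {
  ocsp_url=$(openssl x509 -in "$1" -noout -ocsp_uri)
  if [ -z "$ocsp_url" ]; then echo "unavailable"; return 0; fi
  openssl ocsp -issuer "$2" -cert "$1" -url "$ocsp_url" 2>&1 | classify_ocsp
}

# Constructed sample outputs, so the classifier can be tried offline.
SAMPLE_REVOKED='Response verify OK
leaf.pem: revoked
    This Update: Jan  1 00:00:00 2024 GMT
    Reason: keyCompromise
    Revocation Time: Jan  1 00:00:00 2024 GMT'

SAMPLE_OUTAGE='Error querying OCSP responder'

printf '%s\n' "$SAMPLE_REVOKED" | classify_ocsp
printf '%s\n' "$SAMPLE_OUTAGE"  | classify_ocsp
```

Run `check_revocation leaf.pem issuer.pem` against the served certificate and its issuing CA certificate; only a `revoked` result calls for the reissue steps, while `unavailable` or `unverified` means the check should be repeated.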
Stop it recurring
Keep private keys out of version control and disk images, and rotate immediately on any suspicion rather than waiting for the CA to force it.