How to Fix the NET::ERR_CERT_REVOKED Error (Server & Client Side)

intermediate | 🔒 SSL/TLS | 2026-04-26 | Web Browsers (Chrome, Edge, Brave), Windows, macOS, Linux, Nginx, Apache

Error Message

NET::ERR_CERT_REVOKED
#ssl#tls#security#devops#chrome#nginx

What is the NET::ERR_CERT_REVOKED Error?

Most SSL/TLS errors trace back to an expired certificate. NET::ERR_CERT_REVOKED is different and more serious: the Certificate Authority (CA) that issued the certificate has cancelled it before its scheduled expiry date. Think of a credit card reported stolen; the bank (the CA) tells merchants (browsers) to stop accepting it even though the printed expiry date is still in the future.

Chrome and Edge treat revocation as a fatal error rather than a warning: the interstitial offers no "proceed anyway" link. A revoked certificate means the CA no longer vouches for the site's identity, and a connection protected by it could be read or altered by whoever holds the compromised key.

Why Certificates Get Revoked

  • Private Key Compromise: The classic reason. If a private key is pushed to a public GitHub repository, copied off a breached server, or otherwise exposed, the owner must revoke the certificate immediately and issue a new one with a fresh key. Reissuing with the same key leaves the attacker able to impersonate the site.
  • Domain Ownership Changes: If a domain changes hands, the CA can revoke the previous owner's certificate so they cannot keep terminating TLS for a domain they no longer control.
  • Inaccurate Issuance: CAs also revoke when they discover a certificate was issued to the wrong party or in violation of industry rules (the CA/Browser Forum Baseline Requirements). In March 2020, for example, a bug in Let's Encrypt's CAA rechecking code forced it to revoke a large share of roughly three million affected certificates.
  • Stale or Broken Revocation Data on the Client: A browser that cannot reach the CA's Online Certificate Status Protocol (OCSP) responder or CRL normally "soft-fails" and treats the status as unknown, so a network outage alone rarely produces this error. What does produce it on an otherwise healthy site is local state: a cached OCSP response or CRL that is out of date, a badly wrong system clock, or a TLS-intercepting proxy or antivirus product presenting a certificate the browser has blocklisted. Chrome itself relies mainly on a pushed list of revoked certificates (its CRLSet) rather than live OCSP queries for every site.

Solutions for Website Owners and Admins

If your site is showing this error, your visitors are seeing a massive security warning. Client-side hacks won't fix this for them. You need to replace the certificate at the source.

1. Force a Certificate Renewal

The fastest fix is to obtain a brand-new certificate. With Let's Encrypt, don't wait for the scheduled renewal; force one now with Certbot. Certbot generates a new private key on renewal unless the lineage was configured with reuse_key, so if the revocation was for key compromise, check the lineage's file under /etc/letsencrypt/renewal/ and make sure the old key is not reused:

sudo certbot renew --force-renewal

For commercial CAs such as DigiCert or Namecheap, use the "Reissue" function in their dashboard. Reissuance requires a new Certificate Signing Request (CSR); generate it from a new key, never from the one that was compromised.

# Create a fresh 2048-bit RSA key (unencrypted, -nodes) and a CSR signed with it.
# Answer the prompts with your domain as the Common Name; keep yourdomain.key private.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout yourdomain.key -out yourdomain.csr

2. Update Your Server Config

After receiving your new files, point your web server at the new certificate chain and key. Forgetting to update the paths, or reloading before the files on disk have actually changed, is a common mistake that leaves the old, revoked certificate being served.

Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;
    # Both paths must point at the reissued files, not the revoked ones.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

Check the configuration for syntax errors first, then reload so the new files are picked up without dropping existing connections:

sudo nginx -t && sudo systemctl reload nginx

Solutions for Users and Developers

If you see this error on a major site such as Google or Amazon, the problem is almost certainly local: those sites do not serve a revoked certificate for long. Before anything else, click the padlock (or error) icon and look at who issued the certificate. If the issuer is your antivirus product, a corporate proxy or a captive portal rather than a public CA, something on your network path is intercepting TLS, and the steps below will not help until that is dealt with. Otherwise, work through these steps to clear local state.

1. Fix Your System Clock

Certificate validation compares the certificate's validity period, and the signed timestamps in OCSP responses and CRLs, against your system clock. A clock that is years off fails these checks outright; even a skew of a few minutes can make a just-issued certificate or a fresh OCSP response look like it comes from the future and be rejected. Fix the clock before trying anything else.

  • Windows: Right-click the taskbar clock > Adjust date/time > Sync now.
  • macOS: System Settings > General > Date & Time > Toggle "Set time and date automatically."

2. Clear the SSL Cache

Windows (Schannel and CryptoAPI) caches both TLS session state and downloaded CRL and OCSP responses. If a CA's OCSP responder briefly returned a wrong answer, or a response was cached while the site was mid-replacement, that cached status can outlive the problem. Clear SSL State empties Schannel's client certificate and session cache; the revocation data lives in a separate CryptoAPI URL cache, which certutil -urlcache * delete clears from an elevated prompt. Either way, the browser then performs a fresh check.

  • Search for Internet Options in the Start menu.
  • Select the Content tab.
  • Click Clear SSL State.
  • Restart Chrome or Edge and try the site again.

3. Reset Your Network Configuration

A stale DNS cache or a broken Winsock catalog (often left behind by uninstalled VPN or antivirus software) can keep your machine from reaching the CA's Certificate Revocation List (CRL) and OCSP endpoints, or send it to the wrong address. Flushing DNS and resetting the network stack clears that state.

# Windows (Run Command Prompt as Admin; reboot after the winsock reset)
ipconfig /flushdns
netsh winsock reset

# macOS (flush the directory-service cache and the mDNS resolver cache)
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

How to Verify the Fix

Don't just refresh the page. Browsers cache TLS sessions and error state aggressively, so a reload can show you yesterday's result. Use a terminal or a third-party scanner to see what the server is actually sending right now.

Check via OpenSSL

Run this command to see the certificate the server actually hands out (the SNI name must match, or a multi-site server may return a different certificate):

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Look for Verify return code: 0 (ok). That confirms the chain is valid and trusted; it does not confirm revocation status, because s_client performs no OCSP or CRL lookup by default, so a revoked certificate can still score 0 here. Add -status to the same command to request a stapled OCSP response and look for Cert Status: good; if nothing is stapled, query the responder yourself with openssl ocsp using the URL from the certificate's Authority Information Access extension. Also compare the served certificate's serial number or SHA-256 fingerprint with the file you installed, so you know the new certificate, and not the old one, is what clients receive.
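To make that distinction concrete, here is an added example (not code from the original article): a self-contained shell script that builds a throwaway CA, issues a leaf certificate, revokes it, and runs openssl verify both with and without the CRL. Every name and path in it (Demo Root CA, example.test, ca.cnf, the temporary working directory) is invented for the demonstration; it needs only the openssl command-line tool and no network access.

```shell
#!/bin/sh
# Added example, not from the original article. Offline demonstration of how
# revocation checking differs from plain chain validation: a throwaway CA
# issues and then revokes a leaf certificate, and "openssl verify" keeps
# saying OK until it is handed the CRL and told to check it.
# Requires only the openssl CLI. All names and paths below are invented.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal "openssl ca" configuration: just enough state to record
# revocations and sign a CRL. Nothing here is suitable for a real CA.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
EOF
: > index.txt

# Throwaway root CA (self-signed, valid for one week).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# Leaf key and CSR (same shape as the CSR command in the article), then
# sign the CSR with the demo CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 7 -sha256 -out leaf.crt 2>/dev/null
chmod 600 ca.key leaf.key   # private keys are owner-only, as the article recommends

# Plain chain validation, the check "openssl s_client" performs by default.
# Prints "ok" or "failed"; it never consults revocation data.
verify_without_crl() {
  if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; then
    echo ok
  else
    echo failed
  fi
}

# Same chain, but with the CA's CRL loaded and revocation checking enabled.
# Prints "ok", "revoked", or the raw openssl error for anything else.
verify_with_crl() {
  out="$(openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check leaf.crt 2>&1 || true)"
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo ok ;;
    *)                       echo "error: $out" ;;
  esac
}

# 1. Freshly issued: publish an (empty) CRL; both checks pass.
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
echo "issued  | no CRL: $(verify_without_crl) | CRL checked: $(verify_with_crl)"

# 2. The key leaks: revoke the leaf and publish a new CRL that lists it.
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
echo "revoked | no CRL: $(verify_without_crl) | CRL checked: $(verify_with_crl)"

# Revocation is keyed on the serial number; this is the value to match
# against a CRL entry (openssl crl -in crl.pem -noout -text) or an OCSP response.
echo "leaf serial: $(openssl x509 -in leaf.crt -noout -serial)"
```

Running it prints two summary lines: after issuance both checks report ok; after revocation the plain check still reports ok while the CRL-aware check reports revoked. That is exactly why Verify return code: 0 (ok) from s_client proves the chain, not the status. The live equivalent for a real host is the s_client command above with -status added, reading the Cert Status line of the stapled response.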

Use SSL Labs

The Qualys SSL Labs tool is the industry standard. Plug in your URL and wait for the scan. Check the "Revocation status" line; it should explicitly state "Good (not revoked)."

Proactive Prevention Tips

  • Enable OCSP Stapling: The server fetches the signed OCSP response from the CA, caches it and sends it inside the TLS handshake, so clients never have to contact the CA themselves. In nginx that is ssl_stapling on together with ssl_stapling_verify on, ssl_trusted_certificate pointing at the chain, and a resolver directive so nginx can look up the responder. Two caveats: a stapled response only relays the status the CA asserts, so it cannot make a revoked certificate valid; and stapling applies only to certificates that carry an OCSP URL. Let's Encrypt announced in late 2024 that it is phasing out OCSP in favour of CRLs, so check whether your certificates still include one.
  • Lock Down Permissions: Set the private key to chmod 600, owned by root. Nginx and Apache read the key as root during startup and reload, so neither the unprivileged worker processes nor any other account needs access to it.
  • Use Monitoring: Services like UptimeRobot check certificate health and alert you when a certificate is nearing expiry or fails validation, usually before users report it. Pair that with the notification email address registered at your CA, which is how bulk revocations like the 2020 Let's Encrypt incident were announced to affected sites.
