Breaking! The domain CA SSL.com has issued a notice titled "Important: Revocation Notice Affecting Your ACME TLS Certificate(s)", which in turn affects the status of domain certificates issued in recent days.

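In the early hours of the morning I suddenly found that my site's domain certificate was returning the error code ERROR_INTERNET_SEC_CERT_REVOKED. At first I thought that issuing certificates too many times (3 times) in a single day had triggered risk control and gotten them revoked, or that issuing the new certificate had caused my about-to-expire certificate to be revoked.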

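What puzzled me was that another domain, whose certificate was likewise requested on the 1st and which likewise had not yet been switched to the renewed certificate, had no problem. Seeing this, I couldn't help wondering: could it be a difference in the domain suffix?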

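To check my suspicion, I went to the crt website to look at the domain's logs. When I pulled up the log entry for the soon-to-expire certificate, I was startled to see that both the CRL and OCSP statuses had changed to the revoked state Revoked (superseded). Because of the "superseded" at the end in particular, I assumed it was due to having requested a new certificate.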

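Finally, after going through the issuance logs several times, I found that the SSL certificates for all three domains I had requested on the 1st were in a revoked state. At that moment I couldn't help muttering to myself: had I hit some threshold and had them revoked in bulk? Still puzzled, I opened my mailbox to see if there were any clues, and found the following emails: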

At 3:17 a.m. on March 31, 2026, I received an email with the subject "Important update regarding SSL’s root migration", with the following content:

Service Announcement
Important Update: Root Migration

SSL is migrating certificate issuance from our 2016 roots to our 2022 roots. This is a phased transition beginning with SSL/TLS before shifting to all certificate types. If your certificates handle standard HTTPS server authentication, no action is needed. However, if your infrastructure relies on 2016 root trust directly, review your options now:

  • If you have pinned trust anchors, custom trust stores, or certificate validation logic tied to the 2016 roots, please audit those configurations promptly to avoid disruptions.
  • Use cross-certificates. If you need backward compatibility with the 2016 root hierarchy during the transition, cross-certificates can bridge the gap.
  • Migrate to dedicated Client Certificates. These are purpose-built for client authentication and are unaffected by Google Chrome’s upcoming server authentication requirements, which impact SSL/TLS certificates with the ClientAuth EKU.

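Seeing this, my thinking was that I requested the certificates on April 1 and the email arrived on March 31, so by rights issuance should have produced certificates with the correct certificate chain. The problem is that the certificates from the previous phase apparently already used the 2022 intermediate certificate, and the key point is that this time they were also issued afterwards, so my head was full of questions... After going through all my unread emails one by one, I saw a new email: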

At 5:22 a.m. on April 3, 2026, I received an email with the subject "Important: Revocation Notice Affecting Your ACME TLS Certificate(s)", with the following content:

Important: Revocation Notice Affecting Your ACME TLS Certificate(s)

Dear Subscriber,

We are writing to inform you of an important update regarding your ACME TLS certificate(s).

As part of our ongoing commitment to regulatory and compliance requirements, we have identified that your ACME TLS certificate(s) does not meet one or more required baseline compliance criteria. As a result, your ACME TLS certificate(s) will be revoked no later than April 3, 2026, 4:04 PM UTC.

We understand this may be unexpected and appreciate your attention to this matter.

Next steps:
A patch has been deployed, and you may proceed with requesting a new replacement certificate at this time. Any certificates you may have issued after April 2, 2026, 5:00 PM UTC are not affected and will not be revoked as part of this patch.

We appreciate your understanding and cooperation as we maintain compliance standards with the Baseline Requirements.

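So is the reason all three domains were revoked that something went wrong during the replacement and they were revoked in bulk? Being a bit obsessive, I plan to wait for a good date and then try renewing again.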

ChiuYut

April 5, 2026
