
revoked.badssl.com no longer triggering revoked error across most browsers after renewal #531

Open
greyivy opened this issue May 22, 2024 · 2 comments
Labels
needs-acme Requires automated certificate renewal

Comments

@greyivy

greyivy commented May 22, 2024

I tested revoked.badssl.com on major browsers on Windows and macOS and the only browser that's giving me a SEC_ERROR_REVOKED_CERTIFICATE is Firefox on macOS. This was working across other browsers before the certificate was recently renewed.

Does anyone know why this is?

@christhompson (Collaborator)

I'm in the process of migrating the certificate for revoked.badssl.com to Let's Encrypt so that we can include it in our automated certificate renewal process. This means that it will no longer be manually added to Chrome's certificate blocklist (as I had done previously, but proved to be an impediment to keeping the certificate renewed), and instead only be included as a keyCompromise revocation in the CRL from Let's Encrypt. This will have some consequences across different browsers, depending on how they handle CRLs.

@christhompson christhompson added the needs-acme Requires automated certificate renewal label May 22, 2024
@christhompson (Collaborator)

The certificate for revoked.badssl.com is now handled via our automated renewals script. This means that it will be kept up to date automatically going forward (no more "expired cert" taking precedence over "revoked cert"), but it does mean that (at least in Chrome) there will be a delay between each renewal and when the browser knows that the cert is revoked.

I'll leave this open as a "Known Issue" though. It might be possible to "hold onto" the previous revoked cert at each renewal period for some time (e.g., 1 week) to allow CRL consumers to process the revocation, but I don't think I currently have a good idea for how to handle that without manual cut-over and busywork which I want to avoid :-)
