---
id: 16c072f5-dfed-47d5-8540-9a95c5681396
---

# SSL Certificate Revocation
---

An SSL Certificate Revocation incident refers to an event where the SSL certificate for a particular instance is found to be revoked or invalid. This can cause security issues and disrupt the availability of the service, as clients may not be able to establish a secure connection with the instance. Resolving this incident typically involves renewing or replacing the SSL certificate for the affected instance.

### Parameters
```shell
export PORT="PLACEHOLDER"

export INSTANCE="PLACEHOLDER"

export CERTIFICATE_FILE="PLACEHOLDER"

export PATH_TO_CA_BUNDLE_FILE="PLACEHOLDER"

export NAME_OF_SSL_CERTIFICATE_AUTHORITY="PLACEHOLDER"

export CERTIFICATE_NAME="PLACEHOLDER"
```

## Debug

### Check the SSL certificate status of an instance
```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2
```

### Check the SSL certificate validity period
```shell
openssl x509 -in ${CERTIFICATE_FILE} -noout -dates
```

### Check the SSL certificate issuer
```shell
openssl x509 -in ${CERTIFICATE_FILE} -noout -issuer
```

### Check the SSL certificate subject
```shell
openssl x509 -in ${CERTIFICATE_FILE} -noout -subject
```

### Check the SSL certificate chain
```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -showcerts
```

### Check the SSL/TLS protocol version
```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -msg
```

### Check the SSL/TLS handshake process
```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -state -debug
```

### Check the SSL/TLS cipher suite
```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -cipher
```

### Check the SSL/TLS certificate revocation status
```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -crlf -status
```

### The SSL certificate for the instance expired and was not renewed in a timely manner.
```shell


#!/bin/bash



# Define instance and certificate variables

INSTANCE=${INSTANCE}

CERTIFICATE=${CERTIFICATE_FILE}



# Check if certificate has expired

if openssl x509 -checkend 0 -noout -in $CERTIFICATE; then

    echo "Certificate for $INSTANCE has not expired."

else

    echo "Certificate for $INSTANCE has expired."

fi


```

### The SSL certificate was issued by an untrusted or compromised certificate authority.
```shell


#!/bin/bash



# Define variables

INSTANCE=${INSTANCE}

CERT_FILE=${CERTIFICATE_FILE}

CERT_AUTHORITY=${NAME_OF_SSL_CERTIFICATE_AUTHORITY}



# Check if certificate is valid

openssl verify -CAfile ${PATH_TO_CA_BUNDLE_FILE} $CERT_FILE



# Check if certificate was issued by trusted authority

openssl x509 -noout -issuer $CERT_FILE | grep -q $CERT_AUTHORITY

if [ $? -ne 0 ]; then

    echo "Certificate was not issued by trusted authority: $CERT_AUTHORITY"

    exit 1

fi



echo "Certificate is valid and was issued by trusted authority: $CERT_AUTHORITY"

exit 0


```

## Repair

### Renew the SSL certificate: The first step to resolving an SSL certificate revocation incident is to renew the certificate. This typically involves generating a new certificate signing request (CSR), submitting it to a certificate authority (CA), and then installing the new certificate on the affected instance.
```shell
#!/bin/bash

# Use certbot to renew certificate
certbot renew --cert-name "$CERTIFICATE_NAME"
```

An SSL Certificate Revocation incident refers to an event where the SSL certificate for a particular instance is found to be revoked or invalid. This can cause security issues and disrupt the availability of the service, as clients may not be able to establish a secure connection with the instance. Resolving this incident typically involves renewing or replacing the SSL certificate for the affected instance.


This incident type usually occurs when there is a failure in the SSL Handshake process between a client and server running on a Tomcat web server. This can happen for various reasons such as incorrect SSL certificate configuration, cipher suite mismatches, or network connectivity issues. When this type of incident is not resolved quickly, it can lead to downtime or service disruptions for users trying to access the affected service.


Tomcat SSL Handshake Failure Incident

This incident type refers to an issue with Redis replication, which means that there is a problem with the synchronization of data between Redis instances. This issue could impact the availability and performance of the system and may require immediate attention to restore the replication and ensure data consistency. The incident could be caused by various factors, such as network problems, hardware failures, or configuration issues. The incident must be investigated and resolved as soon as possible to avoid any data loss or downtime.


Redis replication broken incident.

This incident type refers to a situation where Redis, a popular in-memory data structure store, has rejected connections. This could happen due to various reasons such as server overload, network issues, or misconfiguration. When this occurs, it can cause disruptions in the performance of applications that rely on Redis for data storage or caching. Thus, it requires immediate attention and resolution to minimize the impact on the applications and users.


Redis Rejected Connections Incident

A Redis instance down incident refers to a situation where the Redis server, which is a popular open-source in-memory data structure store, is not functioning or accessible. This can cause interruption in the service and impact the performance of applications that rely on Redis for caching or data storage. Typically, this type of incident is considered high urgency and requires immediate attention from the responsible team to investigate, diagnose, and resolve the issue.


Redis instance down incident

This incident type refers to the restart of a MySQL instance that has caused an alert to trigger. It may be related to issues with the MySQL database or the server hosting the instance. The incident requires investigation and resolution to ensure the proper functioning of the affected services.


MySQL instance restart incident

```shell
export PORT="PLACEHOLDER"

export INSTANCE="PLACEHOLDER"

export CERTIFICATE_FILE="PLACEHOLDER"

export PATH_TO_CA_BUNDLE_FILE="PLACEHOLDER"

export NAME_OF_SSL_CERTIFICATE_AUTHORITY="PLACEHOLDER"

export CERTIFICATE_NAME="PLACEHOLDER"
```


### Check the SSL certificate status of an instance

```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2
```

### Check the SSL certificate validity period

```shell
openssl x509 -in ${CERTIFICATE_FILE} -noout -dates
```

### Check the SSL certificate issuer

```shell
openssl x509 -in ${CERTIFICATE_FILE} -noout -issuer
```

### Check the SSL certificate subject

```shell
openssl x509 -in ${CERTIFICATE_FILE} -noout -subject
```

### Check the SSL certificate chain

```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -showcerts
```

### Check the SSL/TLS protocol version

```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -msg
```

### Check the SSL/TLS handshake process

```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -state -debug
```

### Check the SSL/TLS cipher suite

```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -cipher
```

### Check the SSL/TLS certificate revocation status

```shell
openssl s_client -connect ${INSTANCE}:${PORT} -tls1_2 -crlf -status
```

### The SSL certificate for the instance expired and was not renewed in a timely manner.

```shell


#!/bin/bash



# Define instance and certificate variables

INSTANCE=${INSTANCE}

CERTIFICATE=${CERTIFICATE_FILE}



# Check if certificate has expired

if openssl x509 -checkend 0 -noout -in $CERTIFICATE; then

    echo "Certificate for $INSTANCE has not expired."

else

    echo "Certificate for $INSTANCE has expired."

fi


```

### The SSL certificate was issued by an untrusted or compromised certificate authority.

```shell


#!/bin/bash



# Define variables

INSTANCE=${INSTANCE}

CERT_FILE=${CERTIFICATE_FILE}

CERT_AUTHORITY=${NAME_OF_SSL_CERTIFICATE_AUTHORITY}



# Check if certificate is valid

openssl verify -CAfile ${PATH_TO_CA_BUNDLE_FILE} $CERT_FILE



# Check if certificate was issued by trusted authority

openssl x509 -noout -issuer $CERT_FILE | grep -q $CERT_AUTHORITY

if [ $? -ne 0 ]; then

    echo "Certificate was not issued by trusted authority: $CERT_AUTHORITY"

    exit 1

fi



echo "Certificate is valid and was issued by trusted authority: $CERT_AUTHORITY"

exit 0


```


### Renew the SSL certificate: The first step to resolving an SSL certificate revocation incident is to renew the certificate. This typically involves generating a new certificate signing request (CSR), submitting it to a certificate authority (CA), and then installing the new certificate on the affected instance.

```shell
#!/bin/bash

# Use certbot to renew certificate
certbot renew --cert-name "$CERTIFICATE_NAME"
```


SSL Certificate Revocation

Overview

Parameters

Debug

Check the SSL certificate status of an instance

Check the SSL certificate validity period

Check the SSL certificate issuer

Check the SSL certificate subject

Check the SSL certificate chain

Check the SSL/TLS protocol version

Check the SSL/TLS handshake process

Check the SSL/TLS cipher suite

Check the SSL/TLS certificate revocation status

The SSL certificate for the instance expired and was not renewed in a timely manner.

The SSL certificate was issued by an untrusted or compromised certificate authority.

Repair

Learn more

Related Runbooks

Tomcat SSL Handshake Failure Incident

Redis replication broken incident.

Redis Rejected Connections Incident

Redis instance down incident

Support