Saturday, January 29, 2011

Peer's Certificate has been revoked.

I just upgraded our web server with a renewed cert as our current cert expires later this week. When I browse to our site via FF it is throwing this error:

    Secure Connection Failed
    An error occurred during a connection to www.rivworks.com.
    Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
        * The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
        * Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

When I try IE (v6 - v8) I do not get this error. I've searched this site, Bing and Google and am not finding a solution for this. If I had long hair I'd be pulling it out!

Any help is appreciated!


ADDITIONAL INFO:
After working the search engines over I have come to conclude this is a problem in FF and not with my cert. My cert issuer has been going through it with a fine-tooth comb and everything they can do shows all of my cert chain is in working order. FF just hates a renewed cert!

The one (and only one) link I got for a possible fix is here: http://www.wallpaperama.com/forums/firefox-error-code-sec-error-revoked-certificate-t7301.html. This leads to the solution this guy came up with here: http://www.wallpaperama.com/forums/installing-ssl-certificate-in-a-godaddy-dedicated-server-with-ispconfig-t7300.html. Unfortunately, it is for a UNIX server and I don't know how to translate UNIX to WINDOWS SERVER 2003.


Any help?

  • Browsers have options that will check for certificate revocation, and this check is most likely turned off for you in IE while enabled in FF. The option in IE is in Internet Options on the Advanced tab under the Security heading: "Check for server certificate revocation". Look to see if that's enabled on your browser. If not, check it and restart IE and you should start seeing IE tell you the same thing.

    Just a thought, but check to see what the beginning date is that the certificate is valid. If it's some time in the future you should put your old cert back on the server.

    Keith Barrows : the cert is valid 9/22/2009 - 9/24/2012. We are past the 22nd so this should not be the problem.
    squillman : Ok. Well, it's on a revocation list for whatever reason. I would check with the provider to see what's going on there.
    Keith Barrows : Thanks man - on hold with the cert issuer :(
    Keith Barrows : So, GoDaddy came back with an answer of "It's something wrong with Mozilla (FF)". They said my cert chain looked fine. :'(
    From squillman
  • Have you looked at the cert in FF or IE to see if you can get any clue as to what's wrong? Could it be that the certificate chain is broken because an intermediate certificate is no longer valid?

    Keith Barrows : I'm not sure how to do this. When I look in FF/IE I can see the issuer and that it is valid for SSL (etc) but I do not see a chain/tree of certs.
    joeqwerty : In IE, select to view the certificate, then select the Certification Path tab. This will show you the chain, but I'm guessing it's going to look OK.
    Keith Barrows : Yep - In Safari, Chrome & IE the chain looks fine. Even GoDaddy looked at it and said it was fine (after fixing one intermediate cert problem I had on one server).
    joeqwerty : I'm not able to get to the site in IE. It doesn't give me the option to "Continue to this web site". I think that there's got to be something wrong with the cert or the cert chain. What's the possibility of temporarily removing the GoDaddy cert and trying a self-signed cert, a free commercial cert, or a demo commercial cert as a test? If you can and the site works I think that would confirm that there's a problem with the GoDaddy cert or cert chain.
    Keith Barrows : After spending a couple of hours on the phone with various terminals at GoDaddy this is what we did to resolve this issue. (1) Delete all cert instances via IIS (it is a wildcarded cert and was applied to several web sites and web services). (2) Generate a new CSR via IIS6. (3) Use the CSR text to ReKey the cert at certs.GoDaddy.com. (4) Download the new cert. (5) Continue the install in IIS6. (6) On the other sites, use an already installed cert (several showed up!) and make sure it was the current request.

    The site is now working correctly.
    Keith Barrows : The key to the whole exercise was when GoDaddy tech support had me ReKey the cert yesterday the Serial Number/Version went out of sync between my local cert and the Root Authority (GoDaddy).
    joeqwerty : Glad you got it worked out. That was one I had not seen before so I'll have to remember it for the future.
    squillman : Yah, good to have this one documented!
    Keith Barrows : After badgering GoDaddy they finally came up with a solution. In a nutshell, delete all certs and reinstall on one server. Once installed, export from that server and import on the other servers. When we did this with the new, unexpired cert the first time, the certs picked up the old root. While it was reporting as a good chain, in fact it was not.
    joeqwerty : Glad to hear that you got it fixed. Thanks for the update.
    From joeqwerty
  • I have had this problem too. To get around it in FireFox, you need to do the following:

    Tools > Options > Advanced > Encryption > Validation > Disable OCSP.

    As to why your certificate is on that list, I've no idea, but I had the same problem with our mail server, and it is still unresolved.

    Keith Barrows : Unfortunately I cannot ask every person in the world that may hit our site to do this. I'm leaning towards a mismatched intermediate cert right now. Will post the solution once I find it.
    Farseeker : True, but if it's an internal site you can.
    Keith Barrows : Did turn out to be a mismatch in version/serial number on the cert. (See above for the answer I chose as the closest.)
    From Farseeker
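The thread's root cause was a serial number/version mismatch between the certificate still installed on the server and the one the CA listed after the re-key, and squillman also suggested checking the start of the validity period. As an added example that is not from this thread, the following standard-library Python reads exactly those fields from a DER-encoded certificate and flags the three conditions; `sample_cert`, `check_installed` and the serial numbers are constructed for the demonstration, and a real certificate would be passed as `cert_identity(open("server.der", "rb").read())`.

```python
import datetime
def _tlv(buf, pos):  # decode one DER tag-length-value; return (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split a constructed value into its (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, raw):  # UTCTime (0x17) is YYMMDDHHMMSSZ; YY >= 50 means 19YY (RFC 5280)
    s = raw.decode("ascii").rstrip("Z")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s  # GeneralizedTime (0x18) already has YYYY
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%S")

def cert_identity(der):
    """Version, serial number and validity window of a DER-encoded X.509 certificate."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])  # members of tbsCertificate
    version = 1
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version; when absent the certificate is v1
        version = int.from_bytes(_children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)  # then sigAlg, issuer, validity
    not_before, not_after = [_time(t, v) for t, v in _children(fields[3][1])]
    return {"version": version, "serial": serial, "not_before": not_before, "not_after": not_after}

def check_installed(der, issued_serial, today):
    """Flag what the thread ran into: a stale serial after a re-key, a start date in the future, expiry."""
    info, now = cert_identity(der), datetime.datetime.fromisoformat(today)
    return [msg for bad, msg in (
        (info["serial"] != issued_serial, "serial mismatch: installed cert is not the one the CA lists as current"),
        (now < info["not_before"], "not yet valid"),
        (now > info["not_after"], "expired")) if bad]
def _der(tag, body):  # encode one TLV; two-byte long form covers bodies up to 65535 bytes
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body
def sample_cert(serial):
    """Constructed, certificate-shaped DER (unsigned, empty names) with the thread's validity dates."""
    validity = _der(0x30, _der(0x17, b"090922000000Z") + _der(0x17, b"120924000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes(4, "big"))
           + _der(0x30, b"") + _der(0x30, b"") + validity)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
if __name__ == "__main__":  # constructed scenario: CA re-keyed to 0x2A3B4D, old copy still installed
    print(check_installed(sample_cert(0x2A3B4C), 0x2A3B4D, "2011-01-29"))
```

The serial comparison is the local half of the check; the issuer's current serial comes from the CA's account page or the freshly downloaded certificate, and a revocation lookup (OCSP, as Firefox performs) is what finally catches a stale copy that the chain view still reports as good.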
