5

I just upgraded our web server with a renewed cert as our current cert expires later this week. When I browse to our site via FF it is throwing this error:

    Secure Connection Failed
    An error occurred during a connection to www.rivworks.com.
    Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
      * The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
      * Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

When I try IE (v6 - v8) I do not get this error. I've searched this site, Bing and Google and am not finding a solution for this. If I had long hair I'd be pulling it out!

Any help is appreciated!


ADDITIONAL INFO:
After working the search engines over I have come to conclude this is a problem in FF and not with my cert. My cert issuer has been going through it with a fine-tooth comb and everything they can do shows all of my cert chain is in working order. FF just hates a renewed cert!

The one (and only one) link I got for a possible fix is here: http://www.wallpaperama.com/forums/firefox-error-code-sec-error-revoked-certificate-t7301.html. This leads to the solution this guy came up with here: http://www.wallpaperama.com/forums/installing-ssl-certificate-in-a-godaddy-dedicated-server-with-ispconfig-t7300.html. Unfortunately - it is for a UNIX server and I don't know how to translate UNIX to WINDOWS SERVER 2003.


Any help?

Mark Henderson
Keith Barrows
  • In response to your edit: the thing is that I can replicate the problem in FF, IE and Chrome (haven't tried Safari or Konqueror) using https://www.rivworks.com. All three of them balk at it when set to check revocation lists... – squillman Sep 23 '09 at 23:39
  • @squillman is correct. This is not just a FF issue. When the solution is to have your users change a security setting in their browser, there's a problem with your source. – dr. Oct 20 '09 at 14:58

5 Answers

3

Have you looked at the cert in FF or IE to see if you can get any clue as to what's wrong? Could it be that the certificate chain is broken because an intermediate certificate is no longer valid?

joeqwerty
  • I'm not sure how to do this. When I look in FF/IE I can see the issuer and that it is valid for SSL (etc) but I do not see a chain/tree of certs. – Keith Barrows Sep 23 '09 at 21:14
  • In IE, select to view the certificate, then select the Certification Path tab. This will show you the chain, but I'm guessing it's going to look OK. – joeqwerty Sep 23 '09 at 21:17
  • Yep - In Safari, Chrome & IE the chain looks fine. Even GoDaddy looked at it and said it was fine (after fixing one intermediate cert problem I had on one server). – Keith Barrows Sep 23 '09 at 23:09
  • I'm not able to get to the site in IE. It doesn't give me the option to "Continue to this web site". I think that there's got to be something wrong with the cert or the cert chain. What's the possibility of temporarily removing the GoDaddy cert and trying a self-signed cert, a free commercial cert, or a demo commercial cert as a test? If you can and the site works I think that would confirm that there's a problem with the GoDaddy cert or cert chain. – joeqwerty Sep 24 '09 at 03:44
  • After spending a couple of hours on the phone with various terminals at GoDaddy this is what we did to resolve this issue. (1) Delete all cert instances via IIS (it is a wild carded cert and was applied to several web sites and web services). (2) Generate a new CSR via IIS6. (3) Use the CSR text to ReKey the cert at certs.GoDaddy.com. (4) Download the new cert. (5) Cont the install in IIS6. (6) On the other sites, use an already installed cert (several showed up!) and make sure it was the current request. The site is now working correctly. – Keith Barrows Sep 24 '09 at 19:15
  • The key to the whole exercise was when GoDaddy tech support had me ReKey the cert yesterday the Serial Number/Version went out of sync between my local cert and the Root Authority (GoDaddy). – Keith Barrows Sep 24 '09 at 19:16
  • Glad you got it worked out. That was one I had not seen before so I'll have to remember it for the future. – joeqwerty Sep 24 '09 at 19:19
  • Yah, good to have this one documented! – squillman Sep 24 '09 at 19:47
  • After badgering GoDaddy they finally came up with a solution. In a nutshell, delete all certs and reinstall on one server. Once installed, export from that server and import on the other servers. When we did this with the new, unexpired cert the first time, the certs picked up the old root. While it was reporting as a good chain, in fact it was not. – Keith Barrows Oct 23 '09 at 15:39
  • Glad to hear that you got it fixed. thanks for the update. – joeqwerty Oct 23 '09 at 16:14
2

The solution given on other sites, to uncheck the OCSP query option in browsers (in Firefox, under options or certificate settings), doesn't seem the right solution. OCSP (Online Certificate Status Protocol) is an internet protocol used for obtaining the revocation status of your digital certificate. See details here

If the OCSP response doesn't confirm the certificate is OK, the browser will show an error such as sec_error_revoked_certificate. Better to check for a broken chain of the installed certificate or its validity.

AHashmi
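To make concrete what joeqwerty's and AHashmi's answers describe (a chain that validates in the certificate viewer while the CA has revoked the leaf, and a rekeyed certificate whose serial number no longer matches what the CA has on file), here is an added example; it is not code from the thread or from any tool named in it. It builds a throwaway local CA with openssl, issues an "old" and a "rekeyed" leaf, revokes the old one, and compares plain chain validation with revocation-aware validation. The CA name, the host name www.example.test and all file names are made up, and the CA publishes a CRL instead of running an OCSP responder (both carry the same revocation data). The live_check function at the end applies the same checks to a real host; it assumes the server sends its intermediate certificate, needs network access, and is defined but not called.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the situation the thread
# describes with a throwaway local CA: every certificate in the chain verifies
# ("Certification Path" looks fine), yet a revocation check still rejects the
# old certificate because the issuer has listed its serial number.
# Names (Local Test CA, www.example.test, file names) are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway CA (constructed; stands in for the commercial issuer).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Local Test CA" -days 30 >/dev/null 2>&1

# 2. Issue leaf certificates. issue_leaf NAME SERIAL: "old" is the original
#    certificate, "new" is the rekeyed one (fresh key, different serial).
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 30 -out "$1.pem" >/dev/null 2>&1
}
issue_leaf old 1000
issue_leaf new 1001

# 3. The CA revokes the old certificate and publishes a CRL. (The browsers in
#    the thread ask via OCSP instead; the revocation data is the same.)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local
[ local ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
certificate = ca.pem
private_key = ca.key
EOF
touch index.txt
echo 01 > crlnumber
openssl ca -config ca.cnf -revoke old.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# chain_ok CERT: chain validation only, the check a browser's certificate
# viewer performs. Prints "ok" or "fail".
chain_ok() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# revocation_ok CERT: the same validation plus a revocation lookup, which is
# what produces sec_error_revoked_certificate in Firefox.
revocation_ok() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# serial_of CERT: the serial number, the field to compare against what the
# CA's portal shows after a rekey.
serial_of() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# live_check HOST: the same two checks against a real server (needs network,
# so it is defined but not called here). Saves the chain the server actually
# sends as srv1.pem (leaf), srv2.pem (issuer), ... then validates the leaf
# against the system trust store and asks the OCSP responder named in it.
live_check() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERT/{n++} n>0{print > ("srv" n ".pem")}'
  openssl verify -untrusted srv2.pem srv1.pem
  ocsp_url=$(openssl x509 -in srv1.pem -noout -ocsp_uri)
  openssl ocsp -issuer srv2.pem -cert srv1.pem -url "$ocsp_url" -resp_text
}

echo "old: chain=$(chain_ok old.pem) revocation=$(revocation_ok old.pem) serial=$(serial_of old.pem)"
echo "new: chain=$(chain_ok new.pem) revocation=$(revocation_ok new.pem) serial=$(serial_of new.pem)"
```

Run it with sh; the two echo lines report chain=ok for both certificates but revocation=fail only for the old one, and the two serials differ. That gap is exactly the difference between what the Certification Path tab shows and what an OCSP- or CRL-checking browser enforces, and comparing serial_of against the issuer's records is the quick way to confirm whether the certificate installed after a rekey is the one the CA actually has on file.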
0

Browsers have options that will check for certificate revocation, and this check is most likely turned off for you in IE while enabled in FF. The option in IE is in Internet Options on the Advanced tab under the Security heading: "Check for server certificate revocation". Look to see if that's enabled on your browser. If not, check it and restart IE and you should start seeing IE tell you the same thing.

Just a thought, but check to see what the beginning date is that the certificate is valid. If it's some time in the future you should put your old cert back on the server.

squillman
0

I have had this problem too. To get around it in Firefox, you need to do the following:

Tools > Options > Advanced > Encryption > Validation > Disable OCSP.

As to why your certificate is on that list, I've no idea, but I had the same problem with our mail server, and it is still currently unresolved.

Mark Henderson
  • Unfortunately I cannot ask every person in the world that may hit our site to do this. I'm leaning towards a mismatched intermediate cert right now. Will post the solution once I find it. – Keith Barrows Sep 23 '09 at 21:45
  • true, but if it's an internal site you can – Mark Henderson Sep 24 '09 at 00:29
  • Did turn out to be a mismatch in version/serial number on the cert. (See above for the answer I chose as the closest.) – Keith Barrows Sep 24 '09 at 18:58
  • That is some very bad advice Mark. The equivalent would be a retailer who keeps trying a customer's credit card and getting a rejection and you suggesting "turn off validation checking" as a fix. Yikes! – Ram Sep 17 '11 at 16:40
  • @Ram - whilst it might be bad advice, it *is* a workaround. Additionally, you should not flag answers just because they're "wrong" - just give a downvote, leave a comment, and move on. – Mark Henderson Sep 17 '11 at 22:57
  • @Mark - no offense intended - it is indeed a work around but not something folks finding this question and answer should use. I flagged for moderator review as I don't have the reputation to down rate it and yet it really really should be down rated. – Ram Sep 18 '11 at 00:41
  • While technically correct, this answer is dangerous. OCSP exists for a reason, and disabling it will lower the security for all websites accessed by Firefox. – Daniel Serodio Sep 22 '17 at 18:28
0

I ran into this error and the reason was that major browsers have clamped down on CAs (Certificate Authorities) behaving badly.
The root certs of WoSign/StartCom and even some Symantec root certs have been revoked.

Annoyingly, looking at the cert didn't give me a clue as to what was wrong.