• Status: Solved

False Positive SSL “Peer's Certificate Has Been Revoked” on Firefox Only

One of my clients is having a problem that is vexing both their system admin and GoDaddy support, who say that everything is correct and this error should not be happening.  Their SSL certificate is valid and seems to be correctly installed:

http://www.sslshopper.com/ssl-checker.html#hostname=moocho.com

It also works fine on IE and Chrome.  However, on Firefox users are getting this error (Firefox 7 users seem to get the error on every single page load):

 divmn.jpg

Relevant History: Last week (about 7-10 days ago) they were using a different certificate that *was* revoked.  However, they received a new SSL Cert on 9/5 or 9/6, and this is the one that is currently installed.  

I think this might have something to do with the OCSP service that Firefox uses to check certificate authenticity.  Could that service have cached data from when the old cert was revoked, and hence still be reporting that moocho.com has a revoked cert?  If so, is there any way to fix this problem?  

If not, what is causing this error?

Thanks!
Jonah11
Asked:
 
Dave Baldwin (Fixer of Problems) Commented:
It only works in IE on this computer (Windows XP SP3).  Firefox, Chrome, Safari and Opera all say it has been revoked.  Check to see if the server is only responding to SSL2 for some reason.  Firefox and the others only use SSL3 and TLS1 now although I do have IE set to use SSL3 and TLS1 and not SSL2.

And you checked the wrong name, should have been "moochomoocho.com" though that checks OK too.  http://www.sslshopper.com/ssl-checker.html#hostname=moochomoocho.com
 
Jonah11 (Author) Commented:
Dave,

Tyvm for the response.  You say: " Check to see if the server is only responding to SSL2 for some reason."

How do I perform this check?
 
Dave Baldwin (Fixer of Problems) Commented:
Ignore that, I have IE set for SSL3 and TLS1 also so that isn't it.  It could be something about the OCSP and a delay for the info to propagate.  Seems like everything gets cached these days and I don't know how to uncache that one.  The OCSP path in the certificate does lead back to one of two sites on GoDaddy.  You can view the details in IE by clicking on the 'lock' in the address bar.
 
Jonah11 (Author) Commented:
Dave,

I see the certificate in IE as you said by clicking on the lock, but what am I supposed to do with that info?

Thanks.
 
Dave Baldwin (Fixer of Problems) Commented:
Ask GoDaddy about the two server options there and whether the verification on their OCSP server has been updated for the cert that is not out of date.  I say that because it may be that IE uses one server and the others use the other server.

Under Encryption in Firefox Options, if you click on Validate, the default option is to use the OCSP server listed in the certificate.  And the GoDaddy servers are listed in that GoDaddy certificate.  It keeps pointing back to being their problem one way or another.  I couldn't find a method in Chrome.
 
Jonah11 (Author) Commented:
Which are the 2 server options you are referring to?  I see this when clicking on the lock:

http://i.imgur.com/fARKs.png

Thanks,
Jonah
 
Dave Baldwin (Fixer of Problems) Commented:
You didn't look far enough.  The servers for OCSP are listed like this:
moocho-cert.jpg
 
Jonah11 (Author) Commented:
Well, finally figured it out.  Turns out we were serving the .ICO URL icon from our old server, and that was the cause of the error.  

Thanks for your help Dave
 
Jonah11 (Author) Commented:
Turns out it was a stupid error on our part.
 
Dave Baldwin (Fixer of Problems) Commented:
You're welcome, them little things will get you.
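
The cause found in this thread was an icon served from a second server that had its own certificate. As an added example (not part of the original thread), this Python script lists every HTTPS host a page pulls resources from, so that each host's certificate and revocation status can be checked separately; the sample HTML and the example.com / example.net host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attribute whose URL the browser fetches while rendering the page.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}

class SubresourceCollector(HTMLParser):
    """Collect absolute URLs of resources loaded along with a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls, self.has_icon = page_url, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "icon" in rel:
                self.has_icon = True
            elif "stylesheet" not in rel:
                return  # e.g. rel="canonical" is never fetched
        value = a.get(FETCH_ATTRS.get(tag, ""))
        if value:  # resolve relative and scheme-relative references
            self.urls.append(urljoin(self.page_url, value))

def tls_endpoints(page_url, html):
    """Map each (host, port) reached over HTTPS to the URLs served from it."""
    c = SubresourceCollector(page_url)
    c.feed(html)
    urls = [page_url] + c.urls
    if not c.has_icon:  # browsers request /favicon.ico when no icon is declared
        urls.append(urljoin(page_url, "/favicon.ico"))
    endpoints = {}
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname:
            endpoints.setdefault((parts.hostname, parts.port or 443), []).append(url)
    return endpoints

# Constructed sample page: the icon is still served from a second (old) host.
PAGE_URL = "https://www.example.com/shop/"
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://www.example.com/">
<link rel="shortcut icon" href="https://old.example.com/favicon.ico">
<link rel="stylesheet" href="/css/site.css">
</head><body><img src="//cdn.example.net/logo.png">
<script src="js/app.js"></script></body></html>"""

if __name__ == "__main__":
    for (host, port), urls in tls_endpoints(PAGE_URL, SAMPLE_HTML).items():
        print(f"{host}:{port}", *urls, sep="\n    ")
```

Any host in the output other than the page's own presents its own certificate, which the browser validates independently of the main site's.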