False Positive SSL “Peer's Certificate Has Been Revoked” on Firefox Only

Posted on 2011-09-11
Last Modified: 2012-05-12
One of my clients is having a problem that is vexing both their system admin and GoDaddy support, who say that everything is correct and this error should not be happening.  Their SSL certificate is valid and seems to be correctly installed:

http://www.sslshopper.com/ssl-checker.html#hostname=moocho.com

It also works fine on IE and Chrome.  However, on Firefox users are getting this error (Firefox 7 users seem to get the error on every single page load):

 divmn.jpg

Relevant History: Last week (about 7-10 days ago) they were using a different certificate that *was* revoked.  However, they received a new SSL Cert on 9/5 or 9/6, and this is the one that is currently installed.  

I think this might have something to do with the OCSP service that Firefox uses to check certificate authenticity.  Could that service have cached data from when the old cert was revoked, and hence still be reporting that moocho.com has a revoked cert?  If so, is there any way to fix this problem?  

If not, what is causing this error?

Thanks!
Question by:Jonah11
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36519497
It only works in IE on this computer (Windows XP SP3).  Firefox, Chrome, Safari and Opera all say it has been revoked.  Check to see if the server is only responding to SSL2 for some reason.  Firefox and the others only use SSL3 and TLS1 now although I do have IE set to use SSL3 and TLS1 and not SSL2.

And you checked the wrong name, should have been "moochomoocho.com" though that checks OK too.  http://www.sslshopper.com/ssl-checker.html#hostname=moochomoocho.com
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36519691
Dave,

Tyvm for the response.  You say: " Check to see if the server is only responding to SSL2 for some reason."

How do I perform this check?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36519774
Ignore that, I have IE set for SSL3 and TLS1 also so that isn't it.  It could be something about the OCSP and a delay for the info to propagate.  Seems like everything gets cached these days and I don't know how to uncache that one.  The OCSP path in the certificate does lead back to one of two sites on GoDaddy.  You can view the details in IE by clicking on the 'lock' in the address bar.
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36520024
Dave,

I see the certificate in IE as you said by clicking on the lock, but what am I supposed to do with that info?

Thanks.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36520117
Ask GoDaddy about the two server options there and whether the verification on their OCSP server has been updated for the cert that is not out of date.  I say that because it may be that IE uses one server and the others use the other server.

Under Encryption in Firefox Options, if you click on Validate, the default option is to use the OCSP server listed in the certificate.  And the GoDaddy servers are listed in that GoDaddy certificate.  It keeps pointing back to being their problem one way or another.  I couldn't find a method in Chrome.
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36520159
Which are the 2 server options you are referring to?  I see this when clicking on the lock:

http://i.imgur.com/fARKs.png

Thanks,
Jonah
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 36520398
You didn't look far enough.  The servers for OCSP are listed like this:
moocho-cert.jpg
0
 
LVL 7

Assisted Solution

by:Jonah11
Jonah11 earned 0 total points
ID: 36544723
Well, finally figured it out.  Turns out we were serving the .ICO url icon from our old server, and that was the cause of the error.  

Thanks for your help Dave
0
 
LVL 7

Author Closing Comment

by:Jonah11
ID: 36565468
Turns out was a stupid error on our part
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36544793
You're welcome, them little things will get you.
0
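
The cause found in this thread was a subresource (the favicon) still being fetched from a host with the old, revoked certificate. As an added example that is not part of the original thread, the following sketch lists every HTTPS host a page loads from so each host's certificate can be checked separately; the function names, the `example.test` hosts and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch a subresource.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
FETCHING_RELS = {"stylesheet", "icon"}  # <link rel> values that trigger a fetch

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls, self.has_icon = base_url, [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # e.g. rel="canonical" is never fetched
            self.has_icon = self.has_icon or "icon" in rels
        self.urls.append(urljoin(self.base_url, value))

def tls_hosts(page_url, html):
    """Map each HTTPS host the page loads from to the URLs fetched from it."""
    collector = _Collector(page_url)
    collector.feed(html)
    urls = [page_url] + collector.urls
    if not collector.has_icon:
        # With no icon declared, browsers request /favicon.ico from the origin.
        urls.append(urljoin(page_url, "/favicon.ico"))
    hosts = {}
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname:
            hosts.setdefault(parts.hostname, []).append(url)
    return hosts

def extra_hosts(page_url, html):
    """Hosts other than the page's own whose certificates also get validated."""
    own = urlsplit(page_url).hostname
    return sorted(h for h in tls_hosts(page_url, html) if h != own)

# Constructed sample: the icon still points at the old server.
SAMPLE_PAGE = "https://www.example.test/"
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="https://old.example.test/favicon.ico">
<link rel="stylesheet" href="/css/site.css">
<script src="//static.example.test/app.js"></script>
</head><body><img src="http://cdn.example.test/logo.png"></body></html>"""

if __name__ == "__main__":
    print(extra_hosts(SAMPLE_PAGE, SAMPLE_HTML))
```

Each host it reports presents its own certificate, so a revocation error on the page can come from any of them even when the main site's certificate checks out.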
