Solved

False Positive SSL “Peer's Certificate Has Been Revoked” on Firefox Only

Posted on 2011-09-11
Last Modified: 2012-05-12
One of my clients is having a problem that is vexing both their system admin and GoDaddy support, who say that everything is correct and this error should not be happening. Their SSL certificate is valid and seems to be correctly installed:

http://www.sslshopper.com/ssl-checker.html#hostname=moocho.com

It also works fine on IE and Chrome. However, on Firefox users are getting this error (Firefox 7 users seem to get the error on every single page load):

[attached screenshot: divmn.jpg]

Relevant History: Last week (about 7-10 days ago) they were using a different certificate that *was* revoked.  However, they received a new SSL Cert on 9/5 or 9/6, and this is the one that is currently installed.  

I think this might have something to do with the OCSP service that Firefox uses to check certificate authenticity. Could that service have cached data from when the old cert was revoked, and hence still be reporting that moocho.com has a revoked cert? If so, is there any way to fix this problem?

If not, what is causing this error?

Thanks!
Question by: Jonah11
10 Comments
Expert Comment

by: Dave Baldwin
ID: 36519497
It only works in IE on this computer (Windows XP SP3). Firefox, Chrome, Safari and Opera all say it has been revoked. Check to see if the server is only responding to SSL2 for some reason. Firefox and the others only use SSL3 and TLS1 now, although I do have IE set to use SSL3 and TLS1 and not SSL2.

And you checked the wrong name, should have been "moochomoocho.com" though that checks OK too.  http://www.sslshopper.com/ssl-checker.html#hostname=moochomoocho.com
Author Comment

by: Jonah11
ID: 36519691
Dave,

Tyvm for the response.  You say: " Check to see if the server is only responding to SSL2 for some reason."

How do I perform this check?
Expert Comment

by: Dave Baldwin
ID: 36519774
Ignore that, I have IE set for SSL3 and TLS1 also, so that isn't it. It could be something about the OCSP and a delay for the info to propagate. Seems like everything gets cached these days and I don't know how to uncache that one. The OCSP path in the certificate does lead back to one of two sites on GoDaddy. You can view the details in IE by clicking on the 'lock' in the address bar.
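To see what the OCSP check the comment above describes actually does, independent of any vendor's responder or cache, here is a script added as an illustration (it is not code from the thread). It builds a throwaway CA, issues an "old" and a "new" certificate for the same host name, records the old one as revoked in an OpenSSL ca-style index file, and then produces and verifies OCSP responses for both with `openssl ocsp` in its offline responder mode. The host name www.example.com, the file names, the serial numbers 0x1000 and 0x1001 and the responder URL http://ocsp.example.com/ are all made up for the demo. Against a live site you would instead save the served certificate with `openssl s_client -showcerts`, read the responder address with `openssl x509 -noout -ocsp_uri`, and query it with `openssl ocsp -url`.

```shell
#!/bin/sh
# Added illustration, not code from the thread: offline OCSP round trip with a
# throwaway CA. Host name, paths, serial numbers and the responder URL are
# made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.com                  # stand-in for the real site name

# Self-signed CA that will also sign the OCSP responses (-rsigner below).
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 30 -signkey "$WORK/ca.key" \
        -in "$WORK/ca.csr" -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf certificate for $HOST with the given serial (hex) and an AIA extension
# naming the OCSP responder; that URL is what Firefox reads to know whom to ask.
issue_cert() {                        # $1 = name, $2 = serial in hex
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nauthorityInfoAccess=OCSP;URI:http://ocsp.example.com/\n' \
        "$HOST" > "$WORK/$1.ext"
    openssl x509 -req -sha256 -days 30 -set_serial "0x$2" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -extfile "$WORK/$1.ext" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# ca-style index the responder consults. Tab-separated columns: status
# (V = valid, R = revoked), expiry, revocation time, serial, file, subject.
write_index() {
    exp=301231235959Z                       # constructed expiry, not consulted here
    rev=$(date -u +%y%m%d%H%M%SZ)           # revocation time in UTCTime form
    printf 'R\t%s\t%s\t1000\tunknown\t/CN=%s\n' "$exp" "$rev" "$HOST" >  "$WORK/index.txt"
    printf 'V\t%s\t\t1001\tunknown\t/CN=%s\n'   "$exp"        "$HOST" >> "$WORK/index.txt"
}

# Responder URL embedded in a certificate (the "OCSP path" of the comment).
ocsp_uri() { openssl x509 -noout -ocsp_uri -in "$1"; }

# Answer an OCSP query for one certificate from the index (responder mode, no
# network), then verify the saved response as a client. Prints the status word
# (good, revoked, unknown) only if the response signature verified.
ocsp_status() {                       # $1 = certificate path
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
        -rsigner "$WORK/ca.crt" -rkey "$WORK/ca.key" -CAfile "$WORK/ca.crt" \
        -no_nonce -issuer "$WORK/ca.crt" -cert "$1" \
        -respout "$WORK/resp.der" >/dev/null 2>&1
    openssl ocsp -respin "$WORK/resp.der" -CAfile "$WORK/ca.crt" -no_nonce \
        -issuer "$WORK/ca.crt" -cert "$1" 2>&1 \
        | awk -v c="$1:" '/^Response verify OK/ { ok = 1 }
                          $1 == c { s = $2 }
                          END { if (ok) print s; else print "verify-failed" }'
}

make_ca
issue_cert old 1000                   # the certificate that was revoked
issue_cert new 1001                   # its replacement
write_index

for name in old new; do
    printf '%s.crt  responder=%s  status=%s\n' "$name" \
        "$(ocsp_uri "$WORK/$name.crt")" "$(ocsp_status "$WORK/$name.crt")"
done
```

The script needs only the openssl command line tool and runs offline. The point it makes is that an OCSP verdict is keyed on the issuer and the serial number of the certificate being asked about, so a stale "revoked" answer for the old serial cannot attach itself to the replacement certificate; a browser that reports "revoked" is being handed a certificate whose serial really is listed as revoked by some host it talks to.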
Author Comment

by: Jonah11
ID: 36520024
Dave,

I see the certificate in ie as you said by clicking on the lock, but what am I supposed to do with that info?

Thanks.
Expert Comment

by: Dave Baldwin
ID: 36520117
Ask GoDaddy about the two server options there and whether the verification on their OCSP server has been updated for the cert that is not out of date. I say that because it may be that IE uses one server and the others use the other server.

Under Encryption in Firefox Options, if you click on Validate, the default option is to use the OCSP server listed in the certificate. And the GoDaddy servers are listed in that GoDaddy certificate. It keeps pointing back to being their problem one way or another. I couldn't find a method in Chrome.
Author Comment

by: Jonah11
ID: 36520159
Which are the two server options you are referring to? I see this when clicking on the lock:

http://i.imgur.com/fARKs.png

Thanks,
Jonah
Accepted Solution

by: Dave Baldwin (earned 500 total points)
ID: 36520398
You didn't look far enough. The servers for OCSP are listed like this:
[attached screenshot: moocho-cert.jpg]
Assisted Solution

by: Jonah11 (earned 0 total points)
ID: 36544723
Well, finally figured it out. Turns out we were serving the .ico URL icon from our old server, and that was the cause of the error.

Thanks for your help Dave
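The cause Jonah11 found generalizes to any subresource: a favicon, script, stylesheet, image or frame fetched from a host that still presents the revoked certificate fails its own revocation check even though the page's certificate verifies cleanly, which is exactly what happened here. The script below is added as an illustration (it is not from the thread): it lists the hosts a saved page pulls content from and separates out those that differ from the page's own host, so each can be checked on its own (for instance by saving its certificate with `openssl s_client -showcerts -connect host:443` and querying the responder that `openssl x509 -noout -ocsp_uri` names). The sample page and every host name in it are constructed for the demo.

```shell
#!/bin/sh
# Added illustration, not code from the thread: find the hosts a page pulls
# subresources from. The sample page and all host names are constructed.
set -eu

# Constructed page: everything is on www.example.com except the favicon,
# which still points at the old server, and a script served from a CDN.
SAMPLE_HTML='<html><head>
<link rel="shortcut icon" href="https://old.example.net/favicon.ico">
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.org/jquery.js"></script>
</head><body>
<img src="https://www.example.com/logo.png">
<img src="images/banner.png">
<iframe src="https://www.example.com/embed"></iframe>
</body></html>'

# Distinct hosts named in double-quoted src= or href= attributes, read from
# stdin. Absolute and scheme-relative (//host/...) URLs count; relative paths
# come from the page's own host and are skipped.
subresource_hosts() {
    grep -oiE '(src|href)="[^"]*"' \
    | sed -E 's/^[^"]*"//; s/"$//' \
    | grep -E '^(https?:)?//' \
    | sed -E 's#^(https?:)?//##; s#[/:?].*##' \
    | tr 'A-Z' 'a-z' | sort -u
}

# Hosts other than the page's own: each serves content whose certificate the
# browser validates separately, revocation status included.
foreign_hosts() {                     # $1 = page host, HTML on stdin
    subresource_hosts | grep -vx "$1" || true
}

printf '%s\n' "$SAMPLE_HTML" | foreign_hosts www.example.com
```

Only double-quoted src and href attributes are parsed, which is enough for a quick audit of a saved page; a host you expected to be retired (old.example.net in the sample) is the one to look at first.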
Author Closing Comment

by: Jonah11
ID: 36565468
Turns out it was a stupid error on our part.
Expert Comment

by: Dave Baldwin
ID: 36544793
You're welcome, them little things will get you.