?
Solved

False Positive SSL “Peer's Certificate Has Been Revoked” on Firefox Only

Posted on 2011-09-11
10
Medium Priority
?
1,437 Views
Last Modified: 2012-05-12
One of my client's is having a problem that is vexing both their system admin and godaddy support, who say that everything is correct and this error should not be happening.  Their SSL certificate is valid and seems to be correctly installed:

http://www.sslshopper.com/ssl-checker.html#hostname=moocho.com

It also works find on IE and Chrome.  However, on firefox users are getting this error (firefox 7 users seem to get the error on every single page load):

 divmn.jpg

Relevant History: Last week (about 7-10 days ago) they were using a different certificate that *was* revoked.  However, they received a new SSL Cert on 9/5 or 9/6, and this is the one that is currently installed.  

I think this might have something to do with the OCSP service that firefox uses to check certificate authenticity.  Could that service have cached data from when the old cert was revoked, and hence still be reporting that moocho.com has a revoked cert?  If so, is there any way to fix this problem?  

If not, what is causing this error?

Thanks!
0
Comment
Question by:Jonah11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36519497
It only works in IE on this computer (windows XP SP3).  Firefox, Chrome, Safari and Opera all say it has been revoked.  Check to see if the server is only responding to SSL2 for some reason.  Firefox and the others only use SSL3 and TLS1 now although I do have IE set to use SSL3 and TLS1 and not SSL2.

And you checked the wrong name, should have been "moochomoocho.com" though that checks OK too.  http://www.sslshopper.com/ssl-checker.html#hostname=moochomoocho.com
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36519691
Dave,

Tyvm for the response.  You say: " Check to see if the server is only responding to SSL2 for some reason."

How do I perform this check?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36519774
Ignore that, I have IE set for SSL3 and TLS1 also so that isn't it.  It could be something about the OCSP and a delay for the info to propagate.  Seems like everything gets cached these days and I don't how to uncache that one.  The OCSP path in the certificate does lead back to one of two sites on Godaddy.  You can view the details in IE by clicking on the 'lock' in the address bar.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 7

Author Comment

by:Jonah11
ID: 36520024
Dave,

I see the certificate in ie as you said by clicking on the lock, but what am I supposed to do with that info?

Thanks.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36520117
Ask Godaddy about the two server options there and whether the verification on their OCSP server has been updated for the cert that is not out of date.  I say that because it maybe that IE uses one server and the others use the other server.

Under Encryption in Firefox Options, if you click on Validate, the default option is to use the OCSP server listed in the certificate.  And the Godaddy servers are listed in that Godaddy certificate.  It keeps pointing back to being their problem one way or another.  I couldn't find a method in Chrome.
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36520159
Which are the 2 server options you are referring to.  I see this when clicking on the lock:

http://i.imgur.com/fARKs.png

Thanks,
Jonah
0
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 36520398
You didn't look far enough.  The servers for OCSP are listed like this:
moocho-cert.jpg
0
 
LVL 7

Assisted Solution

by:Jonah11
Jonah11 earned 0 total points
ID: 36544723
Well, finally figured it out.  Turns out we were serving the .ICO url icon from our old server, and that was the cause of the error.  

Thanks for your help Dave
0
 
LVL 7

Author Closing Comment

by:Jonah11
ID: 36565468
Turns out was a stupid error on our part
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36544793
You're welcome, them little things will get you.
0

Featured Post

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In threads here at EE, each comment has a unique Identifier (ID). It is easy to get the full path for an ID via the right-click context menu. However, we often want to post a short link within a thread rather than the full link. This article shows a…
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question