How to fix a false SSL revocation error message?
I am getting an error in my desktop Firefox about my certificate being revoked. It only seems to happen on this desktop (Windows 7) though, as I am able to visit the same site with Firefox on my Android device as well as in Firefox under my Xubuntu virtual machine. The certificate is signed by StartSSL, but it is valid, and signed recently enough that it shouldn't be affected by the compromise that happened a year or two back. I generated a test certificate using Let's Encrypt and it works fine, but I don't want to deal with the hassle of creating a new LE certificate every three months. My hosting provider doesn't support it directly, so I have to do the manual steps on gethttpsforfree.com. That gets really annoying when you have to do 10 authorizations at a time for all your sub-domains. I tried generating a brand new certificate on startssl.com, but immediately get the same error when installing it.
I have tried deleting the cert8.db file out of my profile, but that doesn't seem to resolve the issue. I feel like this may be an intermediate cert issue, but I can't extract any details out of Firefox, so that's just speculation on my part. It just straight up refuses to even show me why the certificate is bad. Is there a way to flush out the intermediate certificates and force Firefox to retrieve new data? It's frustrating that any browser except Firefox is perfectly content with this certificate. Am I missing something?
All Replies (8)
Hi j3rk, Mozilla and other browser vendors are now starting to revoke trust from new WoSign and StartCom issued certificates, as some mishandling and forbidden practices came to light about them recently: https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
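A quick way to check whether a certificate falls under the distrust described in the reply above, as an added example that is not part of the original thread and is not Firefox's actual logic. It is a heuristic over the dict that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates are constructed, the cutoff date is taken from the linked Mozilla announcement, and matching on the issuer name (rather than the exact affected roots) is an assumption.

```python
import ssl
from datetime import date, datetime, timezone

# Per the linked Mozilla post: certificates chaining to the affected roots with
# a notBefore after 21 October 2016 are distrusted. Comparing whole dates (not
# the exact second of the boundary) is an assumption of this example.
CUTOFF = date(2016, 10, 21)
# Assumption: match the CA by issuer name instead of the exact root list.
AFFECTED_ORGS = ("startcom", "wosign")

def issuer_fields(cert):
    """Flatten the nested RDN tuples of getpeercert()['issuer'] into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def check_cert(cert):
    """Report whether a leaf certificate looks affected by the distrust."""
    fields = issuer_fields(cert)
    names = " ".join(
        fields.get(k, "") for k in ("organizationName", "commonName")
    ).lower()
    affected = any(org in names for org in AFFECTED_ORGS)
    # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used here.
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    not_before = datetime.fromtimestamp(seconds, tz=timezone.utc).date()
    return {
        "issuer": fields.get("commonName", ""),
        "not_before": not_before.isoformat(),
        "affected_ca": affected,
        "likely_distrusted": affected and not_before > CUTOFF,
    }

def _sample(org, cn, not_before):
    """Build a constructed getpeercert()-style dict for the demo below."""
    return {
        "issuer": ((("organizationName", org),), (("commonName", cn),)),
        "notBefore": not_before,
    }

# Constructed samples, not real certificates.
SAMPLE_NEW = _sample("StartCom Ltd.", "StartCom Class 1 DV Server CA",
                     "Nov  3 12:00:00 2016 GMT")
SAMPLE_OLD = _sample("StartCom Ltd.", "StartCom Class 1 DV Server CA",
                     "Mar 14 09:30:00 2016 GMT")
SAMPLE_LE = _sample("Let's Encrypt", "Let's Encrypt Authority X3",
                    "Nov  3 12:00:00 2016 GMT")

if __name__ == "__main__":
    for sample in (SAMPLE_NEW, SAMPLE_OLD, SAMPLE_LE):
        print(check_cert(sample))
```

A certificate issued on startssl.com after the cutoff, like the brand new one mentioned in the question, lands in the `likely_distrusted` case regardless of how valid it otherwise is.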
Oh great, another Firefox crusade.
Ok, I guess for now I'll downgrade to 50 and turn off automatic updates until I figure out what I want to do.
Note that it is likely that other browsers will follow as in this case it is a serious offense to back-date a certificate to let it go on working. Affected websites will have to renew their certificate and I'm sure that most will do this quickly once they are aware of this problem.
- Bug 1309707 - Distrust new certs chaining up to current WoSign/StartCom roots
Can anyone suggest a free alternative for certificates that isn't on Mozilla's bad side? One that can sign DV certificates for at least a year at a time with the same minimal level of validation that StartSSL does? Let's Encrypt wouldn't be so bad, except it only signs certs for 3 months at a time, and the effort it takes with all the copy and pasting of commands is frustrating. When you have 20+ sub-domains, it gets old real fast.
Issues like this shouldn't happen if a CA follows all rules and doesn't violate policies they should know about.
Is there a way to mark this request as Closed: Unresolved? There doesn't seem to be a reasonable solution to my problem at this time, but I don't need anyone else to spend their time thinking about it at this point in time.
This forum will move to a new form (Lithium) in about an hour and today's changes will probably not be migrated as the final snapshot was taken yesterday.
- [/forums/contributors/712402] PLEASE don’t panic aka Launch day fun TOMORROW!
Modified by cor-el on