Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Multiple Sites Blocked with "SEC_ERROR_REVOKED_CERTIFICATE", but work fine with Google Chrome

  • 10 uphendule
  • 1 inale nkinga
  • 31 views
  • Igcine ukuphendulwa ngu Eliot Mayer

more options

In the last few days, I started having multiple web sites blocked with "SEC_ERROR_REVOKED_CERTIFICATE". They work fine with Google Chrome and Microsoft Edge, and I trust them. One example is http://www.wumb.org, a public radio station. I found nothing in Firefox Help to bypass this security flag and go to the page.

If there is a work-around, please make it show up when searching for SEC_ERROR_REVOKED_CERTIFICATE in Firefox Help. If there is no work-around, please add one. Otherwise, Firefox, my favorite browser, will quickly get a bad reputation.

Thanks,

Eliot Mayer Belmont, MA, USA

Isisombululo esikhethiwe

Eliot Mayer said

TyDraniu said

2. The work-around will lower your security, but for a moment you can try to turn off the Query OCSP responder servers to confirm the current validity of certificates option.
2. What is the procedure to "try to turn off the Query OCSP responder servers to confirm the current validity of certificates option."?

On the settings page, there is a tiny search box at the top. Type or paste ocsp in the box to filter the page and find that checkbox.

Funda le mpendulo ngokuhambisana nalesi sihloko 👍 1

All Replies (10)

more options
  1. Can you check the revocation status on this page? https://certificate.revocationcheck.com/wumb.org
  2. The work-around will lower your security, but for a moment you can try to turn off the Query OCSP responder servers to confirm the current validity of certificates option.

Helpful?

more options

Hi TyDraniu,

Thank you for trying to help. I'm not there yet:

1. I tried your revocationcheck link and got this: Revocation check via OCSP and CRL for wumb.org failed Sorry, the request for wumb.org could not be completed... We could not load the certificate for wumb.org, it might not exist or we could not reach the server, complete the TLS handshake, etc.

2. What is the procedure to "try to turn off the Query OCSP responder servers to confirm the current validity of certificates option."?

Helpful?

more options

The certificate shows as revoked on this test site: https://www.ssllabs.com/ssltest/analyze.html?d=www.wumb.org&latest

This seems to be surprisingly frequent with Starfield/GoDaddy certificates and the site owners may not realize it if they never visit their site in a browser that does OCSP lookups. (Chrome uses a cached list called a CRL, so there are delays in when it recognizes a revoked certificate.)

I suggest informing the site of the problem.

Helpful?

more options

Isisombululo Esikhethiwe

Eliot Mayer said

TyDraniu said

2. The work-around will lower your security, but for a moment you can try to turn off the Query OCSP responder servers to confirm the current validity of certificates option.
2. What is the procedure to "try to turn off the Query OCSP responder servers to confirm the current validity of certificates option."?

On the settings page, there is a tiny search box at the top. Type or paste ocsp in the box to filter the page and find that checkbox.

Helpful?

more options

What works for me in this case is:

  • about:config => security.OCSP.enabled = 2 (0: disable; 1: EV and DV certs; 2:EV certs)

You can open the about:config page via the location/address bar. You can click the button to "Accept the Risk and Continue".

Another test page that also shows the certificate as revoked:

  • https://decoder.link/

Helpful?

more options

I did the "oscp" unchecking. It works, but I understand that this lowers security. I also wrote to the folks at wumb.org and passed along your info. If they tell me that the certificate is updated, I'll try re-enabling "oscp" (if it doesn't mess up other sites that I trust). Thanks for helping!

Helpful?

more options

Best is to set security.OCSP.enabled = 2 to have at least OCSP enabled for EV (Extended_Validation) certificates used by larger companies and not disable OCSP completely by setting security.OCSP.enabled = 0 If you do not visit this website too often then you can consider to leave the pref default and only disable OCSP if you visit this website. I would in this case use a separate profile with lower OCSP protection for cases like this.

See "Creating a profile":

Helpful?

more options

Hi cor-el.

What is the procedure to set security.OCSP.enabled = 2? I only see a yes/no checkbox "Query OCSP responder servers to confirm the current validity of certificate" in the Firefox Setting.

Thanks.

Helpful?

more options

If you use that checkbox in Settings and you only disable OCSP temporarily when you need to visit this website then you should be OK, but if you choose to disable OCSP all the time until the website fixes their certificate then best is to set security.OCSP.enabled = 2 on the about:config page.

You can open the about:config page via the location/address bar. You can click the button to "Accept the Risk and Continue". You can paste security.OCSP.enabled in its find bar to quickly locate this pref and double-click this line and change the value to 2 and press the blue OK button at the far right to confirm the change.

Okulungisiwe ngu cor-el

Helpful?

more options

Thanks. I used your info to set security.OCSP.enabled = 2.

Helpful?

Buza umbuzo

Kufanele ulogele ukungena ku-akhawunti yakho ukuze uphendule amaphosti. Uyacelwauqale umbuzo omusha, uma ungekabi nayo i-akhawunti namanje.