|
Ticket ID: SIXXS #10541354 Ticket Status: Resolved PoP: (not applicable)
sec_error_revoked_certificate when visiting https://www.sixxs.net using Firefox
![[de]](/s/countries/de.gif) Shadow Hawkins on Friday, 22 November 2013 22:28:42
... only happens with Firefox, other browsers (IE, Chrome, Opera) work.
Analysis via packet trace reveals, that during SSL handshake two certificates for www.sixxs.net are transmitted: one with serial number 60129 and validity from 04.01.2012 to 03.01.2014 and an old one with serial number 39969 and validity from 26.01.2010 to 26.01.2012. This second certificate seems to produce the error in Firefox, while other browsers are happy with the first one.
A workaround (disabling certificate Validation via OCSP) is described here: http://nigelball.org/2010/01/28/firefox-sec_error_revoked_certificate-issue
sec_error_revoked_certificate when visiting https://www.sixxs.net using Firefox
The old certificate is not there anymore and thus should not interfer. As such you should now get:
$ echo | openssl s_client -connect www.sixxs.net:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 4 17:14:03 2012 GMT
notAfter=Jan 3 17:14:03 2014 GMT
Apparently though that serial number has been revoked for whatever reason:
$ openssl ocsp -issuer class3-cacert.cert -serial 0xeae1 -host ocsp.cacert.org:80 -CAfile class3-cacert.cert
Response verify OK
0xeae1: revoked
This Update: Nov 22 23:08:47 2013 GMT
Next Update: Nov 24 23:22:08 2013 GMT
Revocation Time: Nov 21 20:31:50 2013 GMT
hence also why disabling the OCSP check makes things work.
We currently have the following certs:
Serial Number: 60130 (0xeae2)
Serial Number: 60128 (0xeae0)
Serial Number: 60127 (0xeadf)
Serial Number: 60129 (0xeae1)
Seems that only the www.sixxs.net one is revoked...
Response verify OK
0xeae2: good
This Update: Nov 22 23:15:21 2013 GMT
Next Update: Nov 24 23:27:43 2013 GMT
Response verify OK
0xeae0: good
This Update: Nov 22 23:15:21 2013 GMT
Next Update: Nov 24 23:27:43 2013 GMT
Response verify OK
0xeadf: good
This Update: Nov 22 23:15:21 2013 GMT
Next Update: Nov 24 23:27:43 2013 GMT
Response verify OK
0xeae1: revoked
This Update: Nov 22 23:15:21 2013 GMT
Next Update: Nov 24 23:27:43 2013 GMT
Revocation Time: Nov 21 20:31:50 2013 GMT
We are looking into it what is really wrong here though.
sec_error_revoked_certificate when visiting https://www.sixxs.net using Firefox
We are awaiting a new certificate to be issued, that will resolve this problem.
sec_error_revoked_certificate when visiting https://www.sixxs.net using Firefox
New certificate installed, which should fix this issue and avoid having a need to install the CAcert certificate for www.sixxs.net and *.sixxs.net; though as wildcards do not match www.ipv6.sixxs.net you will still find the CAcert certificates for those variants of hosts.
Note that:
http://www.sixxs.net (dual stack)
http://ipv6.sixxs.net (IPv6 only)
http://ipv4.sixxs.net (IPv4 only)
Can all be used to access the SixXS website.
sec_error_revoked_certificate when visiting https://www.sixxs.net using Firefox
Shadow Hawkins on Saturday, 23 November 2013 23:29:49
In order to make it work, I had to install an intermediate certificate "Gandi Standard SSL CA" from http://crt.gandi.net/GandiStandardSSLCA.crt which was not available in my Firefox certificate store.
sec_error_revoked_certificate when visiting https://www.sixxs.net using Firefox
You don't need to do that manually. This Intermediate is now provided by our server. See also the news article for other changes that where made.
|
![[ch]](/s/countries/ch.gif)
on Friday, 22 November 2013 23:31:37
Posting is only allowed when you are