Firefox says Peer's Certificate has been revoked

Maxim Dounin mdounin at mdounin.ru
Tue Dec 21 03:00:03 MSK 2010


Hello!

On Mon, Dec 20, 2010 at 01:29:08PM -0800, David Newman wrote:

> When attempting https connections to the server mail.cvcbike.org that
> previously ran Apache and now runs nginx with the same certs, Firefox
> browsers return this error:
> 
> Peer's Certificate has been revoked.
> 
> (Error code: sec_error_revoked_certificate)
> 
> Other browsers (IE, Safari, Chrome) work without errors, and this
> previously worked with Apache.

Most likely in other browsers you've disabled (or not enabled, 
and it's not enabled by default) certificate revocation checking.

[...]

> # openssl x509 -noout -text -in server.crt
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             a4:78:72:a4:4c:b2

[...]

>         Validity
>             Not Before: Nov 23 20:13:13 2009 GMT
>             Not After : Oct 14 14:03:22 2012 GMT
>         Subject: O=mail3.networktest.com, OU=Domain Control Validated,
> CN=mail3.networktest.com

[...]

>             X509v3 CRL Distribution Points:
>                 URI:http://crl.godaddy.com/gds1-11.crl

It looks like the revocation list in question includes this 
certificate:

$ openssl crl -text -noout -inform DER -in gds1-11.crl
...
    Serial Number: A47872A44CB2
        Revocation Date: Jan 19 04:12:03 2010 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
...

So your cert was revoked almost a year ago.  I would worry about 
browsers where it works - as it shouldn't.

Maxim Dounin
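
The manual comparison in the reply above, as an added example that is not part of the original message: a shell helper that normalizes a certificate serial and looks it up in `openssl crl -text` output. The function names and the second CRL entry in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: match a certificate serial against `openssl crl -text` output.

# x509 -text prints a4:78:72:a4:4c:b2, x509 -serial prints serial=A47872A44CB2,
# and crl -text prints A47872A44CB2. Reduce all of them to one canonical form.
# Assumption: hex form only; short serials shown as "4660 (0x1234)" are not handled.
normalize_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ': \n' | tr 'a-f' 'A-F' | sed 's/^0*//'
}

# crl_lookup SERIAL   (CRL text on stdin)
# Prints "revoked|<date>|<reason>" or "not-listed"; reason is empty if absent.
crl_lookup() {
    want=$(normalize_serial "$1")
    awk -v want="$want" '
        /^ *Serial Number:/ {
            s = toupper($3); sub(/^0+/, "", s)
            hit = (s == want); if (hit) found = 1
            next
        }
        hit && /Revocation Date:/ { sub(/^ *Revocation Date: */, ""); date = $0; next }
        hit && /CRL Reason Code:/ { getline; sub(/^ */, ""); reason = $0; next }
        END {
            if (found) printf "revoked|%s|%s\n", date, reason
            else print "not-listed"
        }'
}

# Constructed sample: the first entry is the one quoted in the message,
# the second entry is made up and carries no reason code.
sample_crl_text() {
    cat <<'EOF'
Revoked Certificates:
    Serial Number: A47872A44CB2
        Revocation Date: Jan 19 04:12:03 2010 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 0123456789AB
        Revocation Date: Mar 12 10:00:00 2010 GMT
EOF
}

sample_crl_text | crl_lookup 'a4:78:72:a4:4c:b2'
```

Against real files the same function takes its input from openssl: `openssl crl -text -noout -inform DER -in gds1-11.crl | crl_lookup "$(openssl x509 -noout -serial -in server.crt)"`.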


