Firefox says Peer's Certificate has been revoked
David Newman
dnewman at networktest.com
Tue Dec 21 00:29:08 MSK 2010
When attempting https connections to the server mail.cvcbike.org that
previously ran Apache and now runs nginx with the same certs, Firefox
browsers return this error:
Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
Other browsers (IE, Safari, Chrome) work without errors, and this
previously worked with Apache.
This server uses a GoDaddy bundled cert, and its hostname is one of the
alt DNS names listed in the GoDaddy cert.
Per this and other postings:
http://marc.info/?l=nginx&m=123281043101966&w=2
I concatenated the server's cert and the godaddy cert:
cat server.crt gd_bundle.crt > mail.cvcbike.org.crt
and use that in the nginx.config:
ssl_certificate /etc/ssl/mail.cvcbike.org.crt;
ssl_certificate_key /etc/ssl/private/all.key;
But the Firefox error persists across restarts.
I've posted openssl output below for the two certs.
Thanks in advance for clues on fixing the cert error in Firefox.
dn
# openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a4:78:72:a4:4c:b2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
Validity
Not Before: Nov 23 20:13:13 2009 GMT
Not After : Oct 14 14:03:22 2012 GMT
Subject: O=mail3.networktest.com, OU=Domain Control Validated,
CN=mail3.networktest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://crl.godaddy.com/gds1-11.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository/
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers -
URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
X509v3 Authority Key Identifier:
keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Subject Alternative Name:
DNS: DNS:mail.cvcbike.org, DNS:lists.cvcbike.org
X509v3 Subject Key Identifier:
59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2
Signature Algorithm: sha1WithRSAEncryption
# openssl x509 -noout -text -in gd_bundle.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 769 (0x301)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
Certification Authority
Validity
Not Before: Nov 16 01:54:37 2006 GMT
Not After : Nov 16 01:54:37 2026 GMT
Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Authority Key Identifier:
keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com
X509v3 CRL Distribution Points:
URI:http://certificates.godaddy.com/repository/gdroot.crl
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: http://certificates.godaddy.com/repository
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
root at mail:ssl# openssl x509 -noout -text -in mail mail.cvcbike.org.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a4:78:72:a4:4c:b2
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure
Certification Authority/serialNumber=07969287
Validity
Not Before: Nov 23 20:13:13 2009 GMT
Not After : Oct 14 14:03:22 2012 GMT
Subject: O=mail3.networktest.com, OU=Domain Control Validated,
CN=mail3.networktest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://crl.godaddy.com/gds1-11.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository/
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers -
URI:http://certificates.godaddy.com/repository/gd_intermediate.crt
X509v3 Authority Key Identifier:
keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Subject Alternative Name:
DNS: DNS:mail.cvcbike.org,
DNS:lists.cvcbike.org
X509v3 Subject Key Identifier:
59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2
Signature Algorithm: sha1WithRSAEncryption
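An added example, not part of the original post: a small Python check that reads `openssl x509 -noout -text` output, confirms that a concatenated `ssl_certificate` file is ordered server certificate first with each issuer following (matched by key identifier), and pulls out the serial number and the OCSP and CRL endpoints the certificate advertises for revocation checking. The function names are hypothetical, and the sample input is trimmed from the field values shown in the post.

```python
import re

# Constructed input: field values copied from the post's openssl output, with
# the key and signature dumps left out. Helper names below are hypothetical.
LEAF_TEXT = """Serial Number:
    a4:78:72:a4:4c:b2
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 CRL Distribution Points:
    URI:http://crl.godaddy.com/gds1-11.crl
Authority Information Access:
    OCSP - URI:http://ocsp.godaddy.com/
X509v3 Authority Key Identifier:
    keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Subject Key Identifier:
    59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2"""
INTERMEDIATE_TEXT = """Serial Number: 769 (0x301)
X509v3 Subject Key Identifier:
    FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
X509v3 Authority Key Identifier:
    keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
    URI:http://certificates.godaddy.com/repository/gdroot.crl"""

def parse_x509_text(text):
    """Pull chain-linking and revocation fields out of `openssl x509 -text` output."""
    def field(pattern):  # first non-empty capture group, or None if absent
        m = re.search(pattern, text)
        return next((g for g in m.groups() if g), None) if m else None
    return {  # serial is normalised to bare hex for both layouts openssl prints
        "serial": field(r"Serial Number:\s*(?:\d+\s*\(0x([0-9a-f]+)\)|([0-9a-f:]+))").replace(":", ""),
        "is_ca": "CA:TRUE" in text,
        "ski": field(r"Subject Key Identifier:\s*([0-9A-F:]+)"),
        "aki": field(r"Authority Key Identifier:\s*keyid:([0-9A-F:]+)"),
        "ocsp": field(r"OCSP - URI:(\S+)"),
        "crl": field(r"CRL Distribution Points:\s*(?:Full Name:\s*)?URI:(\S+)"),
    }

def check_bundle_order(certs):
    """List ordering problems in a concatenated bundle (parsed certs, file order)."""
    problems = []
    if certs[0]["is_ca"]:  # nginx expects the server certificate first
        problems.append("first certificate is a CA, not the server certificate")
    for i, (child, parent) in enumerate(zip(certs, certs[1:])):
        if child["aki"] != parent["ski"]:  # issuer's SKI must equal child's AKI
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    return problems
```

`openssl x509` reads only the first certificate in a file, so a concatenated bundle has to be split and each certificate dumped separately before its text is passed to `parse_x509_text`.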