Firefox says Peer's Certificate has been revoked

David Newman dnewman at networktest.com
Tue Dec 21 00:29:08 MSK 2010


When attempting https connections to the server mail.cvcbike.org that
previously ran Apache and now runs nginx with the same certs, Firefox
browsers return this error:

Peer's Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

Other browsers (IE, Safari, Chrome) work without errors, and this
previously worked with Apache.

This server uses a GoDaddy bundled cert, and its hostname is one of the
alt DNS names listed in the GoDaddy cert.

Per this and other postings:

http://marc.info/?l=nginx&m=123281043101966&w=2

I concatenated the server's cert and the godaddy cert:

cat server.crt gd_bundle.crt > mail.cvcbike.org.crt

and use that in the nginx.config:

  ssl_certificate      /etc/ssl/mail.cvcbike.org.crt;
  ssl_certificate_key  /etc/ssl/private/all.key;

But the Firefox error persists across restarts.

I've posted openssl output below for the two certs.

Thanks in advance for clues on fixing the cert error in Firefox.

dn

# openssl x509 -noout -text -in server.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a4:78:72:a4:4c:b2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
        Validity
            Not Before: Nov 23 20:13:13 2009 GMT
            Not After : Oct 14 14:03:22 2012 GMT
        Subject: O=mail3.networktest.com, OU=Domain Control Validated, CN=mail3.networktest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gds1-11.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt

            X509v3 Authority Key Identifier:
                keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7

            X509v3 Subject Alternative Name:
                DNS: DNS:mail.cvcbike.org, DNS:lists.cvcbike.org
            X509v3 Subject Key Identifier:
                59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2
    Signature Algorithm: sha1WithRSAEncryption


# openssl x509 -noout -text -in gd_bundle.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 769 (0x301)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
        Validity
            Not Before: Nov 16 01:54:37 2006 GMT
            Not After : Nov 16 01:54:37 2026 GMT
        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
            X509v3 Authority Key Identifier:
                keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com

            X509v3 CRL Distribution Points:
                URI:http://certificates.godaddy.com/repository/gdroot.crl

            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://certificates.godaddy.com/repository

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption

root@mail:ssl#  openssl x509 -noout -text -in mail mail.cvcbike.org.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a4:78:72:a4:4c:b2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
        Validity
            Not Before: Nov 23 20:13:13 2009 GMT
            Not After : Oct 14 14:03:22 2012 GMT
        Subject: O=mail3.networktest.com, OU=Domain Control Validated, CN=mail3.networktest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gds1-11.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt

            X509v3 Authority Key Identifier:
                keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7

            X509v3 Subject Alternative Name:
                DNS: DNS:mail.cvcbike.org, DNS:lists.cvcbike.org

            X509v3 Subject Key Identifier:
                59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2
    Signature Algorithm: sha1WithRSAEncryption
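
An added example, not part of the original post: for a revocation error, the relevant fields in the openssl output above are the leaf's serial number, its OCSP and CRL URLs, and the key identifiers that tie it to the intermediate. This Python sketch parses those fields from excerpts of the posted output (key and signature bytes left out; the function names are made up for this example) and builds the `openssl ocsp` query that asks the CA for the certificate's current status.

```python
import re

HEX = r"((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"
# Excerpts of the `openssl x509 -noout -text` output quoted in the post.
LEAF = """
        Serial Number:
            a4:78:72:a4:4c:b2
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gds1-11.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
            X509v3 Authority Key Identifier:
keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
            X509v3 Subject Key Identifier:
                59:09:DF:F0:FD:E2:17:F8:0F:14:0A:A0:90:A9:1E:52:8E:E5:2D:E2
"""
INTERMEDIATE = """
        Serial Number: 769 (0x301)
            X509v3 Subject Key Identifier:
                FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7
"""

def parse(text):
    """Extract serial, key identifiers and revocation URLs; tolerates mail line wrapping."""
    def first(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    serial = first(r"Serial Number:\s*" + HEX) or first(r"Serial Number:.*\(0x([0-9a-fA-F]+)\)")
    return {
        "serial": serial.replace(":", "").upper() if serial else None,
        "ski": first(r"Subject Key Identifier:\s*" + HEX),
        "aki": first(r"Authority Key Identifier:\s*keyid:" + HEX),
        "ocsp": first(r"OCSP - URI:(\S+)"),
        "crl": first(r"CRL Distribution Points:\s*(?:Full Name:\s*)?URI:(\S+)"),
    }

def revocation_checks(leaf_text, issuer_text, leaf_file="server.crt", issuer_file="gd_bundle.crt"):
    """Check the issuer's key identifier matches the leaf's AKI, then build the status queries."""
    leaf, issuer = parse(leaf_text), parse(issuer_text)
    if not leaf["aki"] or leaf["aki"] != issuer["ski"]:
        raise ValueError("issuer file does not match the leaf's Authority Key Identifier")
    return {
        "serial": leaf["serial"],  # upper-case hex without colons
        "ocsp_cmd": f"openssl ocsp -issuer {issuer_file} -cert {leaf_file} -url {leaf['ocsp']} -resp_text",
        "crl_url": leaf["crl"],
    }

if __name__ == "__main__":
    for key, value in revocation_checks(LEAF, INTERMEDIATE).items():
        print(f"{key}: {value}")
```

The serial is returned in the upper-case form that `openssl crl -text` uses when it lists revoked certificates, so it can be searched for directly in the CRL downloaded from `crl_url`.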


