Firefox says Peer's Certificate has been revoked
Igor Sysoev
igor at sysoev.ru
Tue Dec 21 00:41:37 MSK 2010
On Mon, Dec 20, 2010 at 01:29:08PM -0800, David Newman wrote:
> When attempting https connections to the server mail.cvcbike.org that
> previously ran Apache and now runs nginx with the same certs, Firefox
> browsers return this error:
>
> Peer's Certificate has been revoked.
>
> (Error code: sec_error_revoked_certificate)
>
> Other browsers (IE, Safari, Chrome) work without errors, and this
> previously worked with Apache.
>
> This server uses a GoDaddy bundled cert, and its hostname is one of the
> alt DNS names listed in the GoDaddy cert.
>
> Per this and other postings:
>
> http://marc.info/?l=nginx&m=123281043101966&w=2
>
> I concatenated the server's cert and the godaddy cert:
>
> cat server.crt gd_bundle.crt > mail.cvcbike.org.crt
>
> and use that in the nginx.config:
>
> ssl_certificate /etc/ssl/mail.cvcbike.org.crt;
> ssl_certificate_key /etc/ssl/private/all.key;
>
> But the Firefox error persists across restarts.
>
> I've posted openssl output below for the two certs.
>
> Thanks in advance for clues on fixing the cert error in Firefox.
I'm not sure, but probably the last (#3) GoDaddy certificate in the bundle
may cause the issue. OpenSSL without a preloaded certificate base indicates
it as self-signed:
>openssl s_client -connect mail.cvcbike.org:443
CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=mail3.networktest.com/OU=Domain Control Validated/CN=mail3.networktest.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
--
Igor Sysoev
http://sysoev.ru/en/
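
The check made by eye in the reply above, as an added example that is not part of the original message: it parses the "Certificate chain" section of `openssl s_client` output and reports entries whose subject equals their issuer, plus any entry whose issuer is not the subject of the next certificate. The function names and the sample text are assumptions made for illustration, and the comparison is on the printed names only, not on signatures.

```python
import re

# Constructed sample in the layout `openssl s_client` prints; names are placeholders.
SAMPLE = """\
---
Certificate chain
 0 s:/CN=leaf.example.test
   i:/CN=Example Issuing CA
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    chain, in_chain, current = [], False, None
    for line in text.splitlines():
        line = line.strip()  # tolerate output whose indentation was lost
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":
            break  # end of the chain section
        elif in_chain:
            subj = re.match(r"(\d+)\s+s:(.*)", line)
            if subj:
                current = (int(subj.group(1)), subj.group(2).strip())
            elif line.startswith("i:") and current:
                chain.append((*current, line[2:].strip()))
                current = None
    return chain

def audit_chain(chain):
    """Flag self-signed entries and breaks in the issuer -> next-subject order."""
    findings = [(d, "self-signed") for d, subj, iss in chain if subj == iss]
    for (d, _, iss), (_, next_subj, _) in zip(chain, chain[1:]):
        if iss != next_subj:
            findings.append((d, "issuer differs from next subject"))
    return findings

if __name__ == "__main__":
    for depth, note in audit_chain(parse_chain(SAMPLE)):
        print(f"depth {depth}: {note}")
```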