Firefox says Peer's Certificate has been revoked
Maxim Dounin
mdounin at mdounin.ru
Tue Dec 21 03:00:03 MSK 2010
Hello!
On Mon, Dec 20, 2010 at 01:29:08PM -0800, David Newman wrote:
> When attempting https connections to the server mail.cvcbike.org that
> previously ran Apache and now runs nginx with the same certs, Firefox
> browsers return this error:
>
> Peer's Certificate has been revoked.
>
> (Error code: sec_error_revoked_certificate)
>
> Other browsers (IE, Safari, Chrome) work without errors, and this
> previously worked with Apache.
Most likely in other browsers you've disabled (or not enabled,
and it's not enabled by default) certificate revocation checking.
[...]
> # openssl x509 -noout -text -in server.crt
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> a4:78:72:a4:4c:b2
[...]
> Validity
> Not Before: Nov 23 20:13:13 2009 GMT
> Not After : Oct 14 14:03:22 2012 GMT
> Subject: O=mail3.networktest.com, OU=Domain Control Validated,
> CN=mail3.networktest.com
[...]
> X509v3 CRL Distribution Points:
> URI:http://crl.godaddy.com/gds1-11.crl
It looks like the revocation list in question includes this
certificate:
$ openssl crl -text -noout -inform DER -in gds1-11.crl
...
Serial Number: A47872A44CB2
Revocation Date: Jan 19 04:12:03 2010 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
...
So your cert was revoked almost a year ago. I would worry about
browsers where it works - as it shouldn't.
Maxim Dounin
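
The comparison made in the message above, as an added example that is not part of the original post: `openssl x509 -text` prints the serial as a4:78:72:a4:4c:b2 while `openssl crl -text` lists it as A47872A44CB2, so both sides are normalized before matching. The function names and the two extra CRL entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): look a serial up in CRL text.

# Strip "serial=", colons, whitespace and leading zeros; upper-case the hex.
normalize_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ': \t\n' | tr 'a-f' 'A-F' | sed 's/^0*//'
}

# crl_lookup SERIAL < crl-text
# Prints "revocation date|reason" and returns 0 if listed, returns 1 if not.
crl_lookup() {
    want=$(normalize_serial "$1")
    awk -v want="$want" '
        /Serial Number:/ {
            if (found) exit                      # end of the matching entry
            s = $0; sub(/.*Serial Number:[ \t]*/, "", s)
            gsub(/[: \t\r]/, "", s); s = toupper(s); sub(/^0+/, "", s)
            found = (s == want); next
        }
        found && /Revocation Date:/ {
            date = $0; sub(/.*Revocation Date:[ \t]*/, "", date)
            sub(/[ \t\r]+$/, "", date)
        }
        found && /CRL Reason Code:/ {            # reason text is on the next line
            if ((getline r) > 0) { gsub(/^[ \t]+|[ \t\r]+$/, "", r); reason = r }
        }
        END {
            if (!found) exit 1
            print date "|" (reason == "" ? "unspecified" : reason)
        }'
}

# Constructed sample: the middle entry uses the values quoted in the post,
# the other two entries are made up for the example.
sample_crl() {
    cat <<'EOF'
Revoked Certificates:
    Serial Number: 0123456789AB
        Revocation Date: Feb  2 10:00:00 2010 GMT
    Serial Number: A47872A44CB2
        Revocation Date: Jan 19 04:12:03 2010 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
    Serial Number: 0FEDCBA98765
        Revocation Date: Mar  3 11:00:00 2010 GMT
EOF
}

sample_crl | crl_lookup 'a4:78:72:a4:4c:b2'
```

Against a real CRL, pipe the output of `openssl crl -text -noout -inform DER -in gds1-11.crl` into `crl_lookup` and pass the serial as printed by `openssl x509 -noout -serial -in server.crt`.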