TLS certificate revoked

Status
Not open for further replies.
Hello,

The certificate that was used to sign the www.bobistheoilguy.com certificate has been revoked. This causes the latest version of Chrome (beta) to reject the connection. A new certificate should be generated using a valid signer.

robert
 
Originally Posted By: robertcope
Hello,

The certificate that was used to sign the www.bobistheoilguy.com certificate has been revoked. This causes the latest version of Chrome (beta) to reject the connection. A new certificate should be generated using a valid signer.

robert
"The certificate which was used to 'sign the certificate'"?
 
Originally Posted By: HerrStig
"The certificate which was used to 'sign the certificate'"?


TLS is based on a web of trust, so to speak. There are certificate authorities (CA) which have "root certificates", which are included in your browser. Those CAs can then create new certificates which are signed by their certificates. Your browser will trust the new certificate because it has the CA's certificate in its CA database. Usually there are intermediate certificates, too.

www.bobistheoilguy.com's certificate is signed by a certificate named "AlphaSSL CA - SHA256 - G2", which in turn was signed by "GlobalSign Root CA". For some reason, the AlphaSSL certificate was revoked. The browser knows this because it checks a Certificate Revocation List (CRL). Because of this, some browsers will throw up an error and not let you pass.

Clear as mud?

robert
 
Odd, I'm getting no errors here at all? Certificate shows as being fine.
 
We know there is a problem with an intermediate signing certificate and we're working on it. Google Chrome doesn't exhibit the problem, but Microsoft EDGE does.

Wayne
 
GlobalSign/AlphaSSL had a problem with their ORCL (Open Revoke Certificate List) that caused the intermediate certificate to be shown as revoked. So all certificates issued with that certificate would have come up as revoked even though they are not revoked. The problem is that various browsers actually cache that information on the local client to help speed things up. So now they have this bad data cached.
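
The chain check robert describes and the stale-cache effect described in the post above, as an added example that is not part of either post. It uses the Python `cryptography` package with a constructed root, intermediate and leaf; all names, the seven-day CRL lifetime and the client logic are assumptions, and it checks revocation only, not certificate signatures or validity dates.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(cn, key, issuer_cn, issuer_key):  # constructed test certificate
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=30)).sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cn, issuer_key, revoked_serials):  # CRL signed by the issuer
    b = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                .serial_number(serial).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def first_revoked(chain, fetch_crl, issuer_keys, cache):
    """Hypothetical client logic: walk the chain leaf-first with a local CRL cache and
    return the CN of the first revoked certificate, or None."""
    for cert in chain:
        if cert.issuer not in cache:  # fetch only when nothing is cached
            crl = fetch_crl(cert.issuer)
            if not crl.is_signature_valid(issuer_keys[cert.issuer]):
                raise ValueError("CRL signature does not match issuer")
            cache[cert.issuer] = crl
        if cache[cert.issuer].get_revoked_certificate_by_serial_number(cert.serial_number):
            return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return None

def demo():  # -> (with faulty CRL, with stale cache after the fix, after a cache flush)
    rk, ik, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root, mid = "Example Root CA", "Example Intermediate CA"  # constructed names
    inter, leaf = issue(mid, ik, root, rk), issue("www.example.test", lk, mid, ik)
    keys, cache = {inter.issuer: rk.public_key(), leaf.issuer: ik.public_key()}, {}
    served = {inter.issuer: make_crl(root, rk, [inter.serial_number]),  # faulty CRL
              leaf.issuer: make_crl(mid, ik, [])}
    faulty = first_revoked([leaf, inter], served.get, keys, cache)
    served[inter.issuer] = make_crl(root, rk, [])  # CA publishes a corrected CRL
    stale = first_revoked([leaf, inter], served.get, keys, cache)
    cache.clear()  # local cache flushed
    return faulty, stale, first_revoked([leaf, inter], served.get, keys, cache)
```

The leaf's own serial number never appears on any CRL here; the chain fails only because its issuer is listed, and it keeps failing after the corrected CRL is published until the cached copy is dropped.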
 
Originally Posted By: wwillson
We know there is a problem with an intermediate signing certificate and we're working on it. Google Chrome doesn't exhibit the problem, but Microsoft EDGE does.


Chrome Beta is as of the release yesterday. Obviously, that's a small number of users at this point, but it'll go to release sooner or later.

robert
 
Originally Posted By: wwillson
GlobalSign/AlphaSSL had a problem with their ORCL (Open Revoke Certificate List) that caused the intermediate certificate to be shown as revoked. So all certificates issued with that certificate would have come up as revoked even though they are not revoked. The problem is that various browsers actually cache that information on the local client to help speed things up. So now they have this bad data cached.


I downloaded the latest CRLSet for Chrome this morning with no effect. Interestingly, Qualys' SSL Labs tool shows it to be a valid certificate.

Anyhow, it sounds like you are aware of the issue, so I'll shut up now.

robert
 
Is this why I have to login practically every time I come to bitog, despite selecting the remember me option?
 
Originally Posted By: Gasbuggy
Is this why I have to login practically every time I come to bitog, despite selecting the remember me option?


Do you mean you have to click the "login" button? Or do you have to fill the username and password fields every time?
 
For me it's still doing it as of the time of this post in Chrome 53.0.2785.143, Maxthon 4.4.8.2000, and IE 11. I do not get it on my Android phone (Lollipop 5.1) using Chrome Mobile.
 
The certificate may be sticky.
Options you may need to take are possibly the following.

1) clear your certificate cache: https://support.globalsign.com/customer/portal/articles/1353318
certutil -urlcache * delete

2) Uninstall/reinstall the browser

If above fails
-Use a browser that you have not used to access bitog recently, or install a new browser (e.g. Firefox)
-Wait up to 4 days and it should clear out.
 
Originally Posted By: wwillson
Originally Posted By: Gasbuggy
Is this why I have to login practically every time I come to bitog, despite selecting the remember me option?


Do you mean you have to click the "login" button? Or do you have to fill the username and password fields every time?


A mix of both. Just now I had to physically login.
 
Originally Posted By: raytseng
The certificate may be sticky.
Options you may need to take are possibly the following.

1) clear your certificate cache: https://support.globalsign.com/customer/portal/articles/1353318
certutil -urlcache * delete

2) Uninstall/reinstall the browser

If above fails
-Use a browser that you have not used to access bitog recently, or install a new browser (e.g. Firefox)
-Wait up to 4 days and it should clear out.


Using the "certutil" Command Line thing to clear the certificate cache fixed the problem, thanks!!
 
Anyone else still experiencing the certificate issue from time to time? Sometimes it works no problem, other times I get the certificate error.
 