My client purchased an SSL cert on GoDaddy, but sometimes it shows this error on some computers: ERR::NET_CERT_REVOKED. I asked GoDaddy, but they have not replied yet, while my client is pushing me. Any help on this, please?
If your SSL certificate is not revoked or cancelled by the certificate authority, then you may have some solutions. The main issue with certificate revocation in Chrome is that the client machine is being blocked from contacting the revocation servers for getting the website SSL certificate.
First, find the actual reason behind the revocation. Here are some reasons:
Your private key has been compromised
The SSL certificate was not issued properly
Failed identity verification
Solution
Try this tip first
Windows \ Mac \ Chromebook
Menu > History > Clear browser data (Choose Browsing History, Download History, Cookies, Cached images)
Once the SSL certificate is revoked, it's not possible to get it back, and you may have to purchase a new one. However, the SSL is not permanently revoked; you can contact your SSL provider to reissue it, replace the SSL certificate files on the web server with the new ones, and remove all the old SSL certificate files. It may solve your issue.
I had the same issue 2 weeks ago. I was told to reinstall, and it works for me.
Related
I have multiple Intel NUCs out in the field that I use for displaying digital signage. Out of the thousands I have in the field, a couple complain with this error:
SSL certificate problem: self signed certificate in certificate chain. More details here: http://curl.haxx.se/docs/sslcerts.html, curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
I've confirmed that the cert is not expired, and the domain name matches
These units are running on Debian 7
Could the network they are on cause this issue with some sort of firewall setting?
When you visit the website, what certificate is shown in the web browser? In your curl bundle, is that the same certificate which is supposed to be used for SSL encryption? I'd guess no. The CA will sign your cert.pem so that web browsers will show your green lock, thereby authenticating your website. You most likely have an issue on the back end with the configuration of your curl bundle. You need to make sure that your server is using the CA cert, not a self-signed certificate like ssl-cert-snakeoil.pem, for example.
Essentially, your website should be using a static IPv4 address. As far as a network firewall stopping an SSL handshake from happening, that may be possible. I have seen it happen on specific ports; for example, port 22 for ssh connections may be blocked at the network gateway for inbound traffic on a client-side computer attempting a connection to a server. The SYN/ACK TCP handshake (https://tools.ietf.org/rfc/rfc793.txt) may time out in that type of network firewall situation. However, since you are getting an explicit response from your server about a self-signed cert, a firewall issue does not seem to be the problem.
I successfully secured a NiFi node (localhost) with SSL, but I always have a yellow padlock in my browser, as you can see in the pic here
Do you have any idea?
Thanks
If you used an untrusted certificate then this is expected behavior. You would have to purchase a real certificate for a real domain name in order for the browser to not warn you.
I see the description below:
Standalone : generates the certificate authority, keystores, truststores, and nifi.properties files in one command
Client/Server mode : uses a Certificate Authority Server that accepts Certificate Signing Requests from clients, signs them, and sends the resulting certificates back. Both client and server validate the other’s identity through a shared secret.
Standalone and client, both generate the certificate authority, keystores, truststores.
Sorry, I don't see the difference.
I have manually installed an SSL certificate that I had bought from GoDaddy. It installed successfully, but it shows a self-signed certificate which is not trusted, or displays a cross on https.
What is the solution?
It is showing because it does not recognize the certificate that you got from GoDaddy.
The CSR certificate has to be uploaded to your site, and changes have to be made to the Apache config file.
Make sure your CSR file should not match with the private key that you submitted to verify your site.
Installing an SSL certificate requires some server administration know-how, especially updating the web server configuration.
DigitalOcean has a great tutorial on how to install an SSL certificate from GoDaddy: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#example-ca-2-godaddy
Maybe it helps.
To check if you installed it correctly, you can use Qualys SSL Server Test at https://www.ssllabs.com/ssltest/index.html
When I send a request to a known site like Facebook, Google, ... over the https protocol, the certificates appear in the browser via the padlock.
How does the website (Facebook, Google, ...) certificate come to my browser?
How does my browser know the certificate is valid? Is it asking the Certificate Authority company?
What do my computer's trusted certificates (on Windows, certmgr.msc) mean?
1. How does the website (Facebook, Google, ...) certificate come to my browser?
When your browser requests a website using the HTTPS protocol the transfer will start with a SSL/TLS handshake. During this handshake the server will submit the website certificate to your browser.
2. How does my browser know the certificate is valid? Is it asking the Certificate Authority company?
The website certificate is commonly provided by a certificate authority (CA). The CA has signed the website certificate with its own certificate, after it has verified the website's identity. Every browser has some certificates from trusted CAs pre-installed. These certificates are used to check if the submitted website certificate is properly signed by the CA.
In addition, the browser may use the Online Certificate Status Protocol (OCSP) to check if the website is still valid.
3. What do my computer's trusted certificates (on Windows, certmgr.msc) mean?
I guess this is a different topic. The CA certificates used for HTTPS connections are part of the browser (IE, FF, etc.) and not part of the operating system.
Additional notes
The way the browser displays a trusted HTTPS connection depends on the browser and on the type of certificate used.
If you are interested in some details of how the certificates are distributed, you may do some research on the topic of "Public-key infrastructure (PKI)".
We purchased an SSL certificate through DNSimple and installed it on our Heroku SSL endpoint. Now navigating to the app via SSL works fine on Chrome and Safari, but Firefox shows a "This connection is untrusted" error. Why would an SSL cert be untrusted by Firefox only?
We figured out the problem:
The Heroku docs point to the following bundle.pem file, which DOES NOT WORK FOR FIREFOX:
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
The CORRECT bundle.pem file is at:
https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt
as indicated on the RapidSSL site.
Heroku docs need to be updated. Hopefully this saves someone else some time..
UPDATE: We reported this to Heroku and they updated their docs, so this is no longer an issue.
Mozilla include a list of Certificate Authorities (CA) with their products, as do Google, Apple, Microsoft and others. If your certificate can be traced back to one of these, then the browsers will trust it. If not, you have to add an exception, or import the certificate into your browser.
The list of included CAs is created at the whim of the different browser makers. Some include the root CA for your certificate, and it seems Mozilla do not.
You can get a list of CAs included by Mozilla here. Check your certificate details. If the root CA is on this list, file it as a bug with Mozilla. If it's not, you could try asking them if they'll include it for the next release.
It's a problem with RapidSSL, not yours.
You should not only provide the server certificate, but should concatenate your server certificate and the INTERMEDIATE CA certificate.
Do
$ cat ca_certificate.crt >> server_.crt
and restart your nginx.
You can find the CA certificate on the site where you bought the certificate.
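
The missing-intermediate failure discussed in the answers above can be reproduced offline; this is an added example, not part of the original posts. It builds a constructed throwaway root, intermediate and leaf with `openssl` (all names, file names and helper functions are made up) and shows that a client trusting only the root rejects the leaf unless the server also sends the intermediate.

```bash
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# Assumes the openssl CLI and its default config are installed.
set -u

build_demo_pki() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    # Extension sections: CA certs must carry basicConstraints CA:TRUE.
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
      'keyUsage=critical,keyCertSign,cRLSign' \
      '[leaf]' 'basicConstraints=CA:FALSE' \
      'subjectAltName=DNS:www.example.test' > ext.cnf
    # mk NAME CN: new key pair plus a CSR for it.
    mk() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
             -subj "/CN=$2" -out "$1.csr"; }
    mk root "Demo Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ext.cnf -extensions ca -out root.crt &&
    mk int "Demo Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile ext.cnf -extensions ca -out int.crt &&
    mk leaf "www.example.test" &&
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 2 -extfile ext.cnf -extensions leaf -out leaf.crt &&
    # What the server should serve: leaf first, then the intermediate.
    cat leaf.crt int.crt > fullchain.pem
  ) >/dev/null 2>&1
}

# Models a client whose trust store holds only the root.
# $1 = directory, $2 = file with the certificates the server sends.
client_accepts() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2" "$1/leaf.crt" \
    >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR" || echo "PKI generation failed"
client_accepts "$DEMO_DIR" leaf.crt \
  && echo "leaf only: trusted" || echo "leaf only: untrusted"
client_accepts "$DEMO_DIR" fullchain.pem \
  && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: untrusted"
```

Against a real deployment, the same `openssl verify -CAfile ... -untrusted ...` call can be run on the files actually installed on the server to confirm the bundle is complete before restarting it.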