Expired web/SSL certificate error on only one computer
Answer:
The Win 7 operating on the "problem computer" had had its c:\windows\system 32\drivers\etc\hosts
file edited. a.contoso.com was hard-coded to point to a particular IP address (say, AAA.BBB.CCC.90
). The site at AAA.BBB.CCC.90
still worked but it gave expired certificates. After creating a new site with new certificates (that oddly look the exact same as the old site) at AAA.BBB.CCC.145
, the site developers must have re-directed traffic bound for a.contoso.com to the new site at AAA.BBB.CCC.145
, which was serving valid certificates. I realized this by using running a trace route (tracert
) on one of the working computers which resolved a.contoso.com to AAA.BBB.CCC.145
. Running tracert
on the "problem computer" yielded AAA.BBB.CCC.90
. Browsing directly to AAA.BBB.CCC.145
on the problem computer resulted in a good site with a valid certificate! After I removed the line in host file of the "problem computer" directing traffic directly to AAA.BBB.CCC.90
, everything works just fine.
Now, it seems that the problem wasn't actually with Win 7 certificates at all. The problem was with this machine directing its traffic to an old, obsolete site with old, expired certificates because the address of that site was hard-coded into its hosts file.
Thanks to everyone for helping me reach this conclusion and solve this problem.
Related videos on Youtube
mjblay
Updated on September 18, 2022Comments
-
mjblay over 1 year
I have a strange problem with one website's SSL certificate that only affects one
computerWindows 7 operating system. The site works fine on other Win 7 computers with no error, pulling valid certificates. I do not own or administer the website, but because the site works perfectly on all other computers, I doubt it's a problem with the site. The "problem computer" is a Win 7 machine, and the error happens with every Win 7 user and every browser (or at least IE10, Chrome, and Firefox). I should add that when I boot this "problem computer" to Ubuntu from a USB key, a valid certificate is pulled.The domain has private and public users, so I would rather not use the real domain here. Instead, I'll use one of Microsoft's fake domains (
contoso.com
) to illustrate the problem. The certificate appears to apply to*.contoso.com
, but it only appears when I try to accesshttps://a.contoso.com
. When I accesshttps://b.contoso.com
, I get a different and valid certificate that also applies to*.contoso.com
.EDIT: Browser/Win 7 images of the certificate errors deleted from the original post in favor of openssl output below.
This has been a problem since the certificate expired on December 10, 2014. I have tried going into certmgr.msc > Trusted Root Certification Authorities > Certificates and deleting all of the GeoTrust certificates for both the Current User and the Computer accounts. A new GeoTrust Global CA certificate appeared after reboot, but that did not resolve the situation. Again, this problem affects all users on only one computer regardless of the browser used. Further, it does not affect those same domain users if they log into another computer.
Here are some other solutions I've tried:
- Rebooting (of course).
- Using the Clear SSL State button in inetcpl.cpl > Content
- Accessing the site using this "problem computer" from several different public WiFi networks.
- Using
certutil -setreg chain\ChainCacheResyncFiletime @now
to invalidate current CRL cache entries as per http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx - Used the Copy to File button in the Certificate > Details box on a working computer to copy a working certificate to a file which I then transferred to and installed on the computer with the expired certificate. + reboot, no luck.
Am I correct in assuming this is a problem with the individual computer and not the site hosting the page? And if that's correct, is there a way to force this computer to drop the expired certificate and get the new one that all the other computers are getting?UPDATE: I appear to be partially correct in my assumption that this is not a problem with the site hosting the page. I assumed it was a problem with the computer, itself, but now it appears to be a problem with the Win 7 operating system installed on this "problem computer" only. I come to this conclusion because other computers running Win 7 pull valid certificates and because this "problem computer" pulls a valid certificate when it is booted into Ubuntu from a USB key. Only when this "problem computer" boots into Win 7 does the expired certificate appear. With that knowledge, is there a way to expunge the expired certificate from Win 7 more successfully than the ones I've listed (which have all failed) above?
Thanks in advance.
Edit: here's the output from
openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
on the "problem computer", using Cygwin from the Win 7 operating system. Note the Validity attribute that shows the certificate to expire onDec 10 21:59:20 2014 GMT
:$ openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA verify error:num=20:unable to get local issuer certificate verify return:0 Certificate: Data: Version: 3 (0x2) Serial Number: 113752 (0x1bc58) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA Validity Not Before: Oct 8 16:20:07 2012 GMT Not After : Dec 10 21:59:20 2014 GMT Subject: serialNumber=ibWVTrZnhDvyhydnlXKodqBj0Azl-unn, C=US, ST=Colorado, L=Denver, O=ContosoCompany, OU=ContosoDepartment, CN=*.contoso.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:df:41:d1:5b:bd:00:68:2c:5e:72:65:39:b6:ac: 7d:67:46:64:f9:c7:07:93:89:80:bd:27:77:f0:40: 6f:61:3b:58:96:bc:cb:a3:f9:40:ad:63:27:b3:e3: fb:c6:87:dc:c8:af:9e:0e:79:c4:e2:09:31:34:e8: c4:2a:7c:77:f1:88:41:c3:b3:b4:88:50:d0:3b:c9: 34:ac:61:e2:4d:a1:cd:6d:4e:db:73:25:eb:b7:f7: 82:95:2d:48:10:f7:78:25:a8:c8:05:a0:bd:07:6b: 7c:b9:09:e4:73:1a:ae:b7:8b:cd:9a:ef:58:39:70: c3:20:5d:ab:8e:f0:c3:fc:96:d9:07:80:e1:88:e8: b3:83:18:1c:ba:28:9b:a6:45:7f:0f:98:9b:cb:53: 29:c6:9e:d5:9c:26:40:bd:81:0d:bc:b3:06:90:9a: a3:25:98:bb:b1:b3:0d:e6:7f:4e:93:8e:ee:b4:de: 15:3c:45:ac:1f:41:3d:e1:5e:de:3c:bb:ce:97:40: fa:10:43:1a:bc:44:2a:55:fe:c2:e0:e0:6a:c3:17: 08:a6:ca:51:de:44:0a:c0:28:32:58:a4:f5:1a:ed: c0:8f:40:22:6a:05:1a:9c:2c:20:39:24:83:10:36: a0:49:79:4b:50:9e:ea:e7:5d:d2:57:54:a5:a3:24: 6b:2d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A X509v3 Key Usage: critical Digital Signature, Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:*.contoso.com, DNS:contoso.com X509v3 CRL Distribution Points: Full Name: URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl X509v3 Subject Key Identifier: EE:49:78:68:84:FF:89:18:BE:21:E9:34:73:32:59:33:2E:93:B3:2B X509v3 Basic Constraints: critical CA:FALSE Authority Information Access: OCSP - URI:http://gtssl-ocsp.geotrust.com CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt X509v3 Certificate Policies: Policy: 2.16.840.1.113733.1.7.54 CPS: http://www.geotrust.com/resources/cps Signature Algorithm: sha1WithRSAEncryption 82:bc:a7:50:e1:36:7c:c0:67:cc:40:56:7b:22:a2:c2:98:2c: 01:12:b0:6f:0d:01:97:4e:a6:19:5a:d0:eb:61:22:c8:6e:05: 07:a2:97:2a:4e:4f:0b:a4:af:f4:3b:2c:42:e4:21:6d:4a:b1: e8:47:2c:71:56:fb:ec:49:59:97:a7:0f:54:f2:0e:06:cf:e7: 6a:4c:f7:33:d1:21:aa:bb:e2:a2:c1:85:8e:46:02:e5:e9:93: eb:4e:aa:a5:78:e0:bc:94:a6:58:9d:b4:53:98:21:48:48:4c: 94:dd:3a:96:79:3d:08:ed:25:6c:16:31:1b:e3:a8:9d:4f:7e: c7:9e:bf:d7:c5:06:e0:2e:05:94:54:7a:13:71:a7:8a:24:18: e1:c3:51:16:e7:02:0d:07:71:e7:ae:d8:27:ed:7c:2b:ba:b7: 16:ac:95:50:f0:a4:30:1b:f4:4a:6b:ca:7a:f4:b4:f4:cb:d3: 29:87:a5:b6:03:59:94:c0:f3:7c:91:ee:e7:37:69:3f:b1:fe: 06:a6:62:12:91:30:c5:63:e0:f9:9f:af:a5:dd:de:15:b8:b6: e7:df:78:7a:97:e7:a6:cc:f1:57:e2:b9:00:59:b1:52:03:9c: de:b4:e5:4f:45:22:8a:69:26:5b:27:ca:45:98:d9:c3:5a:32: d5:f7:27:c2
And here's the output from
openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
on the "problem computer", running Ubuntu 14.04 from a USB key. Note the Validity attribute here that shows the a valid certificate which expires onDec 5 14:21:24 2015 GMT
:ubuntu@ubuntu:~$ openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify error:num=19:self signed certificate in certificate chain verify return:0 Certificate: Data: Version: 3 (0x2) Serial Number: 686155 (0xa784b) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA Validity Not Before: Dec 1 23:03:54 2014 GMT Not After : Dec 5 14:21:24 2015 GMT Subject: serialNumber=AEv6bwWEDDnubjaF1huAIm7G/hgmDTWE, OU=GT24051799, OU=See www.geotrust.com/resources/cps (c)14, OU=Domain Control Validated - QuickSSL(R), CN=a.contoso.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d3:48:ca:32:bb:e9:a3:f9:75:35:71:f2:c0:78: 2b:22:60:8d:36:91:20:46:d0:d4:09:d0:8d:fa:3e: e2:bc:23:f6:c1:fc:03:2a:9a:79:da:12:e8:d2:1d: b2:09:df:af:21:42:94:5c:88:68:43:51:57:40:26: d1:b2:51:93:59:5e:ba:2f:41:de:c1:5c:04:e3:66: a3:13:d5:87:de:71:83:cc:03:2a:06:c1:66:29:12: c8:a5:32:91:74:0a:40:87:d4:e7:d8:32:c3:7e:aa: 57:75:c0:0e:19:75:27:9a:08:40:8c:1a:90:ab:e6: 3a:e7:8c:47:25:ec:d0:61:07:e2:da:a6:86:43:fa: 2b:40:0b:37:c2:63:7b:57:4e:fd:3a:54:ce:f9:c7: b7:38:c1:2c:65:76:91:7e:84:85:90:c6:3e:65:5d: e7:57:2f:2f:63:5a:ec:6b:77:6a:9e:9f:2b:f1:40: c6:8f:14:77:ce:ee:3f:f1:e8:87:5f:a0:c0:18:39: 8b:63:df:a7:3a:68:39:c1:dc:9b:48:ec:65:75:07: 30:b2:6d:91:e8:42:41:cb:a7:33:64:01:21:e2:39: ab:9d:64:7d:b2:24:2c:2c:69:b3:b1:36:ab:ed:93: eb:3d:be:0f:2f:b3:13:47:78:ea:be:77:54:e2:be: ba:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:8C:F4:D9:93:0A:47:BC:00:A0:4A:CE:4B:75:6E:A0:B6:B0:B2:7E:FC X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:a.contoso.com X509v3 CRL Distribution Points: Full Name: URI:http://gtssldv-crl.geotrust.com/crls/gtssldv.crl X509v3 Subject Key Identifier: B5:10:8A:28:BE:B2:E8:EA:D2:0C:A9:0B:78:BF:1A:4C:FF:CB:70:BE X509v3 Basic Constraints: critical CA:FALSE Authority Information Access: OCSP - URI:http://gtssldv-ocsp.geotrust.com CA Issuers - URI:http://gtssldv-aia.geotrust.com/gtssldv.crt X509v3 Certificate Policies: Policy: 2.16.840.1.113733.1.7.54 CPS: http://www.geotrust.com/resources/cps Signature Algorithm: sha1WithRSAEncryption 8c:da:2b:78:4e:bf:6e:d8:48:4f:2c:e5:5a:06:18:d7:39:99: fd:29:9d:c4:c3:e4:6b:54:82:df:96:c2:84:49:e1:f6:2c:62: e0:61:b8:5d:7c:ce:db:38:ab:5f:1c:79:e5:c3:d4:f1:35:2e: 6c:8e:a2:60:f1:69:9f:41:54:0d:f4:1c:76:5e:46:33:60:a1: bb:22:a9:ca:a2:14:a2:6c:e5:c6:80:dd:cb:e7:0e:f2:8a:5e: b0:e7:cb:d4:72:3d:01:4f:58:42:9c:7c:81:1f:6e:22:10:0f: de:1c:d4:54:cd:8e:5c:4b:35:5f:5a:af:b0:78:9f:60:56:1b: 10:64:2d:b7:39:55:be:e2:14:b8:27:5c:af:0e:63:03:27:6a: bd:a7:14:27:5d:fc:a3:d1:27:3b:e9:23:11:10:63:7d:77:2b: b2:db:2e:14:d5:e6:eb:80:6d:fc:bd:af:bb:14:9d:28:9c:91: a4:16:b5:4b:70:4d:54:df:5b:0f:3e:83:40:02:cd:56:fd:7a: 4c:a9:06:2b:45:40:ce:8e:ec:6c:6c:1b:b1:a8:c5:56:fd:60: dc:f1:bc:7d:27:63:eb:b7:99:d9:ec:8f:63:d7:a0:b6:7b:ea: b0:1e:b2:4c:89:0c:11:c4:c2:dd:1f:e7:ef:db:44:23:c8:52: 37:40:6a:10
-
Admin over 9 yearsGood idea, and thanks for the reply. I installed Cygwin and used it to run openssl from the problem computer and also ran openssl from a native linux machine running Ubuntu. I added the results to the initial question above. It appears they are different certificates. I guess my next step is to boot to linux using a USB key on the problem machine to see if it's different.
-
Admin over 9 yearsSo I booted the "problem computer" to Ubuntu Live using a USB key, and it pulls a valid certificate. The issue seems to be with Win 7 on this computer (other Win 7 computers pull valid certificates, this computer gets an expired certificate only when booted to Win 7). Any help in clearing the Win 7 certificates using methods I haven't already tried above? I also edited the main posting to reflect this new information.
-
Admin over 9 yearsAny chance Windows Update shows root certificate updates? (Not that such explains the problem you're seeing, but you never know...)
-
Admin over 9 yearsAs for the root certificates, maybe adding
-showcerts
will show a difference between the two (Windows) machines. Also,a.contoso.com
does not resolve on my Mac (anddig a.contoso.com
gives me a SOA record). -
Admin over 9 yearsThanks Arjan. I'm not using the actual domain name for privacy purposes, so I don't expect a.contoso.com to actually resolve. It turns out I just found the answer to the problem. Because I cannot answer my own question, I'll edit the original post again with the answer.
-
Admin over 9 yearsAh, I just saw that contoso.com is some Microsoft version of example.com... I learned something new (though I'd use the official example.com instead...)