Peer's Certificate has been revoked


Solution 1

Have you looked at the cert in FF or IE to see if you can get any clue as to what's wrong? Could it be that the certificate chain is broken because an intermediate certificate is no longer valid?

Solution 2

The solution on other sites of unchecking the OCSP query in browsers (in Firefox, in options or certificate settings, uncheck the OCSP query option) doesn't seem the right solution. OCSP (Online Certificate Status Protocol) is an internet protocol used for obtaining the revocation status of your digital certificate. See details here

If the OCSP response doesn't confirm the certificate is OK, the browser will show an error such as sec_error_revoked_certificate. Better to check for a broken chain of the installed certificate or its validity.
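One way to check the installed certificate instead of switching revocation checking off, as an added example that is not part of the original posts: it compares the serial of the certificate a server presents with the one issued at the rekey (the mismatch the asker reports in the comments) and checks its revocation status. The lab CA, the name `*.example.test`, the serials 0x1001/0x1002, the CRL and all function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed lab (not from the thread): a throwaway CA and two certificates for
# one name, issued before (serial 0x1001) and after (0x1002) a rekey.
lab_setup() {  # $1 = empty working directory; the shell stays in it afterwards
  cd "$1" || return 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' '[dn]' \
    '[v3]' 'basicConstraints=critical,CA:TRUE' '[ca]' 'default_ca=lab' \
    '[lab]' 'database=index.txt' 'default_md=sha256' 'default_crl_days=1' > lab.cnf
  : > index.txt
  openssl req -config lab.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Example Lab CA' -keyout ca.key -out ca.pem 2>/dev/null || return 1
  s=1001
  for c in old new; do
    openssl req -config lab.cnf -newkey rsa:2048 -nodes \
      -subj '/CN=*.example.test' -keyout "$c.key" -out "$c.csr" 2>/dev/null &&
    openssl x509 -req -in "$c.csr" -CA ca.pem -CAkey ca.key -set_serial "0x$s" \
      -days 30 -out "$c.pem" 2>/dev/null || return 1
    s=1002
  done
  # Lab assumption: the CA revoked the pre-rekey certificate and published a CRL.
  openssl ca -config lab.cnf -cert ca.pem -keyfile ca.key -revoke old.pem 2>/dev/null &&
  openssl ca -config lab.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem 2>/dev/null
}

serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# good / revoked / unverified, judged against ca.pem and crl.pem in the lab directory
revocation_status() {
  out=$(openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check "$1" 2>&1)
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo good ;;
    *) echo unverified ;;
  esac
}

# $1 = certificate the server presents, $2 = certificate the CA issued at the rekey
check_served() {
  if [ "$(serial_of "$1")" = "$(serial_of "$2")" ]; then m=match; else m=MISMATCH; fi
  echo "serial $(serial_of "$1") $m, status $(revocation_status "$1")"
}

LAB=$(mktemp -d) && lab_setup "$LAB" || exit 1
check_served old.pem new.pem   # server still bound to the pre-rekey certificate
check_served new.pem new.pem   # server bound to the rekeyed certificate
```

Against a live host, the served certificate can be captured with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -out served.pem` and compared with the issued file in the same way.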

Author by

Keith Barrows

Updated on September 17, 2022

Comments

  • Keith Barrows
    Keith Barrows almost 2 years

    I just upgraded our web server with a renewed cert as our current cert expires later this week. When I browse to our site via FF it is throwing this error:

    Secure Connection Failed
    An error occurred during a connection to www.rivworks.com.
    Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
    * The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
    * Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

    When I try IE (v6 - v8) I do not get this error. I've searched this site, Bing and Google and am not finding a solution for this. If I had long hair I'd be pulling it out!

    Any help is appreciated!


    ADDITIONAL INFO:
    After working the search engines over I have come to conclude this is a problem in FF and not with my cert. My cert issuer has been going through it with a fine-tooth comb and everything they can do shows all of my cert chain is in working order. FF just hates a renewed cert!

    The one (and only one) link I got for a possible fix is here: http://www.wallpaperama.com/forums/firefox-error-code-sec-error-revoked-certificate-t7301.html. This leads to the solution this guy came up with here: http://www.wallpaperama.com/forums/installing-ssl-certificate-in-a-godaddy-dedicated-server-with-ispconfig-t7300.html. Unfortunately - it is for a UNIX server and I don't know how to translate UNIX to WINDOWS SERVER 2003.


    Any help?

    • squillman
      squillman almost 15 years
      In response to your edit: the thing is that I can replicate the problem in FF, IE and Chrome (haven't tried Safari or Konqueror) using rivworks.com. All three of them balk at it when set to check revocation lists...
  • Keith Barrows
    Keith Barrows almost 15 years
    the cert is valid 9/22/2009 - 9/24/2012. We are past the 22nd so this should not be the problem.
  • squillman
    squillman almost 15 years
    Ok. Well, it's on a revocation list for whatever reason. I would check with the provider to see what's going on there.
  • joeqwerty
    joeqwerty almost 15 years
    In IE, select to view the certificate, then select the Certification Path tab. This will show you the chain, but I'm guessing it's going to look OK.
  • Keith Barrows
    Keith Barrows almost 15 years
    Unfortunately I cannot ask every person in the world that may hit our site to do this. I'm leaning towards a mismatched intermediate cert right now. Will post the solution once I find it.
  • Keith Barrows
    Keith Barrows almost 15 years
    Yep - In Safari, Chrome & IE the chain looks fine. Even GoDaddy looked at it and said it was fine (after fixing one intermediate cert problem I had on one server).
  • MrGigu
    MrGigu almost 15 years
    true, but if it's an internal site you can
  • joeqwerty
    joeqwerty almost 15 years
    I'm not able to get to the site in IE. It doesn't give me the option to "Continue to this web site". I think that there's got to be something wrong with the cert or the cert chain. What's the possibility of temporarily removing the GoDaddy cert and trying a self-signed cert, a free commercial cert, or a demo commercial cert as a test? If you can and the site works I think that would confirm that there's a problem with the GoDaddy cert or cert chain.
  • Keith Barrows
    Keith Barrows almost 15 years
    So, GoDaddy came back with an answer of "It's something wrong with Mozilla (FF)". They said my cert chain looked fine. :'(
  • Keith Barrows
    Keith Barrows almost 15 years
    Did turn out to be a mismatch in version/serial number on the cert. (See above for the answer I chose as the closest.)
  • Keith Barrows
    Keith Barrows almost 15 years
    After spending a couple of hours on the phone with various terminals at GoDaddy this is what we did to resolve this issue. (1) Delete all cert instances via IIS (it is a wild carded cert and was applied to several web sites and web services). (2) Generate a new CSR via IIS6. (3) Use the CSR text to ReKey the cert at certs.GoDaddy.com. (4) Download the new cert. (5) Cont the install in IIS6. (6) On the other sites, use an already installed cert (several showed up!) and make sure it was the current request.

    The site is now working correctly.
  • Keith Barrows
    Keith Barrows almost 15 years
    The key to the whole exercise was when GoDaddy tech support had me ReKey the cert yesterday the Serial Number/Version went out of sync between my local cert and the Root Authority (GoDaddy).
  • joeqwerty
    joeqwerty almost 15 years
    Glad you got it worked out. That was one I had not seen before so I'll have to remember it for the future.
  • squillman
    squillman almost 15 years
    Yah, good to have this one documented!
  • Keith Barrows
    Keith Barrows over 14 years
    After badgering GoDaddy they finally came up with a solution. In a nutshell, delete all certs and reinstall on one server. Once installed, export from that server and import on the other servers. When we did this with the new, unexpired cert the first time, the certs picked up the old root. While it was reporting as a good chain, in fact it was not.
  • joeqwerty
    joeqwerty over 14 years
    Glad to hear that you got it fixed. Thanks for the update.
  • Ram
    Ram almost 13 years
    That is some very bad advice Mark. The equivalent would be a retailer who keeps trying a customer's credit card and getting a rejection and you suggesting "turn off validation checking" as a fix. Yikes!
  • MrGigu
    MrGigu almost 13 years
    @Ram - whilst it might be bad advice, it is a workaround. Additionally, you should not flag answers just because they're "wrong" - just give a downvote, leave a comment, and move on.
  • Ram
    Ram almost 13 years
    @Mark - no offense intended - it is indeed a work around but not something folks finding this question and answer should use. I flagged for moderator review as I don't have the reputation to down rate it and yet it really really should be down rated.
  • mohannad rateb
    mohannad rateb almost 7 years
    While technically correct, this answer is dangerous. OCSP exists for a reason, and disabling it will lower the security for all websites accessed by Firefox.