SSL Cert Expire or Caching issue, don't understand

I've seen this before, where an application or browser fails to establish an SSL connection with a "Certificate expired" warning even though the SSL certificate in question is within its validity period. The test routine that actually fails is not a validity test of the end certificate but of the overall trust chain; this is sometimes referred to as a "peer verification" routine.

It might be because you trust an older version of one of the intermediate certificates - in this case it's not the SSL Certificate that is expired, but one of the certificates in the chain that your client builds to test the validity of the certificate:

(3) --- Verisign Root CA
    (2) --> Verisign top Intermediate CA
        (1) --> Verisign Issuing CA
            (0) --> SSL Certificate

If your computer just has the Verisign Root CA certificate (3) in its store of trusted CA certificates, it will rely on the chain of intermediate certs sent by the web server at www.bt.com:443.

If the intermediates - cert (2) and/or (1) in the chain - have been reissued/replaced by newer certificates, but you have the previous version of these certificates stored in your intermediate trust store, the client might try to build the above chain using one of these, and will fail if they've expired.

You can inspect the certificates that Chrome trusts:

  1. Go to chrome://settings/ (Or click the customize button in the upper right corner and select Settings)
  2. In the bottom, click "Show advanced settings"
  3. Under HTTPS/SSL, click "Manage Certificate"
  4. Inspect the contents of the different stores (names and number of trust stores will vary depending on the underlying operating system)

From here, you should be able to import new and remove old certificates as well.

To see the actual certs presented in the chain by the web server, use openssl:

openssl s_client -connect www.bt.com:443 -showcerts
Author: CasperB

Updated on September 18, 2022
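As an added illustration of the path-building failure described in the answer (this is not code from the answer's author), the following Python model walks from the leaf certificate towards a trusted root and shows how a stale, expired copy of the issuing CA certificate left in the local store can produce an "expired" error while the server's own certificate is still valid. Certificate names follow the chain shown above; all dates, serials and the evaluation time are constructed.

```python
"""Toy model of certificate path building (added example, not from the post).
Shows why a stale intermediate in the local store yields "expired" errors."""
from datetime import datetime

def cert(subject, issuer, not_before, not_after, serial):
    # Only the fields that matter for chain building are modelled.
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": datetime.fromisoformat(not_before),
            "not_after": datetime.fromisoformat(not_after)}

def is_valid_at(c, now):
    return c["not_before"] <= now <= c["not_after"]

def build_chain(leaf, candidates, trusted_roots, now, try_all):
    """Walk leaf -> root, picking issuers from `candidates` by subject name.
    try_all=False takes the first matching candidate only (a client that
    consults its local intermediate store first); try_all=True backtracks
    over every candidate with that subject. Returns (chain, error)."""
    def walk(c, path):
        if not is_valid_at(c, now):
            return None, f"{c['subject']} (serial {c['serial']}) is expired"
        if c["subject"] in trusted_roots:
            return path + [c], None
        issuers = [x for x in candidates
                   if x["subject"] == c["issuer"] and x not in path]
        if not try_all:
            issuers = issuers[:1]
        err = f"no issuer found for {c['subject']}"
        for issuer in issuers:
            chain, err = walk(issuer, path + [c])
            if chain:
                return chain, None
        return None, err
    return walk(leaf, [])

# Constructed data: evaluation time near the original question (March 2014).
NOW = datetime.fromisoformat("2014-03-03T12:00:00")
ROOTS = {"Verisign Root CA"}
LEAF = cert("www.bt.com", "Verisign Issuing CA", "2013-09-24", "2014-09-24", "leaf-1")
OLD_ISSUING = cert("Verisign Issuing CA", "Verisign top Intermediate CA",
                   "2009-01-01", "2014-02-28", "old-1")   # stale copy, expired
NEW_ISSUING = cert("Verisign Issuing CA", "Verisign top Intermediate CA",
                   "2013-12-01", "2019-12-01", "new-1")   # what the server sends
TOP = cert("Verisign top Intermediate CA", "Verisign Root CA", "2006-01-01", "2021-01-01", "top-1")
ROOT = cert("Verisign Root CA", "Verisign Root CA", "1996-01-01", "2028-01-01", "root-1")
LOCAL_STORE = [OLD_ISSUING, TOP, ROOT]   # client's cached intermediates + root
SERVER_CHAIN = [NEW_ISSUING, TOP]        # intermediates presented by the server

def naive_client():          # first match wins: hits the stale copy and fails
    return build_chain(LEAF, LOCAL_STORE + SERVER_CHAIN, ROOTS, NOW, try_all=False)

def backtracking_client():   # tries every candidate: finds the fresh copy
    return build_chain(LEAF, LOCAL_STORE + SERVER_CHAIN, ROOTS, NOW, try_all=True)

def naive_client_after_cleanup():   # the fix from the answer: remove the old cert
    cleaned = [c for c in LOCAL_STORE if c is not OLD_ISSUING]
    return build_chain(LEAF, cleaned + SERVER_CHAIN, ROOTS, NOW, try_all=False)
```

Running the three functions shows the same leaf succeeding or failing depending only on which copy of the issuing CA certificate the client picks, which is why some devices show the error and others do not.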

Comments

  • CasperB over 1 year

    If I visit BT's site in Chrome I get this ... http://imgur.com/b05alsX It looks like the cert has expired. (Similar in Firefox)

    BT claim it isn't. https://twitter.com/BTCare/status/440405157999030272

    And indeed this page http://www.digicert.com/help/ says expiry "September 24, 2014 (205 days from today)" for "www.bt.com"

    One of my devices I saw this on yesterday is now not showing the error. But some of my devices still are. One of my friends has no problems. Basically some work and some don't.

    What's going on?

    Note I don't work for BT, I just use one of their services. As I do use SSL certs on my own servers I would love to know what is going on.

    Is the old cert cached somewhere? Where would this cache be? BT's server level (maybe a load balancer or something), ISP, DNS, device?

    Thanks in advance!

    • CasperB about 10 years
      support.mozilla.org/en-US/questions/954856 says "This is a query that we come across every day. The client has an old certificate, renewed and installed the new certificate, but the old certificate is still showing. This usually means that the old certificate is still used somewhere within the network, such as a load balancing device or a frontend firewall. Online certificate checkers maybe checking on server/network, while the issue is actually somewhere else."