SSL https (http secure) sites won't display: is it client or server side?

18,625

Before anyone blindly turns off that warning by disabling OCSP, double-check that it's really not a client issue. Turning off warning messages is something you only do if you have a VERY GOOD reason and you know what you're doing - or if you are the White House, where "the alarm system had been switched off due to complaints from staff that it was too noisy". However, if you take this issue seriously, you don't do that.

It might simply be that the system clock is slow, because the error message says "contains a date in the future". And it is much more likely that your computer's date/time is incorrect rather than that of the server (that could affect hundreds of clients).

Open a terminal and check your time:

$ date

Restart your NTP service to correct it:

$ sudo systemctl restart ntpd && echo OK

If you don't have the NTP service installed ("not-found" error), install it:

$ sudo pacman -S ntp

Also, make sure it's enabled:

$ sudo systemctl is-enabled ntpd || sudo systemctl enable ntpd

With NTP installed and enabled, restart it, give it a couple of seconds to fetch the time and then check the time:

$ sudo systemctl restart ntpd && sleep 30 && date

Then try accessing the website again.

Depending on what desktop environment you use, you may be able to use graphical tools instead of those commands.


And for those who have "fixed" this issue by disabling every security feature until it worked: Please re-enable whatever you have disabled. If you've disabled OCSP, enable it again. Those features are there for a reason.
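The clock check described in the answer above can be made concrete by comparing a clock reading against the validity window of the OCSP response itself. This is an added example, not part of the original answer; it assumes GNU `date` and the "This Update" / "Next Update" text fields that `openssl ocsp -resp_text` prints, and the function names and sample response text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: decide whether a clock reading falls before, inside or after
# the validity window of an OCSP response (strict comparison, no tolerance).

# Constructed sample of the fields printed by `openssl ocsp -resp_text`.
SAMPLE_OCSP_TEXT='    Cert Status: good
    This Update: Mar 20 14:00:00 2014 GMT
    Next Update: Mar 27 14:00:00 2014 GMT'

# Print one timestamp field as epoch seconds (hypothetical helper).
# $1 = field name, $2 = response text. Requires GNU date for -d parsing.
ocsp_field_epoch() {
    local value
    value=$(printf '%s\n' "$2" | sed -n "s/^ *$1: *//p" | head -n 1)
    [ -n "$value" ] || return 1
    date -u -d "$value" +%s
}

# Print a verdict and the offset in seconds (hypothetical helper).
# $1 = response text, $2 = clock reading in epoch seconds (default: now).
ocsp_clock_verdict() {
    local this_update next_update now
    this_update=$(ocsp_field_epoch "This Update" "$1") || { echo "parse-error"; return 2; }
    next_update=$(ocsp_field_epoch "Next Update" "$1") || { echo "parse-error"; return 2; }
    now=${2:-$(date -u +%s)}
    if [ "$now" -lt "$this_update" ]; then
        # The response looks like it is "from the future": local clock is behind.
        echo "clock-behind $(( this_update - now ))"
    elif [ "$now" -gt "$next_update" ]; then
        # The response looks expired: clock is ahead, or the response is stale.
        echo "clock-ahead-or-stale $(( now - next_update ))"
    else
        echo "ok 0"
    fi
}
```

A `clock-behind` verdict with an offset of whole hours points at a local time or time-zone problem rather than at the server, which is the case the NTP steps above correct.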


Author: xtian

Updated on September 18, 2022

Comments

  • xtian
    xtian over 1 year

    Oddly, python.org has suddenly become unreachable for me through the Archlinux repo version of Firefox (v27 and v28.0 update):

    Secure Connection Failed

    An error occurred during a connection to www.python.org. The OCSP response is not yet valid (contains a date in the future).

    (Error code: sec_error_ocsp_future_response)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

    I've read that the Mozilla site recommends:

    1. Clear cache (or reload not from cache) (ok)
    2. Check your computer's time settings (ok)
    3. Check about:config settings:
      • security.OCSP.enabled = 1 (ok)
      • security.enable_ssl & security.enable_tls (I think this last one is outdated, because my version reads security.[some protocol].enable)
    4. Check proxy settings (don't have one)
    5. If you're having trouble with one site, use this checker (passed)

    With 65 settings in about:config with the term 'security', I don't even know where to begin turning things on and off. Like what is the security.OCSP.GET.enabled=false setting? Sounds like it should be on, but it's off. Although I don't have any trouble with logging into my bank's web site.

    All points point to python.org having the trouble, but can I be sure? And why the heck is python.org a secure site anyway?

    • Ramhound
      Ramhound about 10 years
      I am going to guess the reason you can't connect is because the website revoked its SSL certificate. It's possible this is on purpose.
    • xtian
      xtian about 10 years
      @Ramhound thanks for your input. While that may be true, I found something on the Arch site reminding me of a stupid Arch-thingy. The clock was lagging by five hours but the date was correct (it's a laptop and happens more than I wish). After I followed these page steps to update my system's time using date instead of timedatectl, python.org is again visible. Despite this discrepancy, why in the world can I log into my bank, but not python.org?? Talk about paranoid!
    • Ramhound
      Ramhound about 10 years
      SSL is complicated. We would need to know what the bank website does and does not support. It's also a separate question. If you're wondering, OCSP is connected to checking the status of the certification chain.
    • cokedude
      cokedude about 9 years
      @xtian try to use this site to test the website you are talking about. ssllabs.com/ssltest/analyze.html?d=jbclick.jaxbchfl.net
    • cokedude
      cokedude about 9 years
      @Ramhound are you sure this is a SSL issue and not a TLS issue? I know sometime in 2014 the POODLE attack came out and because of that sites tried to stop using SSL.
    • Ramhound
      Ramhound about 9 years
      @cokedude - TLS is SSL, it's the same thing, they just changed the name.
    • xtian
      xtian about 9 years
      Wow. This is a zombie-post. Hahah. I haven't noticed this problem recently, and SSL is outside my bailiwick. So, someone (@Ramhound ?) wants to upvote the answer, I'll mark it answered and put it to bed. (>_<)
    • Ramhound
      Ramhound about 9 years
      @xtian - I have not really said anything with enough quality to submit it as an answer.
  • xtian
    xtian about 8 years
    As I mentioned in April of '15, this isn't my area of expertise. If future readers find this answer useful, please vote it up so I can mark it as the Correct Answer!