StartSSL certificate gives SEC_ERROR_REVOKED_CERTIFICATE in Firefox and ERR_CERT_AUTHORITY_INVALID in Chrome

11,576

Solution 1

I have some bad news for you. StartSSL's certificates are no longer trusted by Chrome, Firefox, and soon other browsers, beginning with newly issued certificates first. StartSSL won't tell you this of course and will happily sell you new certs, continuing their extremely shady pattern of behaviour.

At this point all I can recommend is damage control by purchasing another wildcard cert (assuming you won't/can't use Certbot?) from somewhere like cheapsslsecurity.com. No affiliation, just a previous customer and they were cheap and easy to use.

Your new certificate is no good any more, and you must replace it.

Solution 2

StartSSL confirmed that this is because of the partially revoked StartCom root certificate. They are working on getting their root certificate fully trusted by browsers again. It sounds like end of February would be the earliest time frame, so not in time to help my certs that expire in two weeks. :-(

To: Stephen Ostermiller,

This electronic mail message was created by StartCom's Administration Personnel:

Hello,

All certificates issued before 21.10.2016 are not affected. Certificates issued after 21.10.2016 are distrusted in Chrome, Firefox and Safari browsers.

Official document about distrust > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

We are working hard on a remediation plan (https://bugzilla.mozilla.org/show_bug.cgi?id=1311832), and we are doing everything to regain trust ASAP. One of the steps is already fully done: https://startssl.com/NewsDetails?date=20160919

We have some delays with an interim solution but will have more information only later in February.

Please accept our apologies for the inconvenience.

Please do not reply to this email. This is an unmonitored email address, and replies to this email cannot be responded to or read. If you have any questions or comments, just click Here (https://startssl.com/reply) to send your question to us, thanks.

Best Regards
StartCom™ Certification Authority

Qualys SSL Labs

As to why Qualys SSL Labs doesn't report the error, I found a thread in their forums that says that they would have to hard code a specific case for it because the revocation was not handled in the normal way. They have not done so yet, but they have a bug open to do so.

The CA was not ordinarily revoked, so there is no way of knowing just by looking at OCSP or CRL for revoked certificates. StartCom has, according to Mozilla, Google and Apple, violated several rules, but because StartCom is one of the leading certificate authorities it would be just too big an action to simply revoke the CA certificate; millions of web pages would stop working. They decided that they will stop trusting newly issued certificates by this CA starting with new versions of browsers. This was announced about two months ago, so web administrators have had time to get new certificates from other CAs.

This not-to-trust change of a CA is hard-coded in NEW versions of browsers, so in order to have some useful results on ssllabs.com, these rules should also be hard-coded in the test. Not the prettiest solution, but it looks like the only one.

Firefox

Mozilla Security Blog: Distrusting New WoSign and StartCom Certificates

Chrome

Google and Chrome Distrusting WoSign and StartCom Certificates

Chrome is gradually distrusting these certificates with subsequent browser releases.

  • Chrome 56 distrusts all certificates issued after October 21, 2016.
  • Chrome 57 also distrusts all old certificates unless the site is in the Alexa top one million sites.
  • Chrome 58 also distrusts all old certificates unless the site is in the Alexa top 500,000.
  • Chrome 61 distrusts ALL certificates signed by StartSSL and WoSign.

Safari

Apple and Safari Blocking Trust for WoSign CA Free SSL Certificate G2

The end of StartCom

I received the following email from StartCom about them shutting down:

Dear customer,

As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcom's website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.

StartCom would like to thank you for your support during this difficult time.

StartCom is contacting some other CAs to provide you with the certificates needed. In case you don't want us to provide you an alternative, please, contact us at [email protected]

Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.

Best regards, StartCom Certification Authority
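The gap the answer describes is that OCSP and CRL still answer "good" for these certificates while the distrust lives in browser code. The following is an added example (not from the question, the answers, or SSL Labs) that encodes the rules quoted above, the Mozilla cut-off of 21 October 2016 and Chrome's 56/57/58/61 schedule, as a check an operator could run over certificate metadata; the issuer organisation and notBefore date are assumed to come from the certificate itself (for example `openssl x509 -noout -issuer -startdate`), and the sample certificates are constructed to resemble the asker's February 2017 wildcard.

```python
from datetime import date
from typing import Optional

# Cut-off from the StartCom email and the Mozilla/Google posts quoted on this page.
DISTRUST_CUTOFF = date(2016, 10, 21)
# Issuer organisation names covered by the distrust (the page names StartCom/StartSSL and WoSign).
DISTRUSTED_ISSUERS = ("startcom", "wosign")

def issuer_is_distrusted(issuer_org: str) -> bool:
    """True if the issuing CA's organisation name falls under the distrust."""
    return any(name in issuer_org.lower() for name in DISTRUSTED_ISSUERS)

def firefox_trusts(issuer_org: str, not_before: date) -> bool:
    """Mozilla rule quoted above: only certificates issued before the cut-off stay trusted."""
    return not issuer_is_distrusted(issuer_org) or not_before < DISTRUST_CUTOFF

def chrome_trusts(issuer_org: str, not_before: date, chrome_version: int,
                  alexa_rank: Optional[int] = None) -> bool:
    """Chrome's phased schedule from the page; alexa_rank is None for sites not on the list."""
    if not issuer_is_distrusted(issuer_org) or chrome_version < 56:
        return True                       # not covered, or before the phase-out began
    if not_before >= DISTRUST_CUTOFF:
        return False                      # Chrome 56+: everything issued after the cut-off
    if chrome_version >= 61:
        return False                      # Chrome 61: every StartCom/WoSign certificate
    if chrome_version >= 58:
        return alexa_rank is not None and alexa_rank <= 500_000
    if chrome_version >= 57:
        return alexa_rank is not None and alexa_rank <= 1_000_000
    return True                           # Chrome 56: older certificates still accepted

def effective_status(cert: dict, browser: str, chrome_version: int = 56,
                     alexa_rank: Optional[int] = None) -> str:
    """Combine the OCSP/CRL answer (all that SSL Labs checks) with the hard-coded browser policy."""
    if cert["ocsp_status"] != "good":
        return "revoked"
    if browser == "firefox":
        trusted = firefox_trusts(cert["issuer_org"], cert["not_before"])
    else:
        trusted = chrome_trusts(cert["issuer_org"], cert["not_before"], chrome_version, alexa_rank)
    return "trusted" if trusted else "distrusted-by-policy"

# Constructed samples modelled on the question: a StartCom wildcard issued in February 2017
# (OCSP still answers "good") and an older one issued before the cut-off.
NEW_CERT = {"issuer_org": "StartCom Ltd.", "not_before": date(2017, 2, 1), "ocsp_status": "good"}
OLD_CERT = {"issuer_org": "StartCom Ltd.", "not_before": date(2015, 6, 1), "ocsp_status": "good"}

if __name__ == "__main__":
    for name, cert in (("new", NEW_CERT), ("old", OLD_CERT)):
        print(name, "firefox:", effective_status(cert, "firefox"),
              "| chrome 56:", effective_status(cert, "chrome", 56),
              "| chrome 61:", effective_status(cert, "chrome", 61))
```

For the new certificate every path reports "distrusted-by-policy" even though the revocation status is "good", which is exactly the disagreement between SSL Labs and the browsers that the question observed.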


Author: Stephen Ostermiller

Updated on September 18, 2022

Comments

  • Stephen Ostermiller
    Stephen Ostermiller over 1 year

    My existing HTTPS certificate is expiring soon so I bought a new one. I'm having a very hard time installing it properly though. I have a wildcard certificate from StartSSL for *.deadsea.ostermiller.org that I'm trying to install on my Apache webserver. My Apache configuration for SSL is:

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
    SSLCertificateFile /etc/apache2/ssl/2017-deadsea.ostermiller.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/2017-stephen-ostermiller.key
    SSLCertificateChainFile /etc/apache2/ssl/2017-startssl-class3-root-bundle.crt
    

    Which is from the instructions I got from: https://www.startssl.com/Support?v=21 I then restart apache which restarts fine. I'm then trying to access https://test.deadsea.ostermiller.org/ (which should give a 404 error) in various browsers and some are working and some are not.


    Curl does just fine:

    $ curl -s --head https://test.deadsea.ostermiller.org/
    HTTP/1.1 404 Not Found
    Date: Wed, 01 Feb 2017 22:51:57 GMT
    Server: Apache
    Content-Type: text/html; charset=UTF-8
    

    Qualys SSL Labs rates it A- and says that it is "trusted":


    Microsoft Edge browser does the right thing:


    Chrome gives a NET::ERR_CERT_AUTHORITY_INVALID error:


    Firefox gives a SEC_ERROR_REVOKED_CERTIFICATE error:


    Safari says that there is an invalid issuer:


    What is going wrong and why is there so much disagreement between browsers?

    • Steve
      Steve about 7 years
      Isn't the "invalid issuer" a clue? But why pay for SSL any more now that LetsEncrypt is around?
    • Steffen Ullrich
      Steffen Ullrich about 7 years
      This might be the result of a bad behavior of Startcom which caused major browsers to distrust it for new certificates: blog.mozilla.org/security/2016/10/24/…
    • Stephen Ostermiller
      Stephen Ostermiller about 7 years
      @SteffenUllrich Wow, I didn't know about that. I've been using StartSSL for years now. I hope I don't have to find a new cert issuer in the next week before my existing certs expire.
    • user1771561
      user1771561 about 7 years
      Depending on the number of subdomains you have, you could use Let's Encrypt. They support up to 100 SANs per certificate. Using GetSSL, you could automate this if you regularly have to add or remove subdomains. We serve about 300 customers and have only 3 certificates.
  • vog
    vog about 7 years
    I believe the options of Let's Encrypt and CertBot should be more visible in your answer, with prominent links. Switching from one CA to another is the ideal chance to switch to Let's Encrypt, and be done with certificate issues once and for all. You no longer have to ask year after year for a new certificate. It will be renewed automatically for as long as your webserver lives.
  • Tom Brossman
    Tom Brossman about 7 years
    This should probably be the accepted answer as it contains info direct from the source of the problem. No need to choose mine because it was posted earlier.
  • Stephen Ostermiller
    Stephen Ostermiller about 7 years
    I'm just adding information to your already excellent answer. :-) I would also like to credit @SteffenUllrich who posted a comment pointing me in the right direction before there were any answers. I originally thought I had installed the cert wrong.