firefox ignore Your connection is not secure

[therube]

Getting the same problem on ... microsoft sites

I had one yesterday on a MS site.
Thought it to be odd, wondered why it happened, but didn't pursue it.
(If I'm recalling it was on a MS "consumer support" site [link].)

Here:
https://social.technet.microsoft.com/Forums/en-us/home

But its a different error:

Code: Select all

Secure Connection Failed

An error occurred during a connection to social.technet.microsoft.com.

Invalid OCSP signing certificate in OCSP response.

Error code: <a id="errorCode" title="SEC_ERROR_OCSP_INVALID_SIGNING_CERT">SEC_ERROR_OCSP_INVALID_SIGNING_CERT</a>

Someone noted the Pref, security.ssl.enable_ocsp_stapling.
Toggling that does allow the MS site to load, but no clue as to what "ocsp stapling" is...

The OCSP response validity range is 2017-03-14T21:40:24Z to 2017-05-28T21:40:24Z (expired yesterday at 9:40pm). This is correctly identified by both Firefox and Chrome as an expired certificate. Firefox treats the error as fatal and refuses to load the page, while Chrome still loads the page but does not consider the connection to be secure.

Other MS sites (that now fail):

https://www.bing.com/
https://onedrive.live.com/



Issues while accessing Visual Studio Team Services through Firefox browser – 05/29 – Investigating


Bug 1368433 Can no longer connect to various microsoft domains with SEC_ERROR_OCSP_INVALID_SIGNING_CERT


mozillazine: Firefox blocking microsoft websites. Why?

[Brummelchen]

the cert is revoked, whether you like it not or file a ridiculous bug
https://www.digicert.com/help/

Code: Select all

DNS resolves freshproducegroup.us to 23.229.248.66

HTTP Server Header: Apache/2.4.25

SSL certificate

Common Name = rntoptions.com
Subject Alternative Names = rntoptions.com, www.rntoptions.com, vftfoodgroup.us, mexicanfoodproducts.us, craftbeersandtequilatrade.us, freshproducegroup.us
Issuer = Go Daddy Secure Certificate Authority - G2
Serial Number = 5E1B2938E7D57EDB
SHA1 Thumbprint = 0E22651C7872286C78A0A65D4F93131752212024
Key Length = 2048
Signature algorithm = SHA256 + RSA (excellent)
Secure Renegotiation: Supported
SSL Certificate is revoked

The certificate has been revoked. You should replace it with a new certificate as soon as possible.

OCSP Staple:	Not Enabled
OCSP Origin:	Revoked
CRL Status:	Revoked

SSL Certificate expiration

The certificate expires July 23, 2017 (55 days from today)

[Falnor]

the cert is revoked, whether you like it not or file a ridiculous bug
https://www.digicert.com/help/

Code: Select all

DNS resolves freshproducegroup.us to 23.229.248.66

HTTP Server Header: Apache/2.4.25

SSL certificate

Common Name = rntoptions.com
Subject Alternative Names = rntoptions.com, www.rntoptions.com, vftfoodgroup.us, mexicanfoodproducts.us, craftbeersandtequilatrade.us, freshproducegroup.us
Issuer = Go Daddy Secure Certificate Authority - G2
Serial Number = 5E1B2938E7D57EDB
SHA1 Thumbprint = 0E22651C7872286C78A0A65D4F93131752212024
Key Length = 2048
Signature algorithm = SHA256 + RSA (excellent)
Secure Renegotiation: Supported
SSL Certificate is revoked

The certificate has been revoked. You should replace it with a new certificate as soon as possible.

OCSP Staple:	Not Enabled
OCSP Origin:	Revoked
CRL Status:	Revoked

SSL Certificate expiration

The certificate expires July 23, 2017 (55 days from today)

I have used that digicert to check all the microsoft sites and none of the certificates have been revoked. Yet firefox thinks they have been revoked and displays that error

[Brummelchen]

digicert has nothing in common with mozilla - the cert is not valid, that is the official answer. it is not important, what chrome or microsoft show up.
but not all point that out, eg https://www.sslshopper.com/ssl-checker. ... cegroup.us

Symantec instead shows invalid
https://cryptoreport.websecurity.symantec.com/checker/

Code: Select all

Common name:
 rntoptions.com
SAN:
 rntoptions.com, www.rntoptions.com, vftfoodgroup.us, mexicanfoodproducts.us, craftbeersandtequilatrade.us, freshproducegroup.us
Valid from:
 2016-Jul-31 21:52:38 GMT
Valid to:
 2017-Jul-23 22:21:38 GMT
Certificate status:
 Revoked
Revocation check method:
 OCSP
Revocation reason:
 Cessation of operation

or here
https://www.ssllabs.com/ssltest/analyze ... .us&latest

Code: Select all

Revocation status	Revoked   INSECURE
DNS CAA	No (more info)
Trusted	No   NOT TRUSTED

Common names	*.prod.phx3.secureserver.net   MISMATCH

Revocation information	CRL, OCSP 
CRL: http://crl.starfieldtech.com/sfig2s1-37.crl 
OCSP: http://ocsp.starfieldtech.com/ 

revoked

[Mouse5]

look at comment 2 in this Bug https://bugzilla.mozilla.org/show_bug.cgi?id=1368388#c2

[therube]

All I can say to that is, yuca.
(Its nice when someone actually puts a usable explanation in a bug.)

[lovemyfoxy]

52ESR. I'm getting messages that THIS site is insecure, just the past few days, but I can connect anyway. I have HTTPS Everywhere. Is it because we're not https?

Should I just add that about:config line?

[therube]

Correct. No https: here.
(Yet .)

[Mouse5]

52ESR. I'm getting messages that THIS site is insecure, just the past few days, but I can connect anyway. I have HTTPS Everywhere. Is it because we're not https?

Should I just add that about:config line?

yeah i think so, but a lot of sites havent switched to using HTTPS yet either

[lovemyfoxy]

But it can help on sites where I hang out a lot.