
[ SOLVED ] Can't view forum or flashcard site with FireFox

#1
As of this morning I can no longer view this forum or the kanji koohii flashcards site with FireFox (my preferred browser). When I try, I get the following message (here's a screen shot):


Quote: Secure Connection Failed

An error occurred during a connection to kanji.koohii.com. Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

* The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
* Please contact the website owners to inform them of this problem.

It took me half a day to realize I could access the sites via another browser, but there may be other users out there who don't have any browser installed other than FireFox, and who therefore are unable to access their flashcards or the forum, nor do they have any way of reporting this error or asking for help.
Edited: 2017-06-20, 11:03 am by ファブリス
#2
Try clearing the browser cache completely (to beginning of time, or for all of koohii.com).

Could be a problem with cached certificates.
#3
(2017-06-16, 5:49 am)ファブリス Wrote: Try clearing the browser cache completely (to beginning of time, or for all of koohii.com).

Could be a problem with cached certificates.

I've cleared the browser history from the beginning of time, with checkmarks on all the possible cache options, but the problem persists.
Edited: 2017-06-16, 5:56 am
#4
Hmm. It does say revoked in this report, but not for the same subdomain.

https://www.ssllabs.com/ssltest/analyze....Results=on

Do I need to configure something else? I didn't do anything on the domain name side (Hover). Something to do with "SNI" ?

Sounds like Firefox is being even more demanding than Google Chrome? Chrome right now says "Secure" in the URL bar.
Edited: 2017-06-16, 6:00 am
#5
I filed a support ticket with the web host.

Confirmed: a new Firefox install can't open the website.

The SSL Labs report seems to say that the site only works in browsers that support SNI.
#6
(2017-06-16, 6:21 am)ファブリス Wrote: I filed a support ticket with the web host.

Confirmed: a new Firefox install can't open the website.
Thank you
#7
Hi, if it helps I also get the same on Firefox.

An error occurred during a connection to kanji.koohii.com. Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

On Chrome though the certificate checks out fine:

Valid Certificate
The connection to this site is using a valid, trusted server certificate.

Secure Connection
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_256_GCM).

Secure Resources
All resources on this page are served securely.
#8
Well, it's not SNI. SNI is definitely used, since it is what allows the shared hosts to use different certificates from the same IP address. And this article suggests Firefox supports SNI.

https://en.wikipedia.org/wiki/Server_Name_Indication
#9
A Google search indicates Firefox uses OCSP to check certificates:

https://en.wikipedia.org/wiki/Online_Cer...s_Protocol
#10
I am told that you can set the following in about:config if you really want to use Firefox for now:

This does NOT disable the secure connection; you can open the site and the green lock will show.

Search for 

security.OCSP.enabled

Set it to 0  (zero), then restart Firefox.
#11
Thanks, it works. Is it related to this, maybe: https://www.ghacks.net/2017/05/29/firefo...t-domains/
"If you check the OCSP range (which is the time period in which it is active), you will notice that it expired on May 28, 2017. While Firefox is strict when it comes to the information, Chrome is not. Google's Chrome browser allows the connection, but considers it as insecure instead, while Firefox blocks it outright."
#12
huygens Wrote:(...) While Firefox is strict when it comes to the information, Chrome is not. Google's Chrome browser allows the connection, but considers it as insecure instead, while Firefox blocks it outright."

But Google Chrome right now tells me the connection IS "Secure". I don't think that statement in that article is correct. Wikipedia says Chrome doesn't use OCSP because of latency and privacy issues.

A google search for "firefox ocsp" reveals lots of people having issues with it...

Even Microsoft Bing apparently is not secure for Firefox...

Here is an article more in depth about why Google Chrome does not use OCSP for certificate revocation. It shows that the quote above is misleading, suggesting Firefox provides more security when it doesn't.

In any case I'm not sweating over it. Analytics for Kanji Koohii shows 17% of users with Firefox. Maybe if Mozilla considered user experience a priority they would fare better. I stopped using Firefox when they broke Firebug, and their own built-in dev tools are laggy and slow as hell. /rant off

...

On topic, I haven't had a response from web host. I'm not sure they can even do anything, could be on Comodo's end. Maybe I should contact Comodo directly? I have no idea what to do frankly.
Edited: 2017-06-17, 6:20 am
#13
FWIW, Safari also shows the lock; clicking on it displays the certificate, which is valid. Although it's annoying for me because they put the staging, aka "test", subdomain as the first certificate. I'd rather it showed the actual subdomain users are looking at.

What I'd like to know is what does "Revoked INSECURE" mean in the SSL Labs report. They don't really give any in depth information. The certificate is obviously valid; so why is OCSP complaining?
#14
The only browser that can access the site for me is Chrome. Both Firefox and Microsoft Edge say it's insecure and don't allow me the choice to proceed (no, I don't usually use Edge, but I do mostly use Firefox and tried it when Firefox failed to access the Forum).

Not a problem as I can use Chrome but I thought I should report it.
Edited: 2017-06-18, 2:33 pm
#15
ファブリス's solution worked for me
#16
Thank you. I stupidly didn't notice that. Yes it works. Can now access the Forum via Firefox.

Edit: Well it stopped working. Can use Chrome anyway.
Edited: 2017-06-18, 7:37 pm
#17
You can also change the setting directly in the Firefox options menu, if anyone isn't comfortable with using about:config:

Just go to Options > Advanced, and then uncheck the box "Query OCSP responder servers to confirm the current validity of certificates"
#18
The issue seems to be that Comodo, the certificate authority, has the certificate listed as revoked on its certificate revocation list: http://crl.comodoca.com/COMODORSADomainV...rverCA.crl

The revocation date of the certificate was 6/16/2017 12:55:38 AM.

If the certificate wasn't revoked by whoever maintains the certificate, the next step might be to contact Comodo to figure out why the certificate got revoked.

Here's a Wikipedia article on certificate revocation list: https://en.wikipedia.org/wiki/Certificat...ation_list
#19
Where do you get the certificate revocation date?
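The two posts above are the crux of the thread: a certificate can pass every "is it valid" check (signature, chain, expiry, hostname) and still be revoked, because revocation status lives in a separate artifact published by the CA, the CRL (what #18 read) or an OCSP response (what Firefox queried). The following is an added example, not code from the thread, from koohii, or from Comodo: it builds a throwaway CA with the openssl CLI, issues a leaf certificate for the hypothetical name example.test, revokes it, publishes a CRL, and then shows that a chain-only check still says OK while a revocation-aware check says "certificate revoked", and where in the CRL the revocation date that #19 asks about comes from. OCSP is not simulated here; an OCSP responder answers from the same CA database (index.txt) that feeds the CRL, so it would report the same status.

```shell
#!/bin/sh
# Added example: throwaway CA + revoked leaf, to show that "valid" and
# "not revoked" are different checks. Needs the openssl CLI (1.0.2 or newer).
# Nothing here touches a real domain; example.test is a hypothetical name.
set -eu

# Create the CA, a leaf cert, a revocation entry and a CRL inside directory $1.
make_demo_ca() (
  cd "$1"
  mkdir -p ca/newcerts
  : > ca/index.txt            # openssl ca's certificate database
  echo 1000 > ca/serial       # next leaf serial number (hex)
  echo 1000 > ca/crlnumber    # next CRL number (hex)
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.pem
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = anything
x509_extensions  = leaf_ext
[ anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:example.test
EOF
  # Self-signed CA, then a leaf certificate signed by it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem >/dev/null 2>&1
  # The CA revokes the leaf and publishes a CRL carrying that entry.
  openssl ca -batch -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
)

# Chain-only check: signature, validity period, trust anchor. Revocation is
# not consulted, which is all a "Valid Certificate" dialog tells you.
chain_valid() {
  openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Revocation-aware check on the same certificate, with the CRL supplied.
# Returns 0 when the verifier reports "certificate revoked".
revoked_by_crl() {
  out=$(openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
        "$1/leaf.pem" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) return 0 ;;
    *) return 1 ;;
  esac
}

# The revocation date is the CRL entry keyed by the leaf's serial number.
revocation_date() {
  serial=$(openssl x509 -in "$1/leaf.pem" -noout -serial | cut -d= -f2)
  openssl crl -in "$1/crl.pem" -noout -text | awk -v s="$serial" '
    $0 ~ ("Serial Number: " s "$") { hit = 1; next }
    hit && /Revocation Date:/ { sub(/^ *Revocation Date: */, ""); print; exit }'
}

DEMO=$(mktemp -d)
make_demo_ca "$DEMO"
if chain_valid "$DEMO"; then
  echo "chain-only check: OK (the check a 'Valid Certificate' dialog performs)"
fi
if revoked_by_crl "$DEMO"; then
  echo "CRL check: certificate revoked (the status Firefox's OCSP query saw)"
fi
echo "revocation date from CRL: $(revocation_date "$DEMO")"
```

Against a live site the same two checks are `openssl s_client -connect host:443 -servername host` to fetch the chain, followed by `openssl verify` with and without `-crl_check` and the CA's CRL. One caveat for anyone in the original poster's position: apart from the certificateHold reason code, a revocation entry is permanent, so the remedy is a reissued certificate from the CA or reseller, not a change on the web server.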
#20
I filed a support ticket with COMODO.

One thing I notice is that the SSL Labs report isn't the same as it was a couple of weeks ago.

I'm pretty sure that kanji.koohii.com and forum.koohii.com and the staging subdomains, were listed separately as certificate 1,2,3.

However now it shows staging koohii com (the development copy), and it lists other subdomains as "alternative names"... so it sounds like HostGator changed the configuration of the certificates.

I hope they can fix it, otherwise that's 100 EUR down the drain, and I will be forced at this point to move servers to use Let's Encrypt certs, because that is such B.S. I thought I was saving time by not moving servers and now this. >_>
#21
Comodo's reply is that they can see "both certificate status 'Revoked'. We recommend you to contact the reseller 'hostgator.com' to get further assistance in this regard."

We're off to a good start.

Aren't they the ones who revoked the certificates?
#22
Oh my... I feel your pain :-(

Bear in mind I never used hostgator (and looking at all this TLS mess I probably never will), but have you checked if hostgator has somehow re-keyed or reissued your certificates without notice? Maybe you have a new one waiting for you to download and/or upload to the server, and that's the reason why the old one is revoked. Or perhaps they put both certificates on the server's cert store (again, assuming there are a new and an old, revoked one) and the web server is picking the wrong one...

Just my two cents, to be fair I'm pretty clueless (and, btw, sorry for the noise in gitter).
#23
I'll contact live chat this afternoon. I never had access to anything on the shared host. Live chat initiated this after confirming the purchase. All I did was answer an email from Comodo to confirm ownership of the domains.
#24
Awesome. Live chat was useless and tells me the certificates are installed and working. And they basically don't know anything about OCSP.

To be fair this checker says it's fine:

https://www.sslshopper.com/ssl-checker.h...koohii.com
#25
Should I set up "DNS CAA" ? Is that something I do on Hover.com ?