Kommentare 0

Dein SSL Zertifikat ist nicht sicher!

Am Wochenende ist mein SSL Zertifkat ausgelaufen, kein Problem, kurz auf StartSSL ein neues generiert, wie ich es schon die Jahre davor machte. Kurz das Zertifikat im NGINX ausgetauscht, den NGINX.service neugestartet und fertig war die Laube.


Chrome meldete permanent, dass das Zertifikat nicht sicher ist. Hu? Vielleicht habe ich ja etwas nicht beachtet beim Austausch. Kurz das Zertifikat über SSLLabs gecheckt, alles in Ordnung. Keine Fehler gefunden. Auch über den Internet Explorer oder Safari kamen keine Fehler.

Zum Glück hat sich Hauke kurz der Sache angenommen und zunächst mal die Meldung wie folgt bekommen:
An error occurred during a connection to www.lordmat.de. Peer’s Certificate has been revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE

Ok, das Zertifikat wurde revoked? Aber ich habe doch gar nichts gemacht?
Schnell im Internet recherchiert und siehe da:

I have some bad news for you. StartSSL’s certificates are no longer trusted by Chrome, Firefox, and soon other browsers, beginning with newly issued certificates first. StartSSL won’t tell you this of course and will happily sell you new certs, continuing their extremely shady pattern of behaviour.

Your new certificate is no good any more, and you must replace it. [via Tom Brossman]

Was wie wo? Mein neu erstelltes StartSSL Zertifikat ist nicht mehr sicher in Chrome, Firefox und bald andere Browser?

StartSSL confirmed that this is because of the partially revoked StartCom root certificate. They are working on getting their root certificate fully trusted by browsers again. It sounds like end of February would be the earliest time frame, so not in time to help my certs that expire in two weeks. 🙁

Desweiteren wurde das ganze sogar von StartSSL bestätigt:

To: Stephen Ostermiller,

This electronic mail message was created by StartCom’s Administration Personnel:


All certificates issued before 21.10.2016 are not affected. Certificates issued after 21.10.2016 are distrusted in Chrome, Firefox and Safari browsers.

Official document about distrust > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

We are working hard on remediation plan (https://bugzilla.mozilla.org/show_bug.cgi?id=1311832), and we are doing everything to regain trust ASAP. One of the steps already fully done – https://startssl.com/NewsDetails?date=20160919

We have some delays with an interim solution but will have more information only later in February.

Please accept our apologies for the inconvenience.

Please do not reply to this email. This is an unmonitored email address, and replies to this email cannot be responded to or read. If you have any question or comments, just click Here ((https://startssl.com/reply) to send your question to us, thanks.

Best Regards
StartCom™ Certification Authority

As to why Qualys SSL Labs doesn’t report the error, I found a thread in their forums that says that they would have to hard code a specific case for it because the revokation was not handled in the normal way. They have not done so yet, but they have a bug open to do so.

CA was not ordinary revoked, so there is no way of knowing just looking at OCSP or CRL for revoked certificates. StartCom has according to Mozilla, Google and Apple violated several rules, but because StartCom is one of the leading certificate authority it would be just too big action to simply revoke CA certificate, millions of web pages would stop working. They decided that they will stop trusting new issued certificates by this CA starting with new version of browser. This was announced like two months ago, so web administrators have had time to get new certificate from other CA.

This not to trust change of CA is hard-coded in NEW versions of browsers, so in order to have some useful results on ssllabs.com, this rules should also be hard-coded in test. Not the most pretties solution, but it looks the only one.

That post also has links to information about the other two browsers I tested where the HTTPS failed: [via Stephen Ostmiller]