Anonymous
Not applicable

Firefox SSL for landing pages

None of our SSL protected landing pages will load in Firefox, but they load fine in Chrome, Safari.

I've tested other web properties that use SSL certs purchased from the same vendor, and installed in the same way, and they work in every browser.

I haven't touched our SSL configuration in months. Is anyone else experiencing a problem?

Our landing pages won't load and this will definitely impact our AdWords rankings... I marked my ticket as a P1, no response yet.

SanfordWhiteman
Level 10 - Community Moderator

Re: Firefox SSL for landing pages

We will need an actual URL to help you.

Josh_Hill13
Level 10 - Champion Alumni

Re: Firefox SSL for landing pages

What sort of SSL cert do you have?

Anonymous
Not applicable

Re: Firefox SSL for landing pages

Sorry, I meant to paste it and forgot. (Removed other accidental link here.)

Valant EHR

The SSL cert for this is subdomain specific (not wildcard) to go.valant.com

Screen Shot 2018-03-16 at 9.51.12 AM.png

Anonymous
Not applicable

Re: Firefox SSL for landing pages

For more context: I also purchased and installed certs from the same vendor at the same time on these properties, which still work in all browsers:

https://help.valant.com

https://support.valant.com

That's why I'm leaning towards this being a Marketo issue?

SanfordWhiteman
Level 10 - Community Moderator

Re: Firefox SSL for landing pages

It's not a Marketo issue; your cert has actually been revoked:

WARNING: no nonce in response
Response verify OK
C:\Scripts\common\curl\bin\valant.cer: revoked
        This Update: Mar 16 17:18:14 2018 GMT
        Next Update: Mar 18 05:18:14 2018 GMT
        Reason: (UNKNOWN)
        Revocation Time: Jan 19 22:40:13 2018 GMT

The reason you see this in Firefox and not, for example, in Chrome is that Firefox uses OCSP to check revocation, but Chrome uses the old CRL method which can be out of date.
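
The kind of check that produces responder output like the above, as an added example that is not part of the original post: `ocsp_verdict` reduces `openssl ocsp` output to a single status, and `check_ocsp` fetches a server's chain and queries the OCSP responder named in the leaf certificate. The function names are hypothetical, and `check_ocsp` assumes network access and that the server sends its issuing intermediate as the second certificate.

```bash
#!/usr/bin/env bash
# Added example: check a served certificate's revocation status over OCSP.

# Reduce `openssl ocsp` output to one verdict. A status only counts when the
# responder's signature verified ("Response verify OK").
ocsp_verdict() {
  awk '
    /^Response verify OK/       { verified = 1 }
    /: (good|revoked|unknown)$/ { status = $NF }
    /Revocation Time:/          { sub(/^.*Revocation Time: */, ""); when = $0 }
    END {
      if (!verified || status == "") { print "unverified"; exit }
      if (when != "") status = status " since " when
      print status
    }'
}

# Ask the CA's OCSP responder about the leaf certificate that $1 serves on 443.
# Assumption: the issuing intermediate is the second certificate in the chain.
check_ocsp() {
  local host=$1 dir uri
  dir=$(mktemp -d) || return 2
  # -showcerts prints every certificate the server sends; split them into files.
  openssl s_client -connect "$host:443" -servername "$host" -showcerts \
      </dev/null 2>/dev/null |
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
                     on { print > (d "/cert" n ".pem") }
                     /-----END CERTIFICATE-----/   { on = 0 }'
  uri=$(openssl x509 -in "$dir/cert1.pem" -noout -ocsp_uri 2>/dev/null)
  if [ -z "$uri" ] || [ ! -s "$dir/cert2.pem" ]; then
    echo "unverified"   # no chain received, or no OCSP URL in the certificate
  else
    # openssl writes "Response verify OK" to stderr, hence 2>&1.
    openssl ocsp -issuer "$dir/cert2.pem" -cert "$dir/cert1.pem" \
      -url "$uri" 2>&1 | ocsp_verdict
  fi
  rm -rf "$dir"
}

# The responder output quoted in the thread, used here as offline sample input.
sample_output() {
  cat <<'EOF'
WARNING: no nonce in response
Response verify OK
C:\Scripts\common\curl\bin\valant.cer: revoked
        This Update: Mar 16 17:18:14 2018 GMT
        Next Update: Mar 18 05:18:14 2018 GMT
        Reason: (UNKNOWN)
        Revocation Time: Jan 19 22:40:13 2018 GMT
EOF
}
```

Run it as `check_ocsp go.example.com` (placeholder hostname) against a test server before handing a new certificate to the hosting platform; anything other than `good` means a browser that enforces OCSP may refuse the page.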

SanfordWhiteman
Level 10 - Community Moderator

Re: Firefox SSL for landing pages

And by the way, you forgot to check IE and Edge, which also honor OCSP. Chrome and Safari (both WebKit-based) are being way too permissive here. No one should be allowed to hit the site with an OCSP-revoked cert.

See screenshots from other browsers:

pastedImage_1.png

pastedImage_2.png

Anonymous
Not applicable

Re: Firefox SSL for landing pages

Yikes, thanks for the help, Sanford.

I'm having trouble understanding how it was revoked yet everything in GoDaddy still says it's working as expected. (We initially had 2 certs for this domain but I revoked the OLD one. Not this one. Seems like there was some confusion there on what cert was revoked and deleted from our account).

Do you know the best way to get a new cert installed without breaking the (sort of) working certs? I'm afraid if I purchase a new cert, deliver it to Marketo, and it's installed, when I go to revoke the old one it will cause the same issue. (This is how I installed it the first time; I updated in December and then revoked the old one in January.) Am I thinking about that correctly?

Any help greatly appreciated. Cheers

SanfordWhiteman
Level 10 - Community Moderator

Re: Firefox SSL for landing pages

"Do you know the best way to get a new cert installed without breaking the (sort of) working certs? I'm afraid if I purchase a new cert, deliver it to Marketo, and it's installed, when I go to revoke the old one it will cause the same issue. (This is how I installed it the first time; I updated in December and then revoked the old one in January.) Am I thinking about that correctly?"

Install the cert you want to upload to Marketo on another test server first, make sure it works in real life in all browsers, then give it to Marketo.

You don't have to revoke any certs unless their private key has been compromised. Just having an old cert that's moving out of circulation is fine; you don't need to revoke it.

Anonymous
Not applicable

Re: Firefox SSL for landing pages

Ah, thank you. This is exactly what I needed to know. The new cert is being installed, and I will now leave old expired certs in the account.

Thanks Sanford; your input is consistently the best in the community. Cheers.