None of our SSL-protected landing pages will load in Firefox, but they load fine in Chrome and Safari.
I've tested other web properties that use SSLs purchased from the same vendor, and installed in the same way, and they work in every browser.
I haven't touched our SSL configuration in months. Is anyone else experiencing a problem?
Our landing pages won't load and this will definitely impact our AdWords rankings... I marked my ticket as a P1, no response yet.
We will need an actual URL to help you.
What sort of SSL cert do you have?
Sorry, I meant to paste it and forgot. (Removed other accidental link here.)
The SSL cert for this is subdomain-specific (not wildcard) to go.valant.com.
For more context: I also purchased and installed certs from the same vendor at the same time on these properties, which still work in all browsers:
That's why I'm leaning towards this being a Marketo issue?
It's not a Marketo issue, your cert has actually been revoked:
WARNING: no nonce in response
Response verify OK
C:\Scripts\common\curl\bin\valant.cer: revoked
This Update: Mar 16 17:18:14 2018 GMT
Next Update: Mar 18 05:18:14 2018 GMT
Reason: (UNKNOWN)
Revocation Time: Jan 19 22:40:13 2018 GMT
The reason you see this in Firefox and not, for example, in Chrome is that Firefox uses OCSP to check revocation, but Chrome uses the old CRL method which can be out of date.
And by the way, you forgot to check IE and Edge, which also honor OCSP. Chrome and Safari (both WebKit-based) are being way too permissive here. No one should be allowed to hit the site with an OCSP-revoked cert.
See screenshots from other browsers:
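An added example, not part of the original posts: a parser for the `openssl ocsp` text output quoted in the answer above, with a fail-closed check that could be run on a cert before it is handed to Marketo. The function names and verdict strings are assumptions of this example; the sample input is the output as posted in the thread.

```python
import re
from datetime import datetime, timezone

# Sample input: the OCSP output exactly as posted in the thread above.
SAMPLE = r"""WARNING: no nonce in response
Response verify OK
C:\Scripts\common\curl\bin\valant.cer: revoked
This Update: Mar 16 17:18:14 2018 GMT
Next Update: Mar 18 05:18:14 2018 GMT
Reason: (UNKNOWN)
Revocation Time: Jan 19 22:40:13 2018 GMT
"""

def _ts(value):
    # OpenSSL prints timestamps such as "Mar 16 17:18:14 2018 GMT".
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_ocsp(text):
    """Parse the fields shown in the thread into a dict (hypothetical helper)."""
    result = {"verified": False, "nonce": True, "status": None}
    for line in text.splitlines():
        line = line.strip()
        if line == "Response verify OK":
            result["verified"] = True
        elif line == "WARNING: no nonce in response":
            result["nonce"] = False
        elif m := re.fullmatch(r"(.+): (good|revoked|unknown)", line):
            result["cert"], result["status"] = m.group(1), m.group(2)
        elif m := re.fullmatch(r"(This Update|Next Update|Revocation Time): (.+)", line):
            result[m.group(1)] = _ts(m.group(2))
        elif line.startswith("Reason:"):
            result["Reason"] = line.split(":", 1)[1].strip()
    return result

def verdict(r, now):
    """Fail closed: only a verified, in-window 'good' response counts as deployable."""
    if not r["verified"]:
        return "reject: response signature not verified"
    start, end = r.get("This Update"), r.get("Next Update")
    if not (start and end and start <= now <= end):
        return "reject: response stale or not yet valid"
    if r["status"] == "revoked":
        when = r.get("Revocation Time")
        return "reject: revoked" + (f" on {when:%Y-%m-%d}" if when else "")
    return "ok" if r["status"] == "good" else "reject: status unknown"
```

The `This Update` / `Next Update` window matters as much as the status line: a response checked outside that window says nothing reliable about the cert's current state.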
Yikes, thanks for the help Sanford.
I'm having trouble understanding how it was revoked yet everything in GoDaddy still says it's working as expected. (We initially had 2 certs for this domain but I revoked the OLD one. Not this one. Seems like there was some confusion there on what cert was revoked and deleted from our account).
Do you know the best way to get a new cert installed without breaking the (sort of) working certs? I'm afraid if I purchase a new cert, deliver it to Marketo, and it's installed, when I go to revoke the old one it will cause the same issue. (This is how I installed it the first time: I updated in December and then revoked the old one in January.) Am I thinking about that correctly?
Any help greatly appreciated. Cheers
Do you know the best way to get a new cert installed without breaking the (sort of) working certs? I'm afraid if I purchase a new cert, deliver it to Marketo, and it's installed, when I go to revoke the old one it will cause the same issue. (This is how I installed it the first time: I updated in December and then revoked the old one in January.) Am I thinking about that correctly?
Install the cert you want to upload to Marketo on another test server first, make sure it works in real life in all browsers, then give it to Marketo.
You don't have to revoke any certs unless their private key has been compromised. Just having an old cert that's moving out of circulation is fine, you don't need to revoke it.
Ah, thank you. This is exactly what I needed to know. The new cert is being installed, and I will now leave old expired certs in the account.
Thanks Sanford; your input is consistently the best in the community. Cheers.