10 Replies Latest reply on Mar 19, 2018 2:20 PM by Sanford Whiteman

    Firefox SSL for landing pages

    Jordan Bergeson

      None of our SSL protected landing pages will load in Firefox, but they load fine in Chrome, Safari.

       

      I've tested other web properties that use SSLs purchased from the same vendor, and installed in the same way, and they work in every browser.

       

      I haven't touched our SSL configuration in months. Is anyone else experiencing a problem?

       

      Our landing pages won't load and this will definitely impact our AdWords rankings... I marked my ticket as a P1, no response yet.

        • Re: Firefox SSL for landing pages
          Sanford Whiteman

          We will need an actual URL to help you.

          • Re: Firefox SSL for landing pages
            Josh Hill

            What sort of SSL cert do you have?

            • Re: Firefox SSL for landing pages
              Jordan Bergeson

              Sorry, I meant to paste it and forgot. (Removed other accidental link here.)

              Valant EHR

               

              The SSL cert for this is subdomain specific (not wildcard) to go.valant.com

               


              • Re: Firefox SSL for landing pages
                Jordan Bergeson

                For more context: I also purchased and installed certs from the same vendor at the same time on these properties, which still work in all browsers:

                 

                https://help.valant.com

                https://support.valant.com

                 

                That's why I'm leaning towards this being a Marketo issue?

                  • Re: Firefox SSL for landing pages
                    Sanford Whiteman

                    It's not a Marketo issue, your cert has actually been revoked:

                     

                    WARNING: no nonce in response
                    Response verify OK
                    C:\Scripts\common\curl\bin\valant.cer: revoked
                            This Update: Mar 16 17:18:14 2018 GMT
                            Next Update: Mar 18 05:18:14 2018 GMT
                            Reason: (UNKNOWN)
                            Revocation Time: Jan 19 22:40:13 2018 GMT
                    

                     

                    The reason you see this in Firefox and not, for example, in Chrome is that Firefox uses OCSP to check revocation, but Chrome uses the old CRL method, which can be out of date.

                  • Re: Firefox SSL for landing pages
                    Sanford Whiteman

                    And by the way, you forgot to check IE and Edge, which also honor OCSP. Chrome and Safari (both WebKit-based) are being way too permissive here. No one should be allowed to hit the site with an OCSP-revoked cert.

                     

                    See screenshots from other browsers:

                     

                    • Re: Firefox SSL for landing pages
                      Jordan Bergeson

                      Yikes, thanks for the help Sanford.

                       

                      I'm having trouble understanding how it was revoked yet everything in GoDaddy still says it's working as expected. (We initially had 2 certs for this domain but I revoked the OLD one. Not this one. Seems like there was some confusion there on what cert was revoked and deleted from our account).

                       

                      Do you know the best way to get a new cert installed without breaking the (sort of) working certs? I'm afraid if I purchase a new cert, deliver it to Marketo, and it's installed, when I go to revoke the old one it will cause the same issue. (This is how I installed it the first time: I updated in December and then revoked the old one in January.) Am I thinking about that correctly?

                       

                      Any help greatly appreciated. Cheers

                        • Re: Firefox SSL for landing pages
                          Sanford Whiteman

                          Do you know the best way to get a new cert installed without breaking the (sort of) working certs? I'm afraid if I purchase a new cert, deliver it to Marketo, and it's installed, when I go to revoke the old one it will cause the same issue. (This is how I installed it the first time: I updated in December and then revoked the old one in January.) Am I thinking about that correctly?

                          Install the cert you want to upload to Marketo on another test server first, make sure it works in real life in all browsers, then give it to Marketo.

                           

                          You don't have to revoke any certs unless their private key has been compromised. Just having an old cert that's moving out of circulation is fine, you don't need to revoke it.

                          1 of 1 people found this helpful
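
The OCSP check quoted earlier in the thread, written as a gate to run on a new cert before handing it to the hosting provider. This is an added example, not code from any poster; the function names (`ocsp_verdict`, `ocsp_revoked_at`, `check_cert`) and the chain-file layout are assumptions of the example, and the sample text is constructed from the output shown above with the file path shortened.

```shell
#!/bin/sh
# Added example (not from the thread): pre-deployment OCSP revocation check.

# ocsp_verdict: read `openssl ocsp` text (stdout and stderr) on stdin and
# print one word: good | revoked | unknown | unverified.
# "unverified" means the responder's signature did not verify or no status
# line was found, so the answer must not be trusted either way.
ocsp_verdict() {
    tr -d '\r' | awk '
        /Response verify OK/            { verified = 1 }
        /: (good|revoked|unknown) *$/   { status = $NF }
        END {
            if (verified && status != "") print status
            else print "unverified"
        }'
}

# ocsp_revoked_at: print the revocation timestamp, if the response has one.
ocsp_revoked_at() {
    tr -d '\r' | sed -n 's/^[[:space:]]*Revocation Time:[[:space:]]*//p'
}

# check_cert LEAF CHAIN: ask the responder named in LEAF's AIA extension.
# Assumption: CHAIN is a PEM file whose first cert is LEAF's issuer, followed
# by the rest of the chain up to the root, so it serves as -issuer and -CAfile.
# Returns 0 only when the responder answers "good".
check_cert() {
    leaf=$1; chain=$2
    url=$(openssl x509 -noout -ocsp_uri -in "$leaf") || return 2
    [ -n "$url" ] || { echo "no OCSP responder URL in $leaf" >&2; return 2; }
    out=$(openssl ocsp -issuer "$chain" -CAfile "$chain" -cert "$leaf" \
              -url "$url" -no_nonce 2>&1)
    verdict=$(printf '%s\n' "$out" | ocsp_verdict)
    echo "$leaf: $verdict"
    [ "$verdict" = good ]
}

# Constructed sample modelled on the output quoted in the thread
# (file name shortened to a placeholder).
SAMPLE_REVOKED='WARNING: no nonce in response
Response verify OK
valant.cer: revoked
        This Update: Mar 16 17:18:14 2018 GMT
        Next Update: Mar 18 05:18:14 2018 GMT
        Reason: (UNKNOWN)
        Revocation Time: Jan 19 22:40:13 2018 GMT'
```

Run `check_cert new-cert.pem chain.pem` against the cert you are about to upload; a non-zero exit means the responder did not answer "good" and the cert should not be deployed.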