
Certificate Revocation Issue

178 points by directionless, over 8 years ago

23 comments

andrem, over 8 years ago
The handling of this has been quite terrible. The article is the first "good" communication about an event that started 7 hours prior. And according to the communication it will take another 4 days to solve completely.

Before this, the Technical Solutions Director tweeted solutions that did not work for end users, but highlighted a typical IT-centric approach to problem resolution ("Works, what's the problem?") [1]

For anyone not already aware, check out Let's Encrypt. I am evaluating it for about 200 domains now in earnest after having it on my horizon for some time. At least to have it ready as a fallback. [2]

Getting 200 EV certificates in a hurry from a different CA has been costly this morning.

[1] - https://twitter.com/vanbroup/status/786548172864626690
[2] - https://letsencrypt.org/
samuelb, over 8 years ago
In case you can't access their website:

Dear Valued GlobalSign Customer,

As most of you are aware, we are experiencing an internal process issue (details below) that is impacting your business. While we have identified the root cause, we deeply apologize for the problems this is causing you and wanted to ensure you that we are actively resolving the issue.

GlobalSign manages several root certificates and for compatibility and browser ubiquity reasons provides several cross-certificates between those roots to maximize the effectiveness across a variety of platforms. As part of a planned exercise to remove some of those links, a cross-certificate linking two roots together was revoked. CRL responses had been operational for 1 week, however an unexpected consequence of providing OCSP responses became apparent this morning, in that some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.

GlobalSign has since removed the cross-certificate from the OCSP database and cleared all caches. However, the global nature of CDNs and effectiveness of caching continued to push some of those responses out as far as end users. End users cannot always easily clear their caches, either through lack of knowledge or lack of permission. New users (visitors) are not affected as they will now receive good responses.

The problem will correct itself in 4 days as the cached responses expire, which we know is not ideal. However, in the meantime, GlobalSign will be providing an alternative issuing CA for customers to use instead, issued by a different root which was not affected by the cross-certificate that was revoked, but offering the same ubiquity and not requiring the certificate itself to be reissued.

We are currently working on the detailed instructions to help you resolve the issue and will communicate those instructions to you shortly.

Thank you for your patience.

Lila Kee, Chief Product Officer, GMO GlobalSign

US +1 603-570-7060 | UK +44 1622 766 766 | EU +32 16 89 1900 www.globalsign.com/en
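The notice above describes two things interacting: cross-certificates give a leaf certificate more than one path to a trust anchor, and a cached "revoked" status for one certificate on one of those paths can make a client report the whole chain as revoked. The following Python is an added illustration written for this page, not GlobalSign's material or any browser's code. The hierarchy (RootA, RootB, a cross-certificate "RootB signed by RootA", IntermediateX, a leaf), the serial numbers, and the two validator behaviours ("stop at the first path" versus "try every path") are constructed assumptions; the point is to show why revoking only the cross-certificate can still surface as a revoked site on some clients, and why clearing the cached status fixes it.

```python
"""Toy model of X.509 path building with a cross-certificate and a cached
revocation status.  Constructed example: names, serials and validator
behaviours are assumptions for illustration, not GlobalSign's real PKI."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# (issuer name, serial) identifies a certificate, which is also the key an
# OCSP response is cached under.
RevocationCache = Set[Tuple[str, str]]


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str


# Constructed hierarchy (assumption, not the real GlobalSign roots).
ROOT_A = Cert("RootA", "RootA", "01")          # older self-signed root
ROOT_B = Cert("RootB", "RootB", "02")          # newer self-signed root
CROSS_B_BY_A = Cert("RootB", "RootA", "10")    # cross-certificate: RootB signed by RootA
INTER_X = Cert("IntermediateX", "RootB", "20")
LEAF = Cert("www.example.test", "IntermediateX", "30")

# Pool order matters for a client that stops at the first path it finds;
# here the cross-certificate is discovered before the self-signed RootB.
POOL: List[Cert] = [LEAF, INTER_X, CROSS_B_BY_A, ROOT_A, ROOT_B]
ANCHORS = frozenset({"RootA", "RootB"})        # both roots are trusted


def issuers_of(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Every certificate in the pool whose subject matches cert.issuer."""
    return [c for c in pool if c.subject == cert.issuer]


def build_paths(leaf: Cert, pool: List[Cert], anchors) -> List[List[Cert]]:
    """Depth-first enumeration of all paths from leaf up to a self-signed anchor."""
    paths: List[List[Cert]] = []

    def walk(path: List[Cert]) -> None:
        top = path[-1]
        if top.subject in anchors and top.issuer == top.subject:
            paths.append(path)          # reached a trusted self-signed root
            return
        for cand in issuers_of(top, pool):
            if cand in path:            # never revisit a certificate (loops)
                continue
            walk(path + [cand])

    walk([leaf])
    return paths


def path_ok(path: List[Cert], revoked: RevocationCache) -> bool:
    """A path is acceptable only if no certificate on it is cached as revoked."""
    return all((c.issuer, c.serial) not in revoked for c in path)


def first_path_validator(leaf: Cert, pool: List[Cert], anchors,
                         revoked: RevocationCache) -> str:
    """Client that builds one path and stops: a revoked certificate on that
    path is reported as 'revoked' without trying an alternative path."""
    paths = build_paths(leaf, pool, anchors)
    if not paths:
        return "no path"
    return "ok" if path_ok(paths[0], revoked) else "revoked"


def any_path_validator(leaf: Cert, pool: List[Cert], anchors,
                       revoked: RevocationCache) -> str:
    """Client that accepts the leaf if any path to an anchor is clean."""
    paths = build_paths(leaf, pool, anchors)
    if not paths:
        return "no path"
    return "ok" if any(path_ok(p, revoked) for p in paths) else "revoked"


def scenario() -> Dict[str, str]:
    """Run the three stages described in the notice and return each verdict."""
    cross_revoked: RevocationCache = {(CROSS_B_BY_A.issuer, CROSS_B_BY_A.serial)}
    results = {
        # Stage 1: before the cross-certificate was revoked.
        "before/first_path": first_path_validator(LEAF, POOL, ANCHORS, set()),
        # Stage 2: cross-certificate revoked and the status cached by clients.
        "revoked/first_path": first_path_validator(LEAF, POOL, ANCHORS, cross_revoked),
        "revoked/any_path": any_path_validator(LEAF, POOL, ANCHORS, cross_revoked),
        # Stage 3: the client's cache is cleared (or the entry expires).
        "cache_cleared/first_path": first_path_validator(LEAF, POOL, ANCHORS, set()),
    }
    return results


if __name__ == "__main__":
    for stage, verdict in scenario().items():
        print(f"{stage:26s} -> {verdict}")
```

Two of the verdicts are the interesting ones: with the cross-certificate cached as revoked, the first-path client reports the leaf as revoked even though nothing issued by RootB was touched, while the any-path client still succeeds via the direct RootB path. Emptying the cache, which is what the OS X `sqlite3` command further down the thread does for the real OCSP cache, returns the first-path client to "ok" without reissuing anything.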
SysArchitect, over 8 years ago
This worked for me on OS X:

    sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM ocsp WHERE hex(serialNum) IN ("040000000001444EF03E20", "040000000001444EF04247");'

What a pain in the behind :/
0x0, over 8 years ago
How does their SSL warranty play into this? Will they have to pay $1.250.000 for each OrganizationSSL certificate? https://www.globalsign.com/repository/globalsign-warranty-policy.pdf
johnjuuljensen, over 8 years ago
I bought new certificates, for a new set of domains, through AlphaSSL today. One hour later customers start calling, complaining about revoked certificates. Initially I assumed they had screwed up somehow and revoked our old certs, but after reports saying that it worked with some browsers and failed on others I started googling for recent related issues, and found out about GlobalSign.

Man, do they suck at communication. We're now 14 hours into the incident. 6-7 hours ago they posted a troubleshooting guide, promising new intermediate certificates for AlphaSSL, and I've just been informed by their support that it'll be another hour before they're ready.

It's now 02:00 in DK, so I can expect the new certs at 3 and be done by 4.

Fun night.

Thanks GlobalSign.

P.S. Also thanks to the guy who made their marketing department stop tweeting IoT crap while this is going on. That pissed me off.
gdeglin, over 8 years ago
This broke bootstrapcdn.com, Bootstrap's official CDN. So the effects are extremely widespread even for non-GlobalSign clients.
byuu, over 8 years ago
Since this may take days to resolve completely, here's a temporary workaround for Chrome users -- launch your browser with this flag:

    chrome --ignore-certificate-errors

You'll still know when sites have bad certificates due to the red line drawn through the https:// portion of the URL. But you will be able to access these sites. But be sure to stop using this flag as soon as you can. It could leak secure cookies to a MitM with a fake cert. Very slim odds of that, but still undesirable. Yet Chrome left us with no other option here.

I must say though, I'm increasingly frustrated by software vendors trying to strip away control over our own machines. There is no option at all from the standard error message, even under advanced, to indicate that you know about this problem and wish to proceed. And I'm sure it's only a matter of time before they remove this command-line option as well.

I get that novices probably need some protection, but I really wish there were a way to say that, "yes, I really do know what I'm doing, please stop treating me like a toddler." So instead, I'm forced to use a much less safe, hidden command-line option or be locked out of various sites for four whole days.
gcr, over 8 years ago
What reputable certificate authorities are left besides Let's Encrypt?
directionless, over 8 years ago
Updates:
https://news.ycombinator.com/item?id=12712279
https://downloads.globalsign.com/acton/attachment/2674/f-06d2/1/-/-/-/-/globalsign-incident-report-13-oct-2016.pdf
ComodoHacker, over 8 years ago
> some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.

So it's not their failure but the browsers'? Which ones then, and what versions?
jolux, over 8 years ago
I didn't even know that this was what was going on until I saw this on HN, and I've been experiencing it all day today.
typicalrunt, over 8 years ago
This killed one of our main webapps, but since the site was hosted on AWS, I provisioned an ACM certificate (free) in about 5 minutes and manually applied it to the ELB listener. Couldn't have been easier.

Today's weirdness and the communication around it has made me trust GlobalSign a lot less now.
nodesocket, over 8 years ago
Affecting SoundCloud, though I'm not seeing any SSL issues on my end.

http://status.soundcloud.com/day/2016/10/13
okket, over 8 years ago
Revoking keys (and the necessary checking that it requires) will never work IMHO. The only way to solve this problem is short key signature lifetimes, automated signatures and, if compromised, just no re-signature.

Let's Encrypt is one way, although the lifetime of 3 months is a bit too long. One month or even less would be better. Additional verification and checks via DANE/DNSSEC help to shorten the impact of a compromised key. Constant checking for revocations does not. Again: IMHO.
kirankn, over 8 years ago
This issue affected me as soon as I upgraded my Chrome to v54 yesterday. It broke all my CDN-hosted files which were using the AlphaSSL wildcard certificate. We were experiencing low traffic and realized this may have been the issue. Got into chat support with ssl2buy, who provided me with a Comodo wildcard certificate. It was a pain to recreate and install the certs everywhere. But we didn't want to lose any more traffic.
Rufal, over 8 years ago
https://support.globalsign.com/customer/portal/articles/2599710-ocsp-revocation-errors---troubleshooting-guide

They are in the process of fixing certificates. I know of many that are now OK. Too bad I already bought new ones; won't be going back.
ziggrat, over 8 years ago
Once we understood that this was caused by the Chrome update, we contacted them and got a free Comodo certificate from AlphaSSL.
novaleaf, over 8 years ago
It looks like this is impacting sites hosted on Google Cloud using the load balancer (you upload your cert, and I'm using a GlobalSign cert). I am getting 502 errors via mobile, but via desktop it's fine.

Anyone else use GlobalSign via the Google load balancer who can confirm?
sinatra, over 8 years ago
I've been wanting to switch all our certificates to Let's Encrypt for almost one year. But there was always something else which needed my attention more urgently.

So, I guess, thank you GlobalSign for forcing me to finally make the switch!
rahkiin, over 8 years ago
Luckily I don't have many tenants yet: I replaced my wildcard AlphaSSL with a couple of Let's Encrypt certs to fill the 4-day gap. Four days of inaccessibility is just not acceptable.

This is a real mess.
gamache, over 8 years ago
My company uses Google Firebase and Fastly CDN, and we're affected by this issue through both hosts.
sparky_, over 8 years ago
I assume this explains why so many people are experiencing random SSL issues today.
terom, over 8 years ago
Easy, they just need to revoke the revocation.

What do you mean, X.509 doesn't support that? :P