
Firefox SSL Issues

Discussion in 'Suggestions & Bugs' started by ultima333, Dec 20, 2015.

  1. ultima333

    ultima333 Happy Sunflower Time Administrator

    Just something I'd like to bring to the attention of tehelgee and alethiophile

    In the IRC, a few Firefox users mentioned issues with accessing QQ. They received the message as follows:
    Code:
    "An error occurred during a connection to forum.questionablequesting.com. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)"
    Doing some research on the issue, it looks to be something with StartCom's responder server, something about it being overburdened. Other users who have reported the issue before have had it resolve itself, anywhere from ~12 hours to a couple days. Unfortunately, this seems to be an ongoing issue with StartCom.

    Short-term solution is to go to about:preferences#advanced in Firefox and uncheck "Query OCSP responder servers to confirm the current validity of certificates". However, doing so does present a slight security risk.

    Alternatively, another solution is to use a different browser in the meantime. Chrome users and IE users don't seem to be having any issue.


    Long-term solution, if this persists (which is unlikely), is to switch SSL providers, but that is both expensive and a hassle.


    tl;dr
    Our SSL provider is fucking up, Firefox users getting hit. Should resolve within a couple days. Meantime, use a different browser or disable an option.
    Can't fix it unless we're willing to spend both time and money to switch providers, and it hasn't happened before, so is unlikely.
     
    Last edited: Dec 21, 2015
  2. tehelgee

    tehelgee The stern gaze of justice. Administrator

    The only fix for us, as a client, would be to change to another SSL certifier, and that costs money. StartCom is free.
  3. alethiophile

    alethiophile Shadowed Philosopher Administrator

    I've switched to LetsEncrypt as TLS certificate provider. Hopefully this issue will not appear any further.
  4. Tsuzurao

    Tsuzurao Experienced.

    I've been away for a while, but I'm finding that I'm getting security certificate errors on QQ as well, but mine are limited to Google Chrome.

    Specifically, when I try to open any page on QQ on Chrome, I instead get a screen saying that "Your connection is not private", with the error code NET::ERR_CERT_INVALID. However, I'm able to browse and post using Firefox, which I used to make this post. Is anyone else having a similar error?
     
  5. ultima333

    ultima333 Happy Sunflower Time Administrator

    That's odd. I'm not getting any issues here.

    In the top left corner, on the left side of your URL bar, there's a little lock icon that shows up on HTTPS sites. Could you click on it, go to Connection, and copy the Certificate Information you find there?

    It should say something like Issued By: Let's Encrypt Authority
     
  6. Tsuzurao

    Tsuzurao Experienced.

    On Chrome, it says...

    This certificate has an invalid name. The name is not included in the permissions list or is explicitly excluded.


    Issued to: forum.questionablequesting.com

    Issued by: Let's Encrypt Authority X1

    Valid from 22/12/2015 to 21/03/2016



    On Firefox, the Certificate Viewer says in the Issued By section...

    Issued By:
    Common Name (CN): Let's Encrypt Authority X1
    Organization (O): Let's Encrypt
     
  7. ultima333

    ultima333 Happy Sunflower Time Administrator

    Well, that's the right cert authority that alethiophile switched to. But for some reason it got removed from your Chrome's list of accepted authorities.

    If you go to the site on Chrome and get the screen again, you can click on Advanced and then Proceed Anyways.
    I don't know why the entry was removed from your instance of Chrome but not mine or others'.


    However, if you want to troubleshoot it more...
    Could you go into Settings, show Advanced settings, go down to HTTPS/SSL and click Show Certificates? There will be a small window that pops up. When there, click the 'Trusted Root Certificate Authorities' tab and scroll down. Can you find an entry for 'DST Root CA X3'?

    Should look something like this.
     
  8. Tsuzurao

    Tsuzurao Experienced.

    The error screen doesn't give me a Proceed Anyways button, even under the Advanced section. I did find some advice somewhere that showed me to bypass it by typing 'danger' while on the screen, but the error screen comes back when I move to the next page, forcing me to repeat the process over and over again.

    Looking into the Advanced Settings, I do see an entry for DST Root CA X3, like you said.
     
  9. Ampersandwich

    Ampersandwich Outl&ish Gr& Panj&rum

    You're still running Windows XP, aren't you.

    If you can't upgrade to at least Windows 7 (or, perhaps, some flavor of Linux), you might as well get ready to stop using Chrome entirely. XP and Vista support is being discontinued in April 2016—even security updates.