• The site has now migrated to Xenforo 2. If you see any issues with the forum operation, please post them in the feedback thread.
  • Due to issues with external spam filters, QQ is currently unable to send any mail to Microsoft E-mail addresses. This includes any account at live.com, hotmail.com or msn.com. Signing up to the forum with one of these addresses will result in your verification E-mail never arriving. For best results, please use a different E-mail provider for your QQ address.
  • For prospective new members, a word of warning: don't use common names like Dennis, Simon, or Kenny if you decide to create an account. Spammers have used them all before you and gotten those names flagged in the anti-spam databases. Your account registration will be rejected because of it.
  • Since it has happened MULTIPLE times now, I want to be very clear about this. You do not get to abandon an account and create a new one. You do not get to pass an account to someone else and create a new one. If you do so anyway, you will be banned for creating sockpuppets.
  • Due to the actions of particularly persistent spammers and trolls, we will be banning disposable email addresses from today onward.
  • The rules regarding NSFW links have been updated. See here for details.

Firefox SSL Issues

ultima333

Happy Sunflower Time
Administrator
Joined
Apr 3, 2014
Messages
3,485
Likes received
18,033
Just something I'd like to bring to the attention of tehelgee and alethiophile

In the IRC, a few Firefox users mentioned issues with accessing QQ. They received the message as follows:
Code:
"An error occurred during a connection to forum.questionablequesting.com. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

Doing some research on the issue, it looks to be something with StartCom's responder server, something about it being overburdened. Other users who have reported the issue before have had it resolve itself, anywhere from ~12 hours to a couple days. Unfortunately, this seems to be an ongoing issue with StartCom.

Short-term solution is to go to about:preferences#advanced in Firefox and uncheck "Query OCSP responder servers to confirm the current validity of certificates". However, doing so does present a slight security risk.

Alternatively, another solution is to use a different browser in the meantime. Chrome users and IE users don't seem to be having any issue.


Long-term solution, if this persists (which is unlikely), is to switch SSL providers, but that is both expensive and a hassle.


tl;dr
Our SSL provider is fucking up, Firefox users getting hit. Should resolve within a couple days. Meantime, use a different browser or disable an option.
Can't fix it unless we're willing to spend both time and money to switch providers, and it hasn't happened before, so is unlikely.
 
Last edited:
I've switched to LetsEncrypt as TLS certificate provider. Hopefully this issue will not appear any further.
 
I've been away for a while, but I'm finding that I'm getting security certificate errors on QQ as well, but mine are limited to Google Chrome.

Specifically, when I try to open any page on QQ on Chrome, I instead get a screen saying that "Your connection is not private", with the error code NET::ERR_CERT_INVALID. However, I'm able to browse and post using Firefox, which I used to make this post. Is anyone else having a similar error?
 
I've been away for a while, but I'm finding that I'm getting security certificate errors on QQ as well, but mine are limited to Google Chrome.

Specifically, when I try to open any page on QQ on Chrome, I instead get a screen saying that "Your connection is not private", with the error code NET::ERR_CERT_INVALID. However, I'm able to browse and post using Firefox, which I used to make this post. Is anyone else having a similar error?
That's odd. I'm not getting any issues here.

In the top left corner, on the left side of your URL bar, there's a little lock icon that shows up on HTTPS sites. Could you click on it, go to Connection, and copy the Certificate Information you find there?

It should say something like Issued By: Let's Encrypt Authority
 
On Chrome, it says...

This certificate has an invalid name. The name is not included in the permissions list or is explicitly excluded.


Issued to: forum.questionablequesting.com

Issued by: Let's Encrypt Authority X1

Valid from 22/12/2015 to 21/03/2016



On Firefox, the Certificate Viewer says in the Issued By section...

Issued By:
Common Name (CN): Let's Encrypt Authority X1
Organization (O): Let's Encrypt
 
On Chrome, it says...

This certificate has an invalid name. The name is not included in the permissions list or is explicitly excluded.


Issued to: forum.questionablequesting.com

Issued by: Let's Encrypt Authority X1

Valid from 22/12/2015 to 21/03/2016



On Firefox, the Certificate Viewer says in the Issued By section...

Issued By:
Common Name (CN): Let's Encrypt Authority X1
Organization (O): Let's Encrypt
Well, that's the right cert authority that alethiophile switched to. But for some reason it got removed from your Chrome's list of accepted authorities.

If you go to the site on Chrome and get the screen again, you can click on Advanced and then Proceed Anyways.
I don't know why the entry was removed from your instance of Chrome but not mine or others'.


However, if you want to troubleshoot it more...
Could you go into Settings, show Advanced settings, and go down to HTTPS/SSL and click Show Certificates, there will be a small window that pops up. When there, click the 'Trusted Root Certificate Authorities' tab, scroll down. Can you find an entry for 'DST Root CA X3' ?

Should look something like this.
 
Well, that's the right cert authority that alethiophile switched to. But for some reason it got removed from your Chrome's list of accepted authorities.

If you go to the site on Chrome and get the screen again, you can click on Advanced and then Proceed Anyways.
I don't know why the entry was removed from your instance of Chrome but not mine or others'.


However, if you want to troubleshoot it more...
Could you go into Settings, show Advanced settings, and go down to HTTPS/SSL and click Show Certificates, there will be a small window that pops up. When there, click the 'Trusted Root Certificate Authorities' tab, scroll down. Can you find an entry for 'DST Root CA X3' ?

Should look something like this.
The error screen doesn't give me a Proceed Anyways button, even under the Advanced section. I did find some advice somewhere that showed me to bypass it by typing 'danger' while on the screen, but the error screen comes back when I move to the next page, forcing me to repeat the process over and over again.

Looking into the Advanced Settings, I do see an entry for DST Root CA X3, like you said.
 
I've been away for a while, but I'm finding that I'm getting security certificate errors on QQ as well, but mine are limited to Google Chrome.

Specifically, when I try to open any page on QQ on Chrome, I instead get a screen saying that "Your connection is not private", with the error code NET::ERR_CERT_INVALID. However, I'm able to browse and post using Firefox, which I used to make this post. Is anyone else having a similar error?

You're still running Windows XP, aren't you.

If you can't upgrade to at least Windows 7 (or, perhaps, some flavor of Linux), you might as well get ready to stop using Chrome entirely. XP and Vista support is being discontinued in April 2016—even security updates.
 

Users who are viewing this thread

Back
Top