Crl-file causing SSL_ERROR_EXPIRED_CERT_ALERT

mdconner · November 28, 2018, 3:00pm

Using v1.8.10 on RHEL 7, I get the mentioned error in Firefox where the HTTPS frontend bind is as follows:

bind <IP>:443 name https ssl crt <server pem> ca-file <ca pem> verify required crl-file <x509>

I’m pretty confident the crt, ca and crl files are correct.

I get the same error using “verify optional”

If I add “crt-ignore-err all”, I get SSL_ERROR_UNKNOWN_CA_ALERT

If I add "crt-ignore-err all ca-ignore-err all ", I get “page isn’t redirecting properly. problem may be caused by disabling or refusing to accept cookies”

Without crl-file , the application works successfully.

Any ideas to correct or debug?

lukastribus · November 28, 2018, 5:04pm

Well the error says that the certificate is expired, but perhaps it is the crl file that is actually expired.

Can you check:

openssl crl -in <your-crl-file-here> -text

mdconner · November 28, 2018, 5:15pm

Under Issuer, has Last Update of May 2018 and Next Update of May 2019.

Under Revoked Certificates, it has Revocation Date of May 2007 & Invalidity Date of May 2007.

Does this mean it’s expired?

lukastribus · November 28, 2018, 5:47pm

Which certificate does it refer to as revoked? If that’s the client certificate you are using, then yes, it means the client certificate was revoked by the CA, and when using the CRL, it is denied.

Topic		Replies	Views
Certificate not trusted/unknown once CRL is configured Help!	5	1437	November 15, 2021
CRL list problem Help!	2	2314	May 8, 2018
Crl-file causes client authentication failure Help!	2	914	August 30, 2019
Allow Expired Certs but do CA Verification Help!	3	2630	October 10, 2019
Configuring crl-file breaks valid certificates Help!	3	468	November 16, 2021

Crl-file causing SSL_ERROR_EXPIRED_CERT_ALERT

Related Topics