I have a strange problem with one website's SSL certificate that only affects one computer Windows 7 operating system. The site works fine on other Win 7 computers with no error, pulling valid certificates. I do not own or administer the website, but because the site works perfectly on all other computers, I doubt it's a problem with the site. The "problem computer" is a Win 7 machine, and the error happens with every Win 7 user and every browser (or at least IE10, Chrome, and Firefox). I should add that when I boot this "problem computer" to Ubuntu from a USB key, a valid certificate is pulled.
The domain has private and public users, so I would rather not use the real domain here. Instead, I'll use one of Microsoft's fake domains (contoso.com
) to illustrate the problem. The certificate appears to apply to *.contoso.com
, but it only appears when I try to access https://a.contoso.com
. When I access https://b.contoso.com
, I get a different and valid certificate that also applies to *.contoso.com
.
EDIT: Browser/Win 7 images of the certificate errors deleted from the original post in favor of openssl output below.
This has been a problem since the certificate expired on December 10, 2014. I have tried going into certmgr.msc > Trusted Root Certification Authorities > Certificates and deleting all of the GeoTrust certificates for both the Current User and the Computer accounts. A new GeoTrust Global CA certificate appeared after reboot, but that did not resolve the situation. Again, this problem affects all users on only one computer regardless of the browser used. Further, it does not affect those same domain users if they log into another computer.
Here are some other solutions I've tried:
- Rebooting (of course).
- Using the Clear SSL State button in inetcpl.cpl > Content
- Accessing the site using this "problem computer" from several different public WiFi networks.
- Using
certutil -setreg chain\ChainCacheResyncFiletime @now
to invalidate current CRL cache entries as per http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx - Used the Copy to File button in the Certificate > Details box on a working computer to copy a working certificate to a file which I then transferred to and installed on the computer with the expired certificate. + reboot, no luck.
Am I correct in assuming this is a problem with the individual computer and not the site hosting the page? And if that's correct, is there a way to force this computer to drop the expired certificate and get the new one that all the other computers are getting?
UPDATE: I appear to be partially correct in my assumption that this is not a problem with the site hosting the page. I assumed it was a problem with the computer, itself, but now it appears to be a problem with the Win 7 operating system installed on this "problem computer" only. I come to this conclusion because other computers running Win 7 pull valid certificates and because this "problem computer" pulls a valid certificate when it is booted into Ubuntu from a USB key. Only when this "problem computer" boots into Win 7 does the expired certificate appear. With that knowledge, is there a way to expunge the expired certificate from Win 7 more successfully than the ones I've listed (which have all failed) above?
Thanks in advance.
Edit: here's the output from openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
on the "problem computer", using Cygwin from the Win 7 operating system. Note the Validity attribute that shows the certificate to expire on Dec 10 21:59:20 2014 GMT
:
$ openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 113752 (0x1bc58)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Validity
Not Before: Oct 8 16:20:07 2012 GMT
Not After : Dec 10 21:59:20 2014 GMT
Subject: serialNumber=ibWVTrZnhDvyhydnlXKodqBj0Azl-unn, C=US, ST=Colorado, L=Denver, O=ContosoCompany, OU=ContosoDepartment, CN=*.contoso.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:df:41:d1:5b:bd:00:68:2c:5e:72:65:39:b6:ac:
7d:67:46:64:f9:c7:07:93:89:80:bd:27:77:f0:40:
6f:61:3b:58:96:bc:cb:a3:f9:40:ad:63:27:b3:e3:
fb:c6:87:dc:c8:af:9e:0e:79:c4:e2:09:31:34:e8:
c4:2a:7c:77:f1:88:41:c3:b3:b4:88:50:d0:3b:c9:
34:ac:61:e2:4d:a1:cd:6d:4e:db:73:25:eb:b7:f7:
82:95:2d:48:10:f7:78:25:a8:c8:05:a0:bd:07:6b:
7c:b9:09:e4:73:1a:ae:b7:8b:cd:9a:ef:58:39:70:
c3:20:5d:ab:8e:f0:c3:fc:96:d9:07:80:e1:88:e8:
b3:83:18:1c:ba:28:9b:a6:45:7f:0f:98:9b:cb:53:
29:c6:9e:d5:9c:26:40:bd:81:0d:bc:b3:06:90:9a:
a3:25:98:bb:b1:b3:0d:e6:7f:4e:93:8e:ee:b4:de:
15:3c:45:ac:1f:41:3d:e1:5e:de:3c:bb:ce:97:40:
fa:10:43:1a:bc:44:2a:55:fe:c2:e0:e0:6a:c3:17:
08:a6:ca:51:de:44:0a:c0:28:32:58:a4:f5:1a:ed:
c0:8f:40:22:6a:05:1a:9c:2c:20:39:24:83:10:36:
a0:49:79:4b:50:9e:ea:e7:5d:d2:57:54:a5:a3:24:
6b:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:*.contoso.com, DNS:contoso.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
X509v3 Subject Key Identifier:
EE:49:78:68:84:FF:89:18:BE:21:E9:34:73:32:59:33:2E:93:B3:2B
X509v3 Basic Constraints: critical
CA:FALSE
Authority Information Access:
OCSP - URI:http://gtssl-ocsp.geotrust.com
CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: http://www.geotrust.com/resources/cps
Signature Algorithm: sha1WithRSAEncryption
82:bc:a7:50:e1:36:7c:c0:67:cc:40:56:7b:22:a2:c2:98:2c:
01:12:b0:6f:0d:01:97:4e:a6:19:5a:d0:eb:61:22:c8:6e:05:
07:a2:97:2a:4e:4f:0b:a4:af:f4:3b:2c:42:e4:21:6d:4a:b1:
e8:47:2c:71:56:fb:ec:49:59:97:a7:0f:54:f2:0e:06:cf:e7:
6a:4c:f7:33:d1:21:aa:bb:e2:a2:c1:85:8e:46:02:e5:e9:93:
eb:4e:aa:a5:78:e0:bc:94:a6:58:9d:b4:53:98:21:48:48:4c:
94:dd:3a:96:79:3d:08:ed:25:6c:16:31:1b:e3:a8:9d:4f:7e:
c7:9e:bf:d7:c5:06:e0:2e:05:94:54:7a:13:71:a7:8a:24:18:
e1:c3:51:16:e7:02:0d:07:71:e7:ae:d8:27:ed:7c:2b:ba:b7:
16:ac:95:50:f0:a4:30:1b:f4:4a:6b:ca:7a:f4:b4:f4:cb:d3:
29:87:a5:b6:03:59:94:c0:f3:7c:91:ee:e7:37:69:3f:b1:fe:
06:a6:62:12:91:30:c5:63:e0:f9:9f:af:a5:dd:de:15:b8:b6:
e7:df:78:7a:97:e7:a6:cc:f1:57:e2:b9:00:59:b1:52:03:9c:
de:b4:e5:4f:45:22:8a:69:26:5b:27:ca:45:98:d9:c3:5a:32:
d5:f7:27:c2
And here's the output from openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
on the "problem computer", running Ubuntu 14.04 from a USB key. Note the Validity attribute here that shows the a valid certificate which expires on Dec 5 14:21:24 2015 GMT
:
ubuntu@ubuntu:~$ openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 686155 (0xa784b)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA
Validity
Not Before: Dec 1 23:03:54 2014 GMT
Not After : Dec 5 14:21:24 2015 GMT
Subject: serialNumber=AEv6bwWEDDnubjaF1huAIm7G/hgmDTWE, OU=GT24051799, OU=See www.geotrust.com/resources/cps (c)14, OU=Domain Control Validated - QuickSSL(R), CN=a.contoso.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:48:ca:32:bb:e9:a3:f9:75:35:71:f2:c0:78:
2b:22:60:8d:36:91:20:46:d0:d4:09:d0:8d:fa:3e:
e2:bc:23:f6:c1:fc:03:2a:9a:79:da:12:e8:d2:1d:
b2:09:df:af:21:42:94:5c:88:68:43:51:57:40:26:
d1:b2:51:93:59:5e:ba:2f:41:de:c1:5c:04:e3:66:
a3:13:d5:87:de:71:83:cc:03:2a:06:c1:66:29:12:
c8:a5:32:91:74:0a:40:87:d4:e7:d8:32:c3:7e:aa:
57:75:c0:0e:19:75:27:9a:08:40:8c:1a:90:ab:e6:
3a:e7:8c:47:25:ec:d0:61:07:e2:da:a6:86:43:fa:
2b:40:0b:37:c2:63:7b:57:4e:fd:3a:54:ce:f9:c7:
b7:38:c1:2c:65:76:91:7e:84:85:90:c6:3e:65:5d:
e7:57:2f:2f:63:5a:ec:6b:77:6a:9e:9f:2b:f1:40:
c6:8f:14:77:ce:ee:3f:f1:e8:87:5f:a0:c0:18:39:
8b:63:df:a7:3a:68:39:c1:dc:9b:48:ec:65:75:07:
30:b2:6d:91:e8:42:41:cb:a7:33:64:01:21:e2:39:
ab:9d:64:7d:b2:24:2c:2c:69:b3:b1:36:ab:ed:93:
eb:3d:be:0f:2f:b3:13:47:78:ea:be:77:54:e2:be:
ba:71
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:8C:F4:D9:93:0A:47:BC:00:A0:4A:CE:4B:75:6E:A0:B6:B0:B2:7E:FC
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:a.contoso.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://gtssldv-crl.geotrust.com/crls/gtssldv.crl
X509v3 Subject Key Identifier:
B5:10:8A:28:BE:B2:E8:EA:D2:0C:A9:0B:78:BF:1A:4C:FF:CB:70:BE
X509v3 Basic Constraints: critical
CA:FALSE
Authority Information Access:
OCSP - URI:http://gtssldv-ocsp.geotrust.com
CA Issuers - URI:http://gtssldv-aia.geotrust.com/gtssldv.crt
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: http://www.geotrust.com/resources/cps
Signature Algorithm: sha1WithRSAEncryption
8c:da:2b:78:4e:bf:6e:d8:48:4f:2c:e5:5a:06:18:d7:39:99:
fd:29:9d:c4:c3:e4:6b:54:82:df:96:c2:84:49:e1:f6:2c:62:
e0:61:b8:5d:7c:ce:db:38:ab:5f:1c:79:e5:c3:d4:f1:35:2e:
6c:8e:a2:60:f1:69:9f:41:54:0d:f4:1c:76:5e:46:33:60:a1:
bb:22:a9:ca:a2:14:a2:6c:e5:c6:80:dd:cb:e7:0e:f2:8a:5e:
b0:e7:cb:d4:72:3d:01:4f:58:42:9c:7c:81:1f:6e:22:10:0f:
de:1c:d4:54:cd:8e:5c:4b:35:5f:5a:af:b0:78:9f:60:56:1b:
10:64:2d:b7:39:55:be:e2:14:b8:27:5c:af:0e:63:03:27:6a:
bd:a7:14:27:5d:fc:a3:d1:27:3b:e9:23:11:10:63:7d:77:2b:
b2:db:2e:14:d5:e6:eb:80:6d:fc:bd:af:bb:14:9d:28:9c:91:
a4:16:b5:4b:70:4d:54:df:5b:0f:3e:83:40:02:cd:56:fd:7a:
4c:a9:06:2b:45:40:ce:8e:ec:6c:6c:1b:b1:a8:c5:56:fd:60:
dc:f1:bc:7d:27:63:eb:b7:99:d9:ec:8f:63:d7:a0:b6:7b:ea:
b0:1e:b2:4c:89:0c:11:c4:c2:dd:1f:e7:ef:db:44:23:c8:52:
37:40:6a:10
Best Answer
Answer: The Win 7 operating on the "problem computer" had had its
c:\windows\system 32\drivers\etc\hosts
file edited. a.contoso.com was hard-coded to point to a particular IP address (say,AAA.BBB.CCC.90
). The site atAAA.BBB.CCC.90
still worked but it gave expired certificates. After creating a new site with new certificates (that oddly look the exact same as the old site) atAAA.BBB.CCC.145
, the site developers must have re-directed traffic bound for a.contoso.com to the new site atAAA.BBB.CCC.145
, which was serving valid certificates. I realized this by using running a trace route (tracert
) on one of the working computers which resolved a.contoso.com toAAA.BBB.CCC.145
. Runningtracert
on the "problem computer" yieldedAAA.BBB.CCC.90
. Browsing directly toAAA.BBB.CCC.145
on the problem computer resulted in a good site with a valid certificate! After I removed the line in host file of the "problem computer" directing traffic directly toAAA.BBB.CCC.90
, everything works just fine.Now, it seems that the problem wasn't actually with Win 7 certificates at all. The problem was with this machine directing its traffic to an old, obsolete site with old, expired certificates because the address of that site was hard-coded into its hosts file.
Thanks to everyone for helping me reach this conclusion and solve this problem.