StartSSL certificate gives SEC_ERROR_REVOKED_CERTIFICATE in Firefox and ERR_CERT_AUTHORITY_INVALID in Chrome

I have some bad news for you. StartSSL's certificates are no longer trusted by Chrome, Firefox, and soon other browsers, beginning with newly issued certificates first. StartSSL won't tell you this of course and will happily sell you new certs, continuing their extremely shady pattern of behaviour.

At this point all I can recommend is damage control by purchasing another wildcard cert (assuming you won't/can't use Certbot?) from somewhere like cheapsslsecurity.com. No affiliation, just a previous customer and they were cheap and easy to use.

Your new certificate is no good any more, and you must replace it.


StartSSL confirmed that this is because of the partially revoked StartCom root certificate. They are working on getting their root certificate fully trusted by browsers again. It sounds like end of February would be the earliest time frame, so not in time to help my certs that expire in two weeks. :-(

To: Stephen Ostermiller,

This electronic mail message was created by StartCom's Administration Personnel:

Hello,

All certificates issued before 21.10.2016 are not affected. Certificates issued after 21.10.2016 are distrusted in Chrome, Firefox and Safari browsers.

Official document about distrust > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

We are working hard on remediation plan (https://bugzilla.mozilla.org/show_bug.cgi?id=1311832), and we are doing everything to regain trust ASAP. One of the steps already fully done - https://startssl.com/NewsDetails?date=20160919

We have some delays with an interim solution but will have more information only later in February.

Please accept our apologies for the inconvenience.

Please do not reply to this email. This is an unmonitored email address, and replies to this email cannot be responded to or read. If you have any question or comments, just click Here ((https://startssl.com/reply) to send your question to us, thanks.

Best Regards
StartComâ„¢ Certification Authority

Qualys SSL Labs

As to why Qualys SSL Labs doesn't report the error, I found a thread in their forums that says that they would have to hard code a specific case for it because the revokation was not handled in the normal way. They have not done so yet, but they have a bug open to do so.

CA was not ordinary revoked, so there is no way of knowing just looking at OCSP or CRL for revoked certificates. StartCom has according to Mozilla, Google and Apple violated several rules, but because StartCom is one of the leading certificate authority it would be just too big action to simply revoke CA certificate, millions of web pages would stop working. They decided that they will stop trusting new issued certificates by this CA starting with new version of browser. This was announced like two months ago, so web administrators have had time to get new certificate from other CA.

This not to trust change of CA is hard-coded in NEW versions of browsers, so in order to have some useful results on ssllabs.com, this rules should also be hard-coded in test. Not the most pretties solution, but it looks the only one.

Firefox

Mozilla Security Blog: Distrusting New WoSign and StartCom Certificates

Chrome

Google and Chrome Distrusting WoSign and StartCom Certificates

Chrome is removing gradually dis-trusting these certificates with subsequent browser releases.

  • Chrome 56 distrusts all certificates issued after October 21, 2016.
  • Chrome 57 also distrusts all old certificates unless the site is in the Alexa top one million sites.
  • Chrome 58 also distrusts all old certificates unless the site is in the Alexa top 500,000.
  • Chrome 61 distrusts ALL certificates signed by StartSSL and WoSign

Safari

Apple and Safari Blocking Trust for WoSign CA Free SSL Certificate G2

The end of StartCom

I received the following email from StartCom about them shutting down:

Dear customer,

As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in Startcom's website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.

StartCom would like to thank you for your support during this difficult time.

StartCom is contacting some other CAs to provide you with the certificates needed. In case you don't want us to provide you an alternative, please, contact us at [email protected]

Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.

Best regards, StartCom Certification Authority