Opera Developer tools reports issues with site's certificate chain

In connection with the topic about Safari and Firefox being unable to establish a secure connection, I decided to look at the Opera and Vivaldi Developer tools.

The first time I checked a page in Vivaldi, the Security Overview indicated "Page not secure" but there were no error callouts beneath that! I subsequently returned there after looking in Opera and did not get that notice. Now I get:
Security Overview
This page is secure (valid HTTPS).
Valid Certificate
The connection to this site is using a valid, trusted server certificate.
View certificate
Secure Connection
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_ECDSA with P-256), and a strong cipher (AES_128_GCM).
Secure Resources
All resources on this page are served securely.

So I looked at Opera. Under Developer Tools, Security, it says:
Security Overview
This page is not secure.
Certificate error
There are issues with this site’s certificate chain (net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION).

View certificate
Secure Connection
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_ECDSA with P-256), and a strong cipher (AES_128_GCM).
Secure Resources
All resources on this page are served securely.

I get the same report for each of the main menu selections (Home, Play, etc.).

Viewing the certificate, it is indicated as Cloudflare, valid, expiring 14 Jan 2018.

I believe my Keychain Certificate preferences are default settings.

Supporting info:

This seems to be a problem on your side, since your client should look up the revocation status of the server certificate.
The certificate chain itself looks valid for me and Firefox doesn’t tell me anything about it being revoked or being unable to verify that.
Do you have similar errors on other websites with a Cloudflare certificate?

I do not know. When I look at the list of certificates in Keychain Access, Cloudflare does not appear. What is listed is under System Roots: Baltimore CyberTrust Root. The only reason I know that is because the OGS issue revealed Cloudflare and that led to Baltimore. Originally I looked at the list for Cloudflare and…where the devil is it? Is Cloudflare buried in any of the other ~300 certificates? How do I find out?

The only time I’ve had problems with certificates was at KGS where they weren’t getting renewed and I had to put an exception in Java and maybe a couple times at DGS when a renewal was overlooked.

I do not understand this stuff. It seems to me that if I played here using my versions of OS X and Safari without a problem for a number of days and then from the day of the OGS upgrade cannot, I’d first look at what changed on OGS’s side. Even if the problem is at this end, how in the world does it get debugged if you cannot say what changed that might be revealing a problem? If I’m going to contact Apple Tech Support, I think they’d want a little extra info other than that some piddly little website delivered an upgrade and then something doesn’t work.

Besides, all the problem reports ensuing from the upgrade do not instill confidence that the problem lies elsewhere. Is it possible that it is not OGS and is something in the certificates?

(net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION) means a test of something failed. There was more than one certificate, what is tested where and how by what that results in such an error?

Note this: The error report says that there is an error in the certificate chain. It looks to me like there are three certificates in all. How do you know which one of those might be where the error is being detected?

If nothing at all changed in the certificates and nothing changed in my software I do not see how the problem is at my end. That seems like something happened in the middle. That might reveal a problem at my end. My ability to troubleshoot issues like this is limited.

I didn’t register “Firefox”. I have been unable to load OGS with Firefox, as with Safari. Opera and Vivaldi work. Here’s what I get from Firefox:

Secure Connection Failed
The connection to online-go.com was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Show Site information tells me the connection is not secure and you have not granted the site any special permissions.

I can look at the Developer Tools, Debugger, and see relevant buzzwords but am unclear where, by what software, the problem is being detected. Why would both Safari and Firefox pick up on something those others don’t?

When I try loading https://online-go.com with Firefox I get these messages in Console:
2/18/17 7:53:00.313 PM Console[18246]: Marker - Feb 18, 2017, 7:53:00 PM
2/18/17 7:53:04.554 PM com.avast.proxy[269]: SecTrustEvaluate(): online-go.com: 7
2/18/17 7:53:04.557 PM com.avast.proxy[269]: SSL_accept(): Broken pipe

When I try with Safari I get:
2/18/17 7:56:56.388 PM Console[18246]: Marker - Feb 18, 2017, 7:56:56 PM
2/18/17 7:57:00.229 PM com.avast.proxy[269]: SecTrustEvaluate(): online-go.com: 7
2/18/17 7:57:00.231 PM com.avast.proxy[269]: SSL_accept(): Broken pipe
2/18/17 7:57:00.249 PM com.avast.proxy[269]: SSL_accept(): inappropriate fallback
2/18/17 7:57:00.269 PM com.avast.proxy[269]: SSL_accept(): wrong version number

Or if it has something to do with Avast (antivirus) why would it return an error when I use one browser but not another?

Additional info from Firefox. Page Info/Security:

I just ran OGS through ssllabs, here’s the result:

There are actually multiple chains and cert #4 doesn’t get trusted. But the others are, and their status is good, so that shouldn’t be a problem.

That avast thing looks interesting. Seems like all your browsers go through it to verify the revocation status and somehow the connection collapses. So could you deactivate that thing and try again?

Also, as you can see in the above link, Cloudflare does not use its own root certificate, but is signed by Baltimore CyberTrust or COMODO, which is itself signed by AddTrust. That shouldn’t be a problem though.


Okay, so now we know why there is a problem about checking revocation status, there’s an untrusted certificate. What is the point of having an untrusted certificate? I do not understand this stuff.

Avast is my antivirus thing. You think I should volunteer as sacrificial lamb, shut it off and then visit this site?? Convince me. How about OGS gets itself a bug-free certificate and we test that out?

Unanswered (by OGS) questions: What if anything changed about the certificate(s) before and after the upgrade? Why isn’t Certificate 4 trusted? When did it become untrusted?

Okay, here’s some stuff from Avast Help that relates to your question, in particular it mentions dropping the connection:

SSL/TLS scanning
The proxy is capable of scanning secured connections when enabled. Avast generates “trusted” and “untrusted” SSL CA certificates during installation. The trusted certificate goes into the System Roots keychain. On a secured connection, the proxy initiates the SSL handshake with the destination server, checks the SSL certificate, and sends a new CA certificate signed with the Avast “trusted” or “untrusted” label to the client.

The recreated certificate signing is done according to the following rules:

Re-signs verified certificates with a “trusted” CA certificate
Re-signs certificates that cannot be found or are self-signed with an “untrusted” CA certificate
Certificates that are expired, revoked, or invalid are not re-signed and the connection is dropped
Applications with hard-coded certificate storage like Dropbox do not work when SSL scanning is enabled unless the hosts they contact, such as client.dropbox.com are in the Avast preferences exclusion list.

The problem was encountered in the WebShield part of Avast. I entered an exception for the site in Avast. I still got a problem: Safari can’t verify the identity of online-go.com, the certificate is invalid. Now the image of the bottom-level certificate says it’s valid. Strange.
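Two things in this thread can be shown concretely with openssl on a throwaway chain: the question above of what is tested, where, and by what before a client can answer "is this certificate revoked?" (the check behind net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION), and the re-signing behaviour the Avast help text describes for its TLS-scanning proxy. The script below is an added example written for this page; it is not code from any poster, from OGS, Cloudflare or Avast. It builds a root, an intermediate and a server (leaf) certificate, verifies the leaf with and without revocation data, revokes it, and then models a scanning proxy by re-issuing the same subject under an invented "proxy root". All names (example.test, the CA names) are made up, the proxy model is simplified to the re-signing step only, and it assumes openssl (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example (not from the thread, not Avast's or Cloudflare's code). Builds a
# throwaway root -> intermediate -> leaf chain with openssl, then shows:
#  (a) chain verification with and without revocation data: the "-crl_check" run
#      with no CRL is openssl's equivalent of net::ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
#  (b) a simplified model of a TLS-scanning proxy re-signing the server certificate
#      under its own local root, as the Avast help text describes.
# All names (example.test, the CA names) are invented. Needs openssl on PATH.
set -e
WORK=$(mktemp -d)

# issue NAME ISSUER CN: fresh RSA key + CSR for CN, signed by $WORK/ISSUER.crt
# (self-signed when ISSUER is empty). Extensions for the new cert come from stdin.
issue() {
  name=$1 issuer=$2 cn=$3
  cat > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
subjectAltName=DNS:example.test'

# The three certificates a site presents: trust anchor, intermediate, server leaf.
build_chain() {
  printf '%s\n' "$CA_EXT"   | issue root "" "Example Root CA"
  printf '%s\n' "$CA_EXT"   | issue intermediate root "Example Issuing CA"
  printf '%s\n' "$LEAF_EXT" | issue leaf intermediate "example.test"
}

# verify_cert ANCHOR INTERMEDIATE CERT [openssl verify options]
# Prints openssl's verdict ("<file>: OK" or its error lines) and returns its status.
verify_cert() {
  anchor=$1 mid=$2 cert=$3; shift 3
  if [ -n "$mid" ]; then set -- -untrusted "$WORK/$mid.crt" "$@"; fi
  openssl verify -CAfile "$WORK/$anchor.crt" "$@" "$WORK/$cert.crt" 2>&1
}

# Revocation data for the leaf is a CRL signed by its issuer (the intermediate);
# that is what -crl_check asks for. openssl ca maintains it and needs a small config.
make_crl() {
  : > "$WORK/index.txt"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = issuing
[ issuing ]
database = $WORK/index.txt
certificate = $WORK/intermediate.crt
private_key = $WORK/intermediate.key
default_md = sha256
default_crl_days = 7
EOF
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/intermediate.crl" 2>/dev/null
}

# Put the leaf's serial on the CRL and publish a fresh one.
revoke_leaf() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/intermediate.crl" 2>/dev/null
}

# A scanning proxy holds its own root (placed in the client's trust store at install
# time) and re-issues the server certificate under it: same subject, the proxy's key.
# The chain the browser then validates never touches the site's real CA.
intercept() {
  printf '%s\n' "$CA_EXT"   | issue proxyroot "" "Scanning Proxy Trusted CA"
  printf '%s\n' "$LEAF_EXT" | issue resigned proxyroot "example.test"
}

build_chain
echo "chain, no revocation check:    $(verify_cert root intermediate leaf)"
echo "chain, -crl_check, no CRL:     $(verify_cert root intermediate leaf -crl_check | grep error | head -n 1)"
make_crl
echo "chain, -crl_check, with CRL:   $(verify_cert root intermediate leaf -crl_check -CRLfile "$WORK/intermediate.crl")"
revoke_leaf
echo "same, after leaf is revoked:   $(verify_cert root intermediate leaf -crl_check -CRLfile "$WORK/intermediate.crl" | grep error | head -n 1)"
intercept
echo "re-signed leaf vs. real root:  $(verify_cert root "" resigned | grep error | head -n 1)"
echo "re-signed leaf vs. proxy root: $(verify_cert proxyroot "" resigned)"
```

The middle two runs are the point of the revocation question: a chain can be perfectly valid (first line) and still fail the moment the verifier is told to check revocation and has no CRL to check against ("unable to get certificate CRL"); once a CRL from the leaf's issuer is available the same chain passes, and after revocation it fails with "certificate revoked". The last two runs show why a scanning proxy's root matters: the re-signed certificate is rejected against the site's real root but accepted against the proxy root, so any client that has that root in its trust store sees a valid chain that the proxy, not the site, produced.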