
I cannot access Wikipedia on both my Macs. macOS says that the intermediate certificate used to sign Wikipedia’s certificate (GlobalSign Organization Validation CA - SHA256 - G2) has been revoked.


I don’t believe that the certificate in question has been revoked, so I manually checked GlobalSign’s CRL and OCSP service, and both tell me that the certificate is OK.

Are there other sources of CRLs that macOS can potentially use? Is there a way to ask Security Framework to tell me what exactly is wrong with the certificate in its opinion?

  • also seeing this for wikipedia / maxcdn / ...
    – Somatik
    Commented Oct 13, 2016 at 14:16
  • I've also encountered this on my Mac (Sierra) when visiting Wikipedia. It works on my iOS device though
    – Panda
    Commented Oct 13, 2016 at 14:58
  • Wikipedia is deploying on all sites a new cert that is unaffected by problems, right now: phabricator.wikimedia.org/T148045
    – pietrodn
    Commented Oct 13, 2016 at 17:38
  • None of the answers below even try to answer the question. All of them try to find a work-around...
    – klanomath
    Commented Oct 14, 2016 at 19:56
  • @klanomath I’d put it this way: everyone is trying to eliminate the consequences knowing the original cause, while the question is how to diagnose the problem.
    – kirelagin
    Commented Oct 15, 2016 at 6:53

5 Answers

41

I tried crlrefresh rp and also manually deleting the OCSP cache with sudo rm /var/db/crls/*cache.db as documented by GlobalSign.

However, the cache seems to be in a different location on macOS 10.12 Sierra. The following command worked for me and resolved the problem:

$ sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM responses WHERE responderURI LIKE "%http://%.globalsign.com/%";'

I also tried deleting the whole database, but it does not seem to come back automatically.

If unsure, better just restore ~/Library/Keychains/*/ocspcache.sqlite3* (including -shm and -wal) from a backup before the OCSP servers started to give wrong replies, for example from yesterday.

  • I'm using macOS Sierra, and this sqlite command fixed the problem for me too. I did not need to logout, or even quit the browser. I did make a backup copy of ocspcache.sqlite3 first.
    – Dan Reese
    Commented Oct 13, 2016 at 17:15
  • This fixed the Wikipedia issue on Safari, but Chrome still blocks me.
    – benr
    Commented Oct 13, 2016 at 17:19
  • The problem does seem to come back occasionally, but re-running that command fixes it again.
    – Dan Reese
    Commented Oct 13, 2016 at 17:20
  • Wow, and by "occasionally", I mean about every few minutes. Maybe that isn't a real fix after all.
    – Dan Reese
    Commented Oct 13, 2016 at 17:23
  • It works for me on Safari and also on Chrome. Chrome needed a restart of the browser.
    – pietrodn
    Commented Oct 13, 2016 at 17:25
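The accepted answer's one-liner deletes cached OCSP responses blind. As an added example (not from the answer's author), here is the same purge done in Python against a constructed copy of the cache: it first lists which responders are cached, backs up the database and any -wal/-shm sidecars the answer warns about, and only then deletes rows. The table name `responses` and column `responderURI` come from the answer's SQL; the second column and the sample rows are assumed/constructed.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Assumed schema: the answer's SQL names table `responses` and column `responderURI`; the blob column is a constructed stand-in.
SCHEMA = "CREATE TABLE IF NOT EXISTS responses (responderURI TEXT, ocspResponse BLOB)"

def build_sample_cache(path: Path) -> None:
    """Create a small constructed cache in the shape the answer's SQL expects."""
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    con.executemany("INSERT INTO responses VALUES (?, ?)", [
        ("http://ocsp2.globalsign.com/gsorganizationvalsha2g2", b"stale"),
        ("http://ocsp.globalsign.com/rootr1", b"stale"),
        ("http://ocsp.example-ca.test/", b"fine"),
    ])
    con.commit()
    con.close()

def cached_responders(path: Path) -> dict:
    """Count cached responses per responder URI, to see what a purge would drop."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT responderURI, COUNT(*) FROM responses GROUP BY responderURI").fetchall()
    con.close()
    return dict(rows)

def purge_responder(path: Path, host_fragment: str) -> int:
    """Back up the cache (plus any -wal/-shm sidecars), then delete matching rows."""
    for ext in ("", "-wal", "-shm"):
        src = path.parent / (path.name + ext)
        if src.exists():
            shutil.copy2(src, path.parent / (src.name + ".bak"))
    con = sqlite3.connect(path)
    # Bound parameter instead of a shell-quoted literal, so quoting cannot go wrong.
    cur = con.execute("DELETE FROM responses WHERE responderURI LIKE ?",
                      (f"%{host_fragment}%",))
    con.commit()
    deleted = cur.rowcount
    con.close()
    return deleted

def demo() -> tuple:
    """Run the flow on a throwaway copy; returns (before, deleted, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "ocspcache.sqlite3"
        build_sample_cache(cache)
        before = cached_responders(cache)
        deleted = purge_responder(cache, ".globalsign.com/")
        return before, deleted, cached_responders(cache)
```

To run it against a real cache, point `purge_responder` at `~/Library/Keychains/<id>/ocspcache.sqlite3` instead of the constructed copy; the `.bak` files let you restore if the purge makes things worse.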
20

Might be this: it seems GlobalSign has a problem with their OCSP. This is taken from their Twitter (https://twitter.com/globalsign/status/786505261842247680?lang=da)

We are currently experiencing issues with our OCSP which is causing certificate warning messages. We aim to fix this as soon as possible.

And also

UPDATE: If you're a MAC user, please clear your cache with crlrefresh rp

or View and/or Delete CRL, OCSP Cache

  • Actually, I have already tried crlrefresh rp and it does not seem to help. Anyway, what I’m looking for is a way to persuade macOS to tell me the exact reason why it thinks that the certificate is bad (be it OCSP or something else).
    – kirelagin
    Commented Oct 13, 2016 at 13:47
  • The impact will likely depend on whether the upstream issues have been resolved?
    – Andre M
    Commented Oct 13, 2016 at 15:18
  • Clearing caches didn't fix the issue for me but at least I have an attribution for the problem.
    Commented Oct 13, 2016 at 16:31
  • There is now a press release of sorts: globalsign.com/en/customer-revocation-error
    Commented Oct 13, 2016 at 20:22
0

Tried the instructions provided by GlobalSign, but they didn't really help me.

sudo rm /var/db/crls/*cache.db didn't actually help because there's another cache file, crlcache2.db, which doesn't match the *cache.db pattern.

My solution was to also remove this file, and then reboot.

sudo rm /var/db/crls/crlcache2.db

I think it's safe to sudo rm /var/db/crls/* because the folder only holds cache files. But if you choose to do it, do it at your own risk.

-1

The Question literally is "Is there a way to ask Security Framework to tell me what exactly is wrong with the certificate in its opinion?" But this is literally what the Security Framework is doing.

MacOS believes that certificate was revoked because an intermediate certificate in its chain of trust was (inadvertently) revoked. See GlobalSign screw-up cancels top websites' HTTPS certificates.

The error message you are seeing is telling you exactly which intermediate certificate was revoked. What more would you want to know?

-3

The other option is to go to a site that you never use that uses GlobalSign, for example (for any English speakers) https://it.wikipedia.org (Italian Wikipedia), and when it comes up saying invalid cert, explicitly trust the GlobalSign certificate until this CF is fixed properly.

  • This is a bad idea, IMO. I always take certificate warnings very seriously and I don't continue. What if OP was being MITM'd and they just blindly clicked through that warning?
    – grooveplex
    Commented Oct 14, 2016 at 8:41
  • Please don't do this. If that certificate is ever revoked for important reasons then your system will ignore that revocation until you delete the explicit trust. Flushing your OCSP cache is a much more effective and secure way to resolve this issue.
    – joshperry
    Commented Oct 14, 2016 at 14:30
