sébastienfromquebec

Q: Invalid Certificate on every secured website

Hi,

I've just updated to 10.7.4 with Safari 5.1.7, and since the update I always get an Invalid Certificate for secured websites:

www.paypal.com
every banking site
etc.

The content is not entirely loaded even if I click "continue".

I don't know if it is related, but I can't install any Extensions in Safari. I had ClickToFlash and 1Password and neither can be reinstalled after the update. I got a message telling me that the extension cannot be installed.

Thank you

MacBook Air, Mac OS X (10.7.4)

Posted on May 10, 2012 12:56 PM

  • by Linc Davis (Level 10, 207,958 points), May 10, 2012 3:06 PM, in response to sébastienfromquebec [Helpful]

    Are the current date (including the year) and time shown on your system clock? If not, correct them and try again.

    Otherwise, launch the Activity Monitor application in any of the following ways:

    Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top).

    In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

    If you’re running Mac OS X 10.7 or later, open Launchpad. Click Utilities, then Activity Monitor in the page that opens.

    Select All Processes from the menu in the toolbar, if not already selected. Enter "ocspd" (without the quotes) in the "Filter" text field. Is a process with that name listed?

    If not, select Go ▹ Go to Folder… from the Finder menu bar. In the text box that opens, enter

    /var/db/crls

    From the folder that opens, move these two files to the Trash:

    crlcache.db
    ocspcache.db

    You’ll be prompted for your administrator password when you do this. Then reboot, empty the Trash, and try again.

    [If this doesn’t work, it’s something like “LittleSnitch” or “Hands Off.” Test in safe mode.]

  • by sébastienfromquebec (Level 1, 0 points), May 11, 2012 5:57 AM, in response to Linc Davis

    Thank you for your reply, but I found that the certificates are "invalid" only when I'm at work (behind an ISA Server proxy). When I tether with my iPhone the certificates are not invalid.

    Is there a communication with servers on the internet to identify and validate enterprise-class certificates?

  • by Linc Davis (Level 10, 207,958 points), May 11, 2012 6:14 AM, in response to sébastienfromquebec

    Yes.

  • by sébastienfromquebec (Level 1, 0 points), May 11, 2012 6:21 AM, in response to Linc Davis

    Do you know where I could find documentation about that protocol?

  • by Linc Davis (Level 10, 207,958 points), May 11, 2012 6:44 AM, in response to sébastienfromquebec
  • by marc from white river junction (Level 1, 0 points), May 11, 2012 6:53 AM, in response to Linc Davis

    Hi Linc,

    I'm experiencing the same issue, but I'm not behind any proxy. The problem first occurred when I updated to OS X 10.7.4 and Safari 5.1.6, and the problem remains after upgrading to Safari 5.1.7. I do not have Little Snitch or anything similar installed. System date and time are correct, and "ocspd" appears in Activity Monitor. I have deleted the two .db files in /var/db/crls as indicated, with no effect. Any ideas?

  • by sébastienfromquebec (Level 1, 0 points), May 11, 2012 7:05 AM, in response to Linc Davis

    It's weird, because since Lion OCSP should be enabled and I never had problems with certificates before 10.7.4. Maybe ocspd and proxy authentication are broken.

  • by Linc Davis (Level 10, 207,958 points), May 11, 2012 9:23 AM, in response to sébastienfromquebec

    It's working for me.

  • by sébastienfromquebec (Level 1, 0 points), May 11, 2012 9:50 AM, in response to Linc Davis

    Are you behind an authenticated proxy?

  • by Linc Davis (Level 10, 207,958 points), May 11, 2012 9:55 AM, in response to sébastienfromquebec

    No.

  • by Mac Admin1 (Level 1, 0 points), May 14, 2012 3:40 AM, in response to sébastienfromquebec

    I have (had) the same issue. Davis was right: ocspd was not running after the update to 10.7.4.

    After performing the suggested steps the issue with Safari disappeared, almost. I still often have to reload the https page because it will not finish loading by itself. But at least I'm not getting the certificate warning anymore.

    However, the certificate warning in Mail.app remains each time I launch it:

    Mail can't verify the identity of exampledomain.com

    I have the required certificates in my keychain and they are set to always trust.

    I have a couple of email addresses hosted on different email servers. Mail.app does not complain about the ones hosted by Gmail, for example, but it does on 2 other email addresses that are hosted by a CommuniGate Pro email server.

    Let me note that this has been happening since updating to 10.7.4; I never had this before on 10.7.1, 10.7.2 or 10.7.3.

  • by Robke (Level 1, 0 points), May 14, 2012 4:27 AM, in response to sébastienfromquebec

    I'm having the same issue. I reset my keychain, removed crlcache.db and ocspcache.db, and rebooted.

    I'm also behind a corporate proxy.

    When I go to mail.google.com I get the 'invalid certificate' sheet: the issuer certificate 'Thawte SGC CA' is marked as valid, but for the certificate 'mail.google.com' it says: 'This certificate has an invalid issuer'.

    This is since the upgrade to 10.7.4, so I guess something broke in the handling of proxy certificates. This is not only happening in Safari, but in most applications which connect via HTTPS (Twitter, Reeder, Google Notifier, …).

    I've submitted this as Bug ID# 11444256.

  • by dbajohn (Level 1, 10 points), May 14, 2012 5:53 AM, in response to sébastienfromquebec

    Same problem with a slight twist. The error message in the invalid certificate is "This certificate cannot be used (unsupported key length)." Very annoying, as I'm at work and cannot access some critical sites using Chrome. Some work in Safari. I cannot figure out a pattern of why one site works and another does not. This definitely is related to the OS X 10.7.4 upgrade, as I was working on some of these sites before upgrading this morning.

    Any help would be appreciated.

  • by sébastienfromquebec (Level 1, 0 points), May 14, 2012 6:00 AM, in response to Robke

    I will wait for an update on your service request.

    In the meantime I will request a modification in the ISA Server to accept anonymous access to the major OCSP and CRL URLs.

    I think ocspd doesn't understand the proxy authentication anymore. Little Snitch shows me ocspd trying to connect to the proxy.
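The checks Linc Davis walks through in Activity Monitor and the Finder (clock, an `ocspd` process, the two cache files under `/var/db/crls`), plus the authenticating-proxy explanation the later replies arrive at, as a shell diagnostic. This is an added example, not a script from the thread or from Apple; the function names are ours, and the checks take their inputs as arguments so each one can be exercised on constructed data.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread or from Apple). CRL_DIR is the
# revocation cache directory named in the thread; function names are ours.
CRL_DIR="${CRL_DIR:-/var/db/crls}"

# True when a process named ocspd appears in a `ps -axo comm` style listing.
# macOS prints the full path (/usr/sbin/ocspd), Linux just the name, so match both.
ocspd_in_listing() {
    printf '%s\n' "$1" | grep -qE '(^|/)ocspd$'
}

# Print whichever of the two revocation cache files exist under the given directory.
revocation_caches() {
    for f in crlcache.db ocspcache.db; do
        [ -e "$1/$f" ] && printf '%s\n' "$1/$f"
    done
    return 0
}

# A clock set far in the past makes every certificate look not-yet-valid; the
# system year must be no earlier than the baseline year passed in.
clock_plausible() {
    [ "$1" -ge "$2" ]
}

# Combine the checks into the thread's remedies. Args: process listing, system
# year, cache directory. The 2012 baseline is the year Lion 10.7.4 shipped.
diagnose() {
    listing="$1"; year="$2"; dir="$3"
    if ! clock_plausible "$year" 2012; then
        echo "clock: system year $year is implausible; correct date and time, then retry"
    elif ! ocspd_in_listing "$listing"; then
        caches=$(revocation_caches "$dir" | tr '\n' ' ')
        echo "ocspd: not running; caches present: ${caches:-none}. Move them to the Trash, reboot, retry"
    else
        echo "ocspd: running; if failures follow one network, suspect an authenticating proxy blocking its revocation fetches"
    fi
}

# Stand-alone run against the live system (read-only; it only reports).
diagnose "$(ps -axo comm)" "$(date +%Y)" "$CRL_DIR"
```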