Revoked SSL certificate Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Come Celebrate our 10 Year Anniversary!SSL Error - unable to read server certificate from fileSSL Certificate Warning with UCC Certificate and Multiple SANsCurl: unable to get local issuer certificate. How to debug?CA certificate trouble with Squid on CentOS7SSL certificate working in chrome but not openssl s_client or curlZevenet Load Balancer - SSL CertificateNginx - Redirect a bunch of domains to a single domain, with SSLFTP over SSL: Verify return code: 21 (unable to verify the first certificate)OpenVPN service, run as root:root instead of nobody:nogroup?Custom Certificate Authority not recognised on Windows server / Cert shows as “self signed”

How to ask rejected full-time candidates to apply to teach individual courses?

Checking IFI enabled on SQL server below 2016

How to break 信じようとしていただけかも知れない into separate parts?

Who can become a wight?

Why did Bronn offer to be Tyrion Lannister's champion in trial by combat?

Protagonist's race is hidden - should I reveal it?

Weaponising the Grasp-at-a-Distance spell

Does the Pact of the Blade warlock feature allow me to customize the properties of the pact weapon I create?

How to keep bees out of canned beverages?

What *exactly* is electrical current, voltage, and resistance?

Is Vivien of the Wilds + Wilderness Reclamation a competitive combo?

Coin Game with infinite paradox

What is the ongoing value of the Kanban board to the developers as opposed to management

Will I be more secure with my own router behind my ISP's router?

Im stuck and having trouble with ¬P ∨ Q Prove: P → Q

How to calculate density of unknown planet?

How to mute a string and play another at the same time

What helicopter has the most rotor blades?

Sorting the characters in a utf-16 string in java

tabularx column has extra padding at right?

Does using the Inspiration rules for character defects encourage My Guy Syndrome?

Why did Europeans not widely domesticate foxes?

"Destructive force" carried by a B-52?

C variable type assert



Revoked SSL certificate



Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)
Come Celebrate our 10 Year Anniversary!SSL Error - unable to read server certificate from fileSSL Certificate Warning with UCC Certificate and Multiple SANsCurl: unable to get local issuer certificate. How to debug?CA certificate trouble with Squid on CentOS7SSL certificate working in chrome but not openssl s_client or curlZevenet Load Balancer - SSL CertificateNginx - Redirect a bunch of domains to a single domain, with SSLFTP over SSL: Verify return code: 21 (unable to verify the first certificate)OpenVPN service, run as root:root instead of nobody:nogroup?Custom Certificate Authority not recognised on Windows server / Cert shows as “self signed”



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








7















We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK



To help handle our webhooks. We've started receiving the exceptions:



PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)


If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:



-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQBHtmc7f0ru/ozCsjsr2YyjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE5MDMyNzAwMDAwMFoXDTIxMDYwMjEy
MDAwMFowgfUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFBheVBhbCwgSW5jLjEYMBYGA1UECxMP
UGFydG5lciBTdXBwb3J0MSwwKgYDVQQDEyNtZXNzYWdldmVyaWZpY2F0aW9uY2Vy
dHMucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKo
k6Zr7AuPwsMwaTfBmv/ECGHU1/hjZ9VAdOBuolrKGql+TZ3NfZsu62Me8sdPuCjJ
R/8KUCJ/FtyFs/gVreg63zDqZLsHLBAR+6OcJR3yOJX1W4Y0ABdMA0i+iZFh/iUx
HHq6CZCnPlS2lvzJaS2UrzJ+mkPhCn1u2NRzys8FSKj/rn9ZLnT7CfgVvzabzobW
GvpHdXk+I3UieKyLkxZxlqJGWKN5KVTbPLU10F7H8RdO0f7deqt3tXT7eHIeEmBQ
6FZUIb3kt6qe4jTugXMqeS4JUiH9mhJTX1bC3PRl2TsnyjqgzKZZNfBXs/3IDHST
RElxn0603HnsWiyxn/ECAwEAAaOCA4AwggN8MB8GA1UdIwQYMBaAFD3TUKXWoK3u
80pgCmXTIdT4+NYPMB0GA1UdDgQWBBSkuNmXUDoHVayujFb0oeloO61qIDAuBgNV
HREEJzAlgiNtZXNzYWdldmVyaWZpY2F0aW9uY2VydHMucGF5cGFsLmNvbTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1Ud
HwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2LXNl
cnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEy
LWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1sAgEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBATCB
iAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwDAYDVR0T
AQH/BAIwADCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHYAu9nfvB+KcbWTlCOX
qpJ7RzhXlQqrUugakJZkNo4e0YUAAAFpvJhEdQAABAMARzBFAiEAprZz2cWH2zV4
lymEVimmwQUTp6QpeVL6ruCjqr45cp8CIHE2SD079OeyVyXzbN6lcCPAQscdF+to
3rLMebtmZ10dAHUAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFp
vJhE0QAABAMARjBEAiAboeCw/qNGNi/bQahj4LxufXCoLVDS7p60HpWwCzvo/gIg
C1MRFVPAjxQ8ZW1445+gO/YXt/mxRr1P2ZTGDaI2RKMAdQCHdb/nWXz4jEOZX73z
bv9WjUdWNv9KtWDBtOr/XqCDDwAAAWm8mEabAAAEAwBGMEQCIHGAUX3fYxOY0Kmf
5cE5rFdoBWkugpku5tdQdaHl3XkUAiBn0TtWXdCi2XC8AX9HsfmkUhNRxt0a4Qrc
aRHA2pEBsDANBgkqhkiG9w0BAQsFAAOCAQEAKstIrA+/RYCmv1tiaRwsnyfMeFa/
9axfNcqy/Ip3h4K9uk2R3h2QpOMm19a5+cdYssBXRULMes2Y7+7iCMSlEKug5lq7
1P3DpVZeqg4kkWvirE39Mrr894z9tuthVuDEkOZ99p8vJhoPWXqURCZNaBGTg7qI
xJh1zxoihRW8XYoP/ToX/wFolQcBU19PF25Sb2zx3aio7Nu6aNEAKWI/zavsDJWk
G5HgJsgsqRA2wJSIonhUL+g/Xpmiz0wrDWcj9py2tO6COUBkYwOPVW7DHm3yU7q7
pa7sNAPF/Rb0oxQMQ1lFwEBEIWaIlgRs34zNteZS3JZudGYjLiBvRGDoNA==
-----END CERTIFICATE-----


If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.



We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?






ssl windows-server-2012-r2 ssl-certificate x509







share|improve this question
























  • Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

    – Sergey Nudnov
    Apr 5 at 12:07












  • ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

    – Sergey Nudnov
    Apr 5 at 12:18

















7















We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK



To help handle our webhooks. We've started receiving the exceptions:



PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)


If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:



-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQBHtmc7f0ru/ozCsjsr2YyjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE5MDMyNzAwMDAwMFoXDTIxMDYwMjEy
MDAwMFowgfUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFBheVBhbCwgSW5jLjEYMBYGA1UECxMP
UGFydG5lciBTdXBwb3J0MSwwKgYDVQQDEyNtZXNzYWdldmVyaWZpY2F0aW9uY2Vy
dHMucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKo
k6Zr7AuPwsMwaTfBmv/ECGHU1/hjZ9VAdOBuolrKGql+TZ3NfZsu62Me8sdPuCjJ
R/8KUCJ/FtyFs/gVreg63zDqZLsHLBAR+6OcJR3yOJX1W4Y0ABdMA0i+iZFh/iUx
HHq6CZCnPlS2lvzJaS2UrzJ+mkPhCn1u2NRzys8FSKj/rn9ZLnT7CfgVvzabzobW
GvpHdXk+I3UieKyLkxZxlqJGWKN5KVTbPLU10F7H8RdO0f7deqt3tXT7eHIeEmBQ
6FZUIb3kt6qe4jTugXMqeS4JUiH9mhJTX1bC3PRl2TsnyjqgzKZZNfBXs/3IDHST
RElxn0603HnsWiyxn/ECAwEAAaOCA4AwggN8MB8GA1UdIwQYMBaAFD3TUKXWoK3u
80pgCmXTIdT4+NYPMB0GA1UdDgQWBBSkuNmXUDoHVayujFb0oeloO61qIDAuBgNV
HREEJzAlgiNtZXNzYWdldmVyaWZpY2F0aW9uY2VydHMucGF5cGFsLmNvbTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1Ud
HwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2LXNl
cnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEy
LWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1sAgEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBATCB
iAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwDAYDVR0T
AQH/BAIwADCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHYAu9nfvB+KcbWTlCOX
qpJ7RzhXlQqrUugakJZkNo4e0YUAAAFpvJhEdQAABAMARzBFAiEAprZz2cWH2zV4
lymEVimmwQUTp6QpeVL6ruCjqr45cp8CIHE2SD079OeyVyXzbN6lcCPAQscdF+to
3rLMebtmZ10dAHUAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFp
vJhE0QAABAMARjBEAiAboeCw/qNGNi/bQahj4LxufXCoLVDS7p60HpWwCzvo/gIg
C1MRFVPAjxQ8ZW1445+gO/YXt/mxRr1P2ZTGDaI2RKMAdQCHdb/nWXz4jEOZX73z
bv9WjUdWNv9KtWDBtOr/XqCDDwAAAWm8mEabAAAEAwBGMEQCIHGAUX3fYxOY0Kmf
5cE5rFdoBWkugpku5tdQdaHl3XkUAiBn0TtWXdCi2XC8AX9HsfmkUhNRxt0a4Qrc
aRHA2pEBsDANBgkqhkiG9w0BAQsFAAOCAQEAKstIrA+/RYCmv1tiaRwsnyfMeFa/
9axfNcqy/Ip3h4K9uk2R3h2QpOMm19a5+cdYssBXRULMes2Y7+7iCMSlEKug5lq7
1P3DpVZeqg4kkWvirE39Mrr894z9tuthVuDEkOZ99p8vJhoPWXqURCZNaBGTg7qI
xJh1zxoihRW8XYoP/ToX/wFolQcBU19PF25Sb2zx3aio7Nu6aNEAKWI/zavsDJWk
G5HgJsgsqRA2wJSIonhUL+g/Xpmiz0wrDWcj9py2tO6COUBkYwOPVW7DHm3yU7q7
pa7sNAPF/Rb0oxQMQ1lFwEBEIWaIlgRs34zNteZS3JZudGYjLiBvRGDoNA==
-----END CERTIFICATE-----


If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.



We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?






ssl windows-server-2012-r2 ssl-certificate x509







share|improve this question
























  • Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

    – Sergey Nudnov
    Apr 5 at 12:07












  • ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

    – Sergey Nudnov
    Apr 5 at 12:18













7












7








7








We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK



To help handle our webhooks. We've started receiving the exceptions:



PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)


If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:



-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQBHtmc7f0ru/ozCsjsr2YyjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE5MDMyNzAwMDAwMFoXDTIxMDYwMjEy
MDAwMFowgfUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFBheVBhbCwgSW5jLjEYMBYGA1UECxMP
UGFydG5lciBTdXBwb3J0MSwwKgYDVQQDEyNtZXNzYWdldmVyaWZpY2F0aW9uY2Vy
dHMucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKo
k6Zr7AuPwsMwaTfBmv/ECGHU1/hjZ9VAdOBuolrKGql+TZ3NfZsu62Me8sdPuCjJ
R/8KUCJ/FtyFs/gVreg63zDqZLsHLBAR+6OcJR3yOJX1W4Y0ABdMA0i+iZFh/iUx
HHq6CZCnPlS2lvzJaS2UrzJ+mkPhCn1u2NRzys8FSKj/rn9ZLnT7CfgVvzabzobW
GvpHdXk+I3UieKyLkxZxlqJGWKN5KVTbPLU10F7H8RdO0f7deqt3tXT7eHIeEmBQ
6FZUIb3kt6qe4jTugXMqeS4JUiH9mhJTX1bC3PRl2TsnyjqgzKZZNfBXs/3IDHST
RElxn0603HnsWiyxn/ECAwEAAaOCA4AwggN8MB8GA1UdIwQYMBaAFD3TUKXWoK3u
80pgCmXTIdT4+NYPMB0GA1UdDgQWBBSkuNmXUDoHVayujFb0oeloO61qIDAuBgNV
HREEJzAlgiNtZXNzYWdldmVyaWZpY2F0aW9uY2VydHMucGF5cGFsLmNvbTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1Ud
HwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2LXNl
cnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEy
LWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1sAgEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBATCB
iAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwDAYDVR0T
AQH/BAIwADCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHYAu9nfvB+KcbWTlCOX
qpJ7RzhXlQqrUugakJZkNo4e0YUAAAFpvJhEdQAABAMARzBFAiEAprZz2cWH2zV4
lymEVimmwQUTp6QpeVL6ruCjqr45cp8CIHE2SD079OeyVyXzbN6lcCPAQscdF+to
3rLMebtmZ10dAHUAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFp
vJhE0QAABAMARjBEAiAboeCw/qNGNi/bQahj4LxufXCoLVDS7p60HpWwCzvo/gIg
C1MRFVPAjxQ8ZW1445+gO/YXt/mxRr1P2ZTGDaI2RKMAdQCHdb/nWXz4jEOZX73z
bv9WjUdWNv9KtWDBtOr/XqCDDwAAAWm8mEabAAAEAwBGMEQCIHGAUX3fYxOY0Kmf
5cE5rFdoBWkugpku5tdQdaHl3XkUAiBn0TtWXdCi2XC8AX9HsfmkUhNRxt0a4Qrc
aRHA2pEBsDANBgkqhkiG9w0BAQsFAAOCAQEAKstIrA+/RYCmv1tiaRwsnyfMeFa/
9axfNcqy/Ip3h4K9uk2R3h2QpOMm19a5+cdYssBXRULMes2Y7+7iCMSlEKug5lq7
1P3DpVZeqg4kkWvirE39Mrr894z9tuthVuDEkOZ99p8vJhoPWXqURCZNaBGTg7qI
xJh1zxoihRW8XYoP/ToX/wFolQcBU19PF25Sb2zx3aio7Nu6aNEAKWI/zavsDJWk
G5HgJsgsqRA2wJSIonhUL+g/Xpmiz0wrDWcj9py2tO6COUBkYwOPVW7DHm3yU7q7
pa7sNAPF/Rb0oxQMQ1lFwEBEIWaIlgRs34zNteZS3JZudGYjLiBvRGDoNA==
-----END CERTIFICATE-----


If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.



We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?






ssl windows-server-2012-r2 ssl-certificate x509







share|improve this question
















We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK



To help handle our webhooks. We've started receiving the exceptions:



PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)


If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:



-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQBHtmc7f0ru/ozCsjsr2YyjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE5MDMyNzAwMDAwMFoXDTIxMDYwMjEy
MDAwMFowgfUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFBheVBhbCwgSW5jLjEYMBYGA1UECxMP
UGFydG5lciBTdXBwb3J0MSwwKgYDVQQDEyNtZXNzYWdldmVyaWZpY2F0aW9uY2Vy
dHMucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKo
k6Zr7AuPwsMwaTfBmv/ECGHU1/hjZ9VAdOBuolrKGql+TZ3NfZsu62Me8sdPuCjJ
R/8KUCJ/FtyFs/gVreg63zDqZLsHLBAR+6OcJR3yOJX1W4Y0ABdMA0i+iZFh/iUx
HHq6CZCnPlS2lvzJaS2UrzJ+mkPhCn1u2NRzys8FSKj/rn9ZLnT7CfgVvzabzobW
GvpHdXk+I3UieKyLkxZxlqJGWKN5KVTbPLU10F7H8RdO0f7deqt3tXT7eHIeEmBQ
6FZUIb3kt6qe4jTugXMqeS4JUiH9mhJTX1bC3PRl2TsnyjqgzKZZNfBXs/3IDHST
RElxn0603HnsWiyxn/ECAwEAAaOCA4AwggN8MB8GA1UdIwQYMBaAFD3TUKXWoK3u
80pgCmXTIdT4+NYPMB0GA1UdDgQWBBSkuNmXUDoHVayujFb0oeloO61qIDAuBgNV
HREEJzAlgiNtZXNzYWdldmVyaWZpY2F0aW9uY2VydHMucGF5cGFsLmNvbTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1Ud
HwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2LXNl
cnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEy
LWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1sAgEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBATCB
iAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwDAYDVR0T
AQH/BAIwADCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHYAu9nfvB+KcbWTlCOX
qpJ7RzhXlQqrUugakJZkNo4e0YUAAAFpvJhEdQAABAMARzBFAiEAprZz2cWH2zV4
lymEVimmwQUTp6QpeVL6ruCjqr45cp8CIHE2SD079OeyVyXzbN6lcCPAQscdF+to
3rLMebtmZ10dAHUAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFp
vJhE0QAABAMARjBEAiAboeCw/qNGNi/bQahj4LxufXCoLVDS7p60HpWwCzvo/gIg
C1MRFVPAjxQ8ZW1445+gO/YXt/mxRr1P2ZTGDaI2RKMAdQCHdb/nWXz4jEOZX73z
bv9WjUdWNv9KtWDBtOr/XqCDDwAAAWm8mEabAAAEAwBGMEQCIHGAUX3fYxOY0Kmf
5cE5rFdoBWkugpku5tdQdaHl3XkUAiBn0TtWXdCi2XC8AX9HsfmkUhNRxt0a4Qrc
aRHA2pEBsDANBgkqhkiG9w0BAQsFAAOCAQEAKstIrA+/RYCmv1tiaRwsnyfMeFa/
9axfNcqy/Ip3h4K9uk2R3h2QpOMm19a5+cdYssBXRULMes2Y7+7iCMSlEKug5lq7
1P3DpVZeqg4kkWvirE39Mrr894z9tuthVuDEkOZ99p8vJhoPWXqURCZNaBGTg7qI
xJh1zxoihRW8XYoP/ToX/wFolQcBU19PF25Sb2zx3aio7Nu6aNEAKWI/zavsDJWk
G5HgJsgsqRA2wJSIonhUL+g/Xpmiz0wrDWcj9py2tO6COUBkYwOPVW7DHm3yU7q7
pa7sNAPF/Rb0oxQMQ1lFwEBEIWaIlgRs34zNteZS3JZudGYjLiBvRGDoNA==
-----END CERTIFICATE-----


If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.



We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?






ssl windows-server-2012-r2 ssl-certificate x509




ssl windows-server-2012-r2 ssl-certificate x509






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 18 at 12:12









womble

86k18146205




86k18146205










asked Apr 5 at 11:51









Tom GullenTom Gullen

934722




934722












  • Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

    – Sergey Nudnov
    Apr 5 at 12:07












  • ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

    – Sergey Nudnov
    Apr 5 at 12:18

















  • Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

    – Sergey Nudnov
    Apr 5 at 12:07












  • ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

    – Sergey Nudnov
    Apr 5 at 12:18
















Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

– Sergey Nudnov
Apr 5 at 12:07






Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

– Sergey Nudnov
Apr 5 at 12:07














ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

– Sergey Nudnov
Apr 5 at 12:18





ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

– Sergey Nudnov
Apr 5 at 12:18










2 Answers
2






active

oldest

votes


















5














As a temporary solution, you could add this certificate to the Trusted People store on your server.



To do so:



  • copy/paste certificate into a .crt file;

  • double click on it from Windows Explorer;

  • select Install Certificate;


  • Store Location: Local Machine;


  • Place all certificates in the following store;


  • Browse and select Trusted People store

No need to block anything on the Firewall.



Attention!



Doing so presents a security risk for your communications! Please apply your due diligence there






share|improve this answer

























  • Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

    – Tom Gullen
    Apr 5 at 13:53






  • 2





    Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

    – Voo
    Apr 5 at 14:11












  • @Voo, thank you. Added a disclaimer to answer

    – Sergey Nudnov
    Apr 5 at 14:27











  • @Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

    – Voo
    Apr 7 at 16:59












  • Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

    – Sergey Nudnov
    Apr 7 at 17:16


















9














This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).



You can test yourself at: https://decoder.link/ocsp



Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.



You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.






share|improve this answer























  • Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

    – Tom Gullen
    Apr 5 at 13:19






  • 2





    Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

    – Sergey Nudnov
    Apr 5 at 13:30











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961681%2frevoked-ssl-certificate%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









5














As a temporary solution, you could add this certificate to the Trusted People store on your server.



To do so:



  • copy/paste certificate into a .crt file;

  • double click on it from Windows Explorer;

  • select Install Certificate;


  • Store Location: Local Machine;


  • Place all certificates in the following store;


  • Browse and select Trusted People store

No need to block anything on the Firewall.



Attention!



Doing so presents a security risk for your communications! Please apply your due diligence there






share|improve this answer

























  • Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

    – Tom Gullen
    Apr 5 at 13:53






  • 2





    Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

    – Voo
    Apr 5 at 14:11












  • @Voo, thank you. Added a disclaimer to answer

    – Sergey Nudnov
    Apr 5 at 14:27











  • @Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

    – Voo
    Apr 7 at 16:59












  • Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

    – Sergey Nudnov
    Apr 7 at 17:16















5














As a temporary solution, you could add this certificate to the Trusted People store on your server.



To do so:



  • copy/paste certificate into a .crt file;

  • double click on it from Windows Explorer;

  • select Install Certificate;


  • Store Location: Local Machine;


  • Place all certificates in the following store;


  • Browse and select Trusted People store

No need to block anything on the Firewall.



Attention!



Doing so presents a security risk for your communications! Please apply your due diligence there






share|improve this answer

























  • Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

    – Tom Gullen
    Apr 5 at 13:53






  • 2





    Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

    – Voo
    Apr 5 at 14:11












  • @Voo, thank you. Added a disclaimer to answer

    – Sergey Nudnov
    Apr 5 at 14:27











  • @Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

    – Voo
    Apr 7 at 16:59












  • Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

    – Sergey Nudnov
    Apr 7 at 17:16













5












5








5







As a temporary solution, you could add this certificate to the Trusted People store on your server.



To do so:



  • copy/paste certificate into a .crt file;

  • double click on it from Windows Explorer;

  • select Install Certificate;


  • Store Location: Local Machine;


  • Place all certificates in the following store;


  • Browse and select Trusted People store

No need to block anything on the Firewall.



Attention!



Doing so presents a security risk for your communications! Please apply your due diligence there






share|improve this answer















As a temporary solution, you could add this certificate to the Trusted People store on your server.



To do so:



  • copy/paste certificate into a .crt file;

  • double click on it from Windows Explorer;

  • select Install Certificate;


  • Store Location: Local Machine;


  • Place all certificates in the following store;


  • Browse and select Trusted People store

No need to block anything on the Firewall.



Attention!



Doing so presents a security risk for your communications! Please apply your due diligence there







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 5 at 14:26

























answered Apr 5 at 13:24









Sergey NudnovSergey Nudnov

1765




1765












  • Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

    – Tom Gullen
    Apr 5 at 13:53






  • 2





    Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

    – Voo
    Apr 5 at 14:11












  • @Voo, thank you. Added a disclaimer to answer

    – Sergey Nudnov
    Apr 5 at 14:27











  • @Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

    – Voo
    Apr 7 at 16:59












  • Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

    – Sergey Nudnov
    Apr 7 at 17:16

















  • Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

    – Tom Gullen
    Apr 5 at 13:53






  • 2





    Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

    – Voo
    Apr 5 at 14:11












  • @Voo, thank you. Added a disclaimer to answer

    – Sergey Nudnov
    Apr 5 at 14:27











  • @Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

    – Voo
    Apr 7 at 16:59












  • Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

    – Sergey Nudnov
    Apr 7 at 17:16
















Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53





Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53




2




2





Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11






Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11














@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27





@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27













@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59






@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59














Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16





Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16













9














This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).



You can test yourself at: https://decoder.link/ocsp



Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.



You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.






share|improve this answer























  • Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

    – Tom Gullen
    Apr 5 at 13:19






  • 2





    Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

    – Sergey Nudnov
    Apr 5 at 13:30















9














This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).



You can test yourself at: https://decoder.link/ocsp



Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.



You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.






share|improve this answer























  • Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

    – Tom Gullen
    Apr 5 at 13:19






  • 2





    Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

    – Sergey Nudnov
    Apr 5 at 13:30













9












9








9







This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).



You can test yourself at: https://decoder.link/ocsp



Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.



You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.






share|improve this answer













This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).



You can test yourself at: https://decoder.link/ocsp



Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.



You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.







share|improve this answer












share|improve this answer



share|improve this answer










answered Apr 5 at 12:11









unNamedunNamed

2267




2267












  • Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

    – Tom Gullen
    Apr 5 at 13:19






  • 2





    Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

    – Sergey Nudnov
    Apr 5 at 13:30

















  • Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

    – Tom Gullen
    Apr 5 at 13:19






  • 2





    Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

    – Sergey Nudnov
    Apr 5 at 13:30
















Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19





Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19




2




2





Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30





Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30

















draft saved

draft discarded
















































Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961681%2frevoked-ssl-certificate%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Adding axes to figuresAdding axes labels to LaTeX figuresLaTeX equivalent of ConTeXt buffersRotate a node but not its content: the case of the ellipse decorationHow to define the default vertical distance between nodes?TikZ scaling graphic and adjust node position and keep font sizeNumerical conditional within tikz keys?adding axes to shapesAlign axes across subfiguresAdding figures with a certain orderLine up nested tikz enviroments or how to get rid of themAdding axes labels to LaTeX figures

Image
Fear of getting stuck on one programming language / technology that is not used in my country Is there a single word describing earning money through any means? Why do we read the Megillah by night and by day? Pre-mixing cryogenic fuels and using only one fuel tank Is the U.S. Code copyrighted by the Government? Should I outline or discovery write my stories? What is this called? Old film camera viewer? Does the expansion of the universe explain why the universe doesn't collapse? Removing files under particular conditions (number of files, file age) Argument list too long when zipping large list of certain files in a folder When a Cleric spontaneously casts a Cure Light Wounds spell, will a Pearl of Power recover the original spell or Cure Light Wounds? Non-trope happy ending? Is it better practice to read straight from sheet music rather than memorize it? Do Legal Documents Require Signing In Standard Pen Colors? Does an advisor owe his/her student anyt...
Read more

Tähtien Talli Jäsenet | Lähteet | NavigointivalikkoSuomen Hippos – Tähtien Talli

Image
RaviurheiluUrheilun kunniagalleriat Suomen HippoksenravihevostenLämminverisiäsuomenhevosiaSuomen raviurheilunBrad de Veluwe Tähtien Talli on vuonna 1995 perustettu Suomen Hippoksen ylläpitämä suomalaisten ravihevosten kunniagalleria. Tähtien Tallissa on toistaiseksi yhteensä 20 hevosta. Lämminverisiä galleriassa on kymmenen ja suomenhevosia kymmenen. Ulkomailla syntyneitä hevosia on mukana kolme. Vaikka Suomen raviurheilun perinteet ulottuvat jo 1800-luvun puolelle, painottuvat Tähtien Tallien valinnat viimeisten 20-30 vuoden aikana kilpailleisiin hevosiin. Viimeisin kunnianosoituksen saanut hevonen on Brad de Veluwe joka liitettiin Tähtien Talliin vuoden 2015 Ravigaalassa. Jäsenet | Reipas vuoden 1958 Kuninkuusraveissa Lahdessa. Passionate Kemp lämminveristen Suomen mestaruuden voittoloimi yllään. Hevonen Kilpailuvuodet Kasvattaja Valinta- vuosi Charme Asserdal 1975–1981 Erik Andersson 1995...
Read more

Do these cracks on my tires look bad? The Next CEO of Stack OverflowDry rot tire should I replace?Having to replace tiresFishtailed so easily? Bad tires? ABS?Filling the tires with something other than air, to avoid puncture hassles?Used Michelin tires safe to install?Do these tyre cracks necessitate replacement?Rumbling noise: tires or mechanicalIs it possible to fix noisy feathered tires?Are bad winter tires still better than summer tires in winter?Torque converter failure - Related to replacing only 2 tires?Why use snow tires on all 4 wheels on 2-wheel-drive cars?

Image
Small nick on power cord from an electric alarm clock, and copper wiring exposed but intact Why do we say “un seul M” and not “une seule M” even though M is a “consonne”? Read/write a pipe-delimited file line by line with some simple text manipulation Free fall ellipse or parabola? Why did the Drakh emissary look so blurred in S04:E11 "Lines of Communication"? A hang glider, sudden unexpected lift to 25,000 feet altitude, what could do this? Planeswalker Ability and Death Timing Which acid/base does a strong base/acid react when added to a buffer solution? Is the 21st century's idea of "freedom of speech" based on precedent? Shortening a title without changing its meaning Man transported from Alternate World into ours by a Neutrino Detector Is it reasonable to ask other researchers to send me their previous grant applications? Find a path from s to t using as few red nodes as possible What difference does it make matching a w...
Read more