Revoked SSL certificate Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Come Celebrate our 10 Year Anniversary!SSL Error - unable to read server certificate from fileSSL Certificate Warning with UCC Certificate and Multiple SANsCurl: unable to get local issuer certificate. How to debug?CA certificate trouble with Squid on CentOS7SSL certificate working in chrome but not openssl s_client or curlZevenet Load Balancer - SSL CertificateNginx - Redirect a bunch of domains to a single domain, with SSLFTP over SSL: Verify return code: 21 (unable to verify the first certificate)OpenVPN service, run as root:root instead of nobody:nogroup?Custom Certificate Authority not recognised on Windows server / Cert shows as “self signed”

How to ask rejected full-time candidates to apply to teach individual courses?

Checking IFI enabled on SQL server below 2016

How to break 信じようとしていただけかも知れない into separate parts?

Who can become a wight?

Why did Bronn offer to be Tyrion Lannister's champion in trial by combat?

Protagonist's race is hidden - should I reveal it?

Weaponising the Grasp-at-a-Distance spell

Does the Pact of the Blade warlock feature allow me to customize the properties of the pact weapon I create?

How to keep bees out of canned beverages?

What *exactly* is electrical current, voltage, and resistance?

Is Vivien of the Wilds + Wilderness Reclamation a competitive combo?

Coin Game with infinite paradox

What is the ongoing value of the Kanban board to the developers as opposed to management

Will I be more secure with my own router behind my ISP's router?

Im stuck and having trouble with ￢P ∨ Q Prove: P → Q

How to calculate density of unknown planet?

How to mute a string and play another at the same time

What helicopter has the most rotor blades?

Sorting the characters in a utf-16 string in java

tabularx column has extra padding at right?

Does using the Inspiration rules for character defects encourage My Guy Syndrome?

Why did Europeans not widely domesticate foxes?

"Destructive force" carried by a B-52?

C variable type assert

Revoked SSL certificate

Announcing the arrival of Valued Associate #679: Cesar Manara

Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)

Come Celebrate our 10 Year Anniversary!SSL Error - unable to read server certificate from fileSSL Certificate Warning with UCC Certificate and Multiple SANsCurl: unable to get local issuer certificate. How to debug?CA certificate trouble with Squid on CentOS7SSL certificate working in chrome but not openssl s_client or curlZevenet Load Balancer - SSL CertificateNginx - Redirect a bunch of domains to a single domain, with SSLFTP over SSL: Verify return code: 21 (unable to verify the first certificate)OpenVPN service, run as root:root instead of nobody:nogroup?Custom Certificate Authority not recognised on Windows server / Cert shows as “self signed”

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK

To help handle our webhooks. We've started receiving the exceptions:

PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)

If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:

If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.

We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?

edited Apr 18 at 12:12

womble♦

86k18146205

asked Apr 5 at 11:51

Tom Gullen

934722

Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

– Sergey Nudnov
Apr 5 at 12:07

ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

– Sergey Nudnov
Apr 5 at 12:18

add a comment |

We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK

To help handle our webhooks. We've started receiving the exceptions:

PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)

If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:

If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.

We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?

edited Apr 18 at 12:12

womble♦

86k18146205

asked Apr 5 at 11:51

Tom Gullen

934722

Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

– Sergey Nudnov
Apr 5 at 12:07

ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

– Sergey Nudnov
Apr 5 at 12:18

add a comment |

We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK

To help handle our webhooks. We've started receiving the exceptions:

PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)

If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:

If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.

We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?

edited Apr 18 at 12:12

womble♦

86k18146205

asked Apr 5 at 11:51

Tom Gullen

934722

We're using Paypal SDK here:
https://github.com/paypal/PayPal-NET-SDK

To help handle our webhooks. We've started receiving the exceptions:

PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
 at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
 at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)

If we inspect the certificate file at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec we get the file:

If we inspect the X509Chain of this certificate, it's invalid with the error:
FalseChain error: Revoked The certificate is revoked.

We're using Windows Server 2012 R2 Datacenter, is there any way to stop this exception from a server config point of view in any way at all?

ssl windows-server-2012-r2 ssl-certificate x509

edited Apr 18 at 12:12

womble♦

86k18146205

asked Apr 5 at 11:51

Tom Gullen

934722

edited Apr 18 at 12:12

womble♦

86k18146205

asked Apr 5 at 11:51

Tom Gullen

934722

edited Apr 18 at 12:12

womble♦

86k18146205

edited Apr 18 at 12:12

womble♦

86k18146205

edited Apr 18 at 12:12

womble♦

86k18146205

asked Apr 5 at 11:51

Tom Gullen

934722

asked Apr 5 at 11:51

Tom Gullen

934722

asked Apr 5 at 11:51

Tom Gullen

934722

Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

– Sergey Nudnov
Apr 5 at 12:07

ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

– Sergey Nudnov
Apr 5 at 12:18

add a comment |

Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

– Sergey Nudnov
Apr 5 at 12:07

ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

– Sergey Nudnov
Apr 5 at 12:18

Could you copy/paste this certificate in a .crt file, double click on it in Windows Explorer on your server and advise what certificate from a chain has been revoked. I have tested your certificate on my kept up-to-date Windows 10, and it found no problems. Also I tested the CRL list of a CA issued this certificate, and your certificate is not in that list

– Sergey Nudnov
Apr 5 at 12:07

ups, my mistake, checked wrong CRL. Yes the certificate is indeed revoked just recently: ‎Tuesday, ‎April ‎2, ‎2019 4:03:37 PM. PayPal should take care on that

– Sergey Nudnov
Apr 5 at 12:18

add a comment |

2 Answers
2

active

oldest

votes

As a temporary solution, you could add this certificate to the Trusted People store on your server.

To do so:

copy/paste certificate into a .crt file;

double click on it from Windows Explorer;

select Install Certificate;

Store Location: Local Machine;

Place all certificates in the following store;

Browse and select Trusted People store

No need to block anything on the Firewall.

Attention!

Doing so presents a security risk for your communications! Please apply your due diligence there

edited Apr 5 at 14:26

answered Apr 5 at 13:24

Sergey Nudnov

1765

Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53

2

Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11

@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27

@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59

Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16

|
show 2 more comments

This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).

You can test yourself at: https://decoder.link/ocsp

Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.

You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.

answered Apr 5 at 12:11

unNamed

2267

Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19

2

Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30

add a comment |

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961681%2frevoked-ssl-certificate%23new-answer', 'question_page');

);

Post as a guest

Name

Required, but never shown

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

As a temporary solution, you could add this certificate to the Trusted People store on your server.

To do so:

copy/paste certificate into a .crt file;

double click on it from Windows Explorer;

select Install Certificate;

Store Location: Local Machine;

Place all certificates in the following store;

Browse and select Trusted People store

No need to block anything on the Firewall.

Attention!

Doing so presents a security risk for your communications! Please apply your due diligence there

edited Apr 5 at 14:26

answered Apr 5 at 13:24

Sergey Nudnov

1765

Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53

2

Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11

@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27

@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59

Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16

|
show 2 more comments

As a temporary solution, you could add this certificate to the Trusted People store on your server.

To do so:

copy/paste certificate into a .crt file;

double click on it from Windows Explorer;

select Install Certificate;

Store Location: Local Machine;

Place all certificates in the following store;

Browse and select Trusted People store

No need to block anything on the Firewall.

Attention!

Doing so presents a security risk for your communications! Please apply your due diligence there

edited Apr 5 at 14:26

answered Apr 5 at 13:24

Sergey Nudnov

1765

Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53

2

Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11

@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27

@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59

Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16

|
show 2 more comments

As a temporary solution, you could add this certificate to the Trusted People store on your server.

To do so:

copy/paste certificate into a .crt file;

double click on it from Windows Explorer;

select Install Certificate;

Store Location: Local Machine;

Place all certificates in the following store;

Browse and select Trusted People store

No need to block anything on the Firewall.

Attention!

Doing so presents a security risk for your communications! Please apply your due diligence there

edited Apr 5 at 14:26

answered Apr 5 at 13:24

Sergey Nudnov

1765

As a temporary solution, you could add this certificate to the Trusted People store on your server.

To do so:

copy/paste certificate into a .crt file;

double click on it from Windows Explorer;

select Install Certificate;

Store Location: Local Machine;

Place all certificates in the following store;

Browse and select Trusted People store

No need to block anything on the Firewall.

Attention!

Doing so presents a security risk for your communications! Please apply your due diligence there

edited Apr 5 at 14:26

answered Apr 5 at 13:24

Sergey Nudnov

1765

edited Apr 5 at 14:26

answered Apr 5 at 13:24

Sergey Nudnov

1765

answered Apr 5 at 13:24

Sergey Nudnov

1765

answered Apr 5 at 13:24

Sergey Nudnov

1765

Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53

2

Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11

@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27

@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59

Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16

|
show 2 more comments

Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53

2

Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11

@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27

@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59

Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16

Thank you! This has fixed the issue for now. I'll be looking to update to V2 of Paypal's official SDK when it's released.

– Tom Gullen
Apr 5 at 13:53

Great idea. I mean it's well known that Paypal revokes certificates just for fun, so there's absolutely nothing that could go wrong by doing this. If there's really a benign reason why the cert was revoked it'd be nice to mention this. Otherwise this looks like an awful, awful idea. Assuming the certificate was leaked, you just enabled an attacker to MITM your payment infrastructure (and everything else that server ever does) - brilliant.

– Voo
Apr 5 at 14:11

@Voo, thank you. Added a disclaimer to answer

– Sergey Nudnov
Apr 5 at 14:27

@Sergey That disclaimer isn't really saying much. Are you aware that any server you apply this to literally gives the entity that got hold of the paypal certificate the ability to intercept and modify whatever communication that server does? (and it's dealing with payment information no less!) This is a completely irresponsible thing to do on any live system.

– Voo
Apr 7 at 16:59

Yes, I'm aware. Say, I have a private key for this certificate. Can I right now go ahead and intercept Tom's traffic? Maybe not so fast and not so easy. Your comments do provide more to people, which my disclaimer didn't. So we are covered well. If you have your own answer to question asked, you could post it - no problems

– Sergey Nudnov
Apr 7 at 17:16

|
show 2 more comments

This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).

You can test yourself at: https://decoder.link/ocsp

Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.

You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.

answered Apr 5 at 12:11

unNamed

2267

Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19

2

Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30

add a comment |

This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).

You can test yourself at: https://decoder.link/ocsp

Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.

You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.

answered Apr 5 at 12:11

unNamed

2267

Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19

2

Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30

add a comment |

This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).

You can test yourself at: https://decoder.link/ocsp

Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.

You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.

answered Apr 5 at 12:11

unNamed

2267

This is not an error. The certificate has been revoked by the certificate authority (digicert in this case).

You can test yourself at: https://decoder.link/ocsp

Somewhere in your SDK this certificate is used. Or it's presented to you by paypal. So either update your SDK or tell paypal to replace that certificate.

You could disable access to http://ocsp.digicert.com in your firewall to prevent the check of the CRL (certificate revocation list). But this is not a good idea.

answered Apr 5 at 12:11

unNamed

2267

answered Apr 5 at 12:11

unNamed

2267

answered Apr 5 at 12:11

unNamed

2267

answered Apr 5 at 12:11

unNamed

2267

Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19

2

Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30

add a comment |

Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19

2

Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30

Thanks, will update Paypal SDK to pre release candidate to see if that resolves the issue.

– Tom Gullen
Apr 5 at 13:19

Disabling access to http://ocsp.digicert.com won't help anyway. Certificate has been verified by X509Certificate2.Verify method. I tried to set all crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com names to 127.0.0.1 in the hosts file - and it has been returning False. When I imported certificate into the Trusted People store - verification was passed and returned True even with unblocked digicert.com names I listed above

– Sergey Nudnov
Apr 5 at 13:30

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Server Fault!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Trjtdtk

2 Answers
2

Attention!

Your Answer

Post as a guest

2 Answers
2

2 Answers
2

Attention!

Attention!

Attention!

Attention!

Post as a guest

Popular posts from this blog

Luettelo Yhdysvaltain laivaston lentotukialuksista Lähteet | Navigointivalikko

Gary (muusikko) Sisällysluettelo Historia | Rockin' High | Lähteet | Aiheesta muualla | NavigointivalikkoInfobox OKTuomas "Gary" Keskinen Ancaran kitaristiksiProjekti Rockin' High

2 Answers 2

Attention!

Your Answer

Sign up or log in

Post as a guest

Post as a guest

2 Answers 2

2 Answers 2

Attention!

Attention!

Attention!

Attention!

Sign up or log in

Post as a guest

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Popular posts from this blog

Luettelo Yhdysvaltain laivaston lentotukialuksista Lähteet | Navigointivalikko

Gary (muusikko) Sisällysluettelo Historia | Rockin' High | Lähteet | Aiheesta muualla | NavigointivalikkoInfobox OKTuomas "Gary" Keskinen Ancaran kitaristiksiProjekti Rockin' High

2 Answers
2

2 Answers
2

2 Answers
2