20161013 - Resolved - "There’s a problem with this website’s security certificate" errors

We are currently receiving reports of "There’s a problem with this website’s security certificate" when trying to access many of our web sites

Updates to follow as more information becomes available.


Updates:

  • 2016/10/13 11:00 PM CT: This problem appears to be due an issue with OSCP at GlobalSign. They have suggested trying to clear your OSCP/CRL cache using the following instructions:View and/or Delete CRL, OCSP Cache. GlobalSign is posting updates on this issue to their GlobalSign (@globalsign) | Twitter
  • 2016/10/13 11:50 PM CT: We just received the following from GlobalSign:
    • Dear Valued GlobalSign Customer,

      As most of you are aware, we are experiencing an internal process issue (details below) that is impacting your business. While we have identified the root-cause, we deeply apologize for the problems this is causing you and wanted to ensure you that we are actively resolving the issue.

      GlobalSign manages several root certificates and for compatibility and browser ubiquity reasons provides several cross-certificates between those roots to maximize the effectiveness across a variety of platforms. As part of a planned exercise to remove some of those links, a cross-certificate linking two roots together was revoked. CRL responses had been operational for 1 week, however an unexpected consequence of providing OCSP responses became apparent this morning, in that some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.

      GlobalSign has since removed the cross-certificate from the OCSP database and cleared all caches. However, the global nature of CDNs and effectiveness of caching continued to push some of those responses out as far as end users. End users cannot always easily clear their caches, either through lack of knowledge or lack of permission. New users (visitors) are not affected as they will now receive good responses.

      The problem will correct itself in 4 days as the cached responses expire, which we know is not ideal. However, in the meantime, GlobalSign will be providing an alternative issuing CA for customers to use instead, issued by a different root which was not affected by the cross that was revoked, but offering the same ubiquity and does not require to reissue the certificate itself.

      We are currently working on the detailed instructions to help you resolve the issue and will communicate those instruction to you shortly.

      Thank you for your patience.

      Lila Kee
      Chief Product Officer
      GMO GlobalSign

  • 2016/10/13 14:00 PM CT: We just received the following from GlobalSign:
    • Dear Valued GlobalSign Customer,

      In follow up to our earlier email communication describing the issue you are experiencing with your GlobalSign certificates, our engineering and support staff have put together a troubleshooting guide that will help you resolve the certificate revocation error. We will continue to update this troubleshooting guide as new updates are added.

      OCSP Revocation errors - troubleshooting guide: https://support.globalsign.com/customer/portal/articles/2599710-ocsp-rev...

      If you continue to have issues, we welcome you to open a support ticket here: https://support.globalsign.com/customer/portal/emails/new

      Thank you as we continue to work to resolve this issue. We will communicate additional updates with you.

      Lila Kee
      Chief Product Officer
      GMO GlobalSign

  • 2016/10/13 20:15 PM CT: GlobalSign has just released a new AlphaSSL CA - SHA256 - G2 intermediate certificate. We are now in the process of deploying this intermediate certificate to the affected systems.
  • 2016/10/17 15:30 PM CT: At this time, both the orginal GlobalSign intermediate certificate and the newly issued GlobalSign intermediate certificates are working as expected. This issue shoudl now be resolved.

We appreciate your patience during this work and welcome any feedback. Thank you for being a ETRN customer. Please contact us if you have any questions.

We Answer Your Questions: FAQ

Q: What is the maximum e-mail attachment size?

A: The ETRN.com e-mail servers do not limit the size of individual e-mail attachments. The ETRN.com e-mail servers do impose a 400 MB maximum total message size limit. Individual customers can choose a smaller message size limit. We can also customize the handling of "over-sized" e-mails. Please contact us to discuss your specific needs. A couple of important facts:

1. Attachments are typically encoded in what is called Base64[1]. As a result, the actual length of MIME-compliant Base64-encoded binary data is usually about 137% of the original file size.

2. E-mails often contain both plain text and HTML components. This also increases the overall size of the e-mail.