On 2006-11-28 at 08:08 +0000, Robert Rothenberg wrote:
> There's no option to ignore the error and use it anyway, but then again,
> it's nothing to do with the server.   This is Thunderbird's coy way of
> telling you that there are some expired certificates that should be removed.

Related hate -- Firefox's certificate caching.

You click on a .crt, it offers to install the .crt.  Sounds simple,
right?  Except that it manages to cache that .crt somewhere and never
bothers to check back with the server to see if the cert there is newer.
No If-Modified-Since, nothing.

If you've changed the CA cert on the webserver, you need to delete the
cert in Firefox, blank disk and memory caches, AND shut down the browser
(all running instances); only then can you start a new browser and have
it actually get the file on the server when you click on a .crt.

This was how I got introduced to the serial-number-reuse complaint a
year or so ago -- "But I've deleted the old one and installed the new
one, you stupid PoS!  See?  Oh, wait, WTF is that the old expiry date",
followed by discovering the above broken caching behaviour.

-Phil

Reply via email to