Closed Bug 1316342 Opened 8 years ago Closed 8 years ago

SEC_ERROR_REVOKED_CERTIFICATE hides details required to debug the problem

Categories

(Core :: Security: PSM, enhancement)

Version: 52 Branch
Type: enhancement
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 943937

People

(Reporter: grin, Unassigned)

Details

Nightly started to dislike several certs after update, and let's not play naïve here: they're from StartCom. However, one problem is that they still ought to work. An even bigger problem is that the dialog is criminally silent about the actual problem:

    Secure Connection Failed
    An error occurred during a connection to ugyfelkapu.tarr.hu. Peer’s Certificate has been Revoked.
    Error code: SEC_ERROR_REVOKED_CERTIFICATE
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
    Learn more…
    Try Again

1) "Peer’s Certificate" - which one? The host cert, the intermediate or maybe the root? No CN, no serial.
2) It is not possible at that point to actually see what certificate (chain) the site has sent, since at that point the page (dialog) is considered not secure (no certs).
3) There is no information about the specific source of the revocation. Was it OCSP, and if yes, was it cached or retrieved from where? Or was it the super-secret no-information OneCRL*, and how and why and...?
4) The "Learn more" link contains no related information whatsoever; the advanced info button doesn't exist; none of the referenced links are relevant (I have clicked through them).
5) The Try again button is lovely. ;-)

https://www.ssllabs.com/ssltest/analyze.html?d=ugyfelkapu.tarr.hu => Revocation status: Good (not revoked) => Trusted: Yes

That's just an example; several sites observe the same problem.

* as for OneCRL: several blog entries and wiki pages telling me how great it is, how groundbreaking it is, and since sliced bread is ... you got the point. But absolutely zero information was found by _extensive_ searching about:
** how to check a cert against OneCRL
** how to check the source and background of any OneCRL revocation (if I suspect one)
** how to use it if I am not Mozilla, or, if I am not supposed to, this fact being mentioned
Severity: major → enhancement
Status: UNCONFIRMED → NEW
Component: Untriaged → Security: PSM
Depends on: 1311995
Ever confirmed: true
OS: Linux → All
Product: Firefox → Core
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
(In reply to Peter Gervai from comment #0)
> * as for OneCRL: several blog entries and wiki pages telling me how great it
> is, how groundbreaking it is, and since sliced bread is ... you got the
> point. But absolutely zero information was found by _extensive_
> searching about:
> ** how to check a cert against OneCRL
> ** how to check the source and background of any OneCRL revocation (if I
> suspect one)
> ** how to use it if I am not Mozilla, or if I am not supposed to, this fact
> being mentioned

These issues are now at least partly fixed; here is:
https://crt.sh/mozilla-onecrl
which shows what's on it, and information about why. If you want to download it yourself, the URL is:
https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records

Gerv
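The records endpoint Gerv links is what one would match a certificate against to answer the reporter's first question ("how to check a cert against OneCRL"). The following is an added example, not Firefox/PSM or Mozilla code: it pulls the issuer Name and serial number out of a DER certificate with a minimal ASN.1 walker and compares them to OneCRL-style records. It assumes that OneCRL records carry `issuerName` as base64 of the DER-encoded issuer Name (the whole SEQUENCE TLV), `serialNumber` as base64 of the serial's INTEGER content bytes, an `enabled` flag and a `details` object. The certificate and the record list below are constructed inside the block rather than fetched, and the certificate is a truncated TBS containing only the leading fields the walker reads. Entries keyed by subject and public-key hash, and the HTTP fetch itself, are out of scope.

```python
"""Match a DER certificate against OneCRL-style issuerName/serialNumber records.

Added example, not Firefox/PSM code. Assumptions (labelled here and in the lead-in):
  - issuerName   = base64 of the DER-encoded issuer Name (full SEQUENCE TLV)
  - serialNumber = base64 of the INTEGER content bytes of the certificate serial
  - records may carry "enabled" (bool) and "details" (dict)
"""
import base64


def der_tlv(tag, content):
    """Encode one DER TLV. Used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def parse_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, content, index after the TLV)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(cert_der):
    """Walk Certificate -> TBSCertificate; return (issuer Name TLV bytes, serial content bytes)."""
    _, cert_body, _ = parse_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = parse_tlv(cert_body, 0)               # tbsCertificate ::= SEQUENCE
    tag, content, end = parse_tlv(tbs, 0)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        tag, content, end = parse_tlv(tbs, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = content
    _, _, end = parse_tlv(tbs, end)                   # signature AlgorithmIdentifier (skipped)
    start = end
    tag, _, end = parse_tlv(tbs, start)               # issuer Name
    if tag != 0x30:
        raise ValueError("expected issuer Name SEQUENCE")
    return tbs[start:end], serial


def find_revocations(cert_der, onecrl_records):
    """Return the enabled records whose issuerName/serialNumber match the certificate."""
    issuer_der, serial = issuer_and_serial(cert_der)
    issuer_b64 = base64.b64encode(issuer_der).decode()
    serial_b64 = base64.b64encode(serial).decode()
    hits = []
    for rec in onecrl_records:
        if not rec.get("enabled", True):              # assumed field; disabled entries are ignored
            continue
        if rec.get("issuerName") == issuer_b64 and rec.get("serialNumber") == serial_b64:
            hits.append(rec)
    return hits


def build_sample_cert(serial_bytes):
    """Constructed, truncated DER certificate: only the leading TBS fields the walker reads."""
    cn = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03")          # OID 2.5.4.3 (commonName)
                 + der_tlv(0x0C, b"Example Test CA"))          # UTF8String
    issuer = der_tlv(0x30, der_tlv(0x31, cn))                  # Name ::= SEQUENCE OF SET OF AVA
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # version v3
                  + der_tlv(0x02, serial_bytes) + sha256_rsa + issuer)
    return der_tlv(0x30, tbs)


# Constructed OneCRL-style records (not real OneCRL data).
SAMPLE_ISSUER_B64 = base64.b64encode(issuer_and_serial(build_sample_cert(b"\x01"))[0]).decode()
SAMPLE_ONECRL = [
    {"issuerName": SAMPLE_ISSUER_B64, "serialNumber": base64.b64encode(b"\x01\x02").decode(),
     "enabled": True, "details": {"why": "constructed sample: key compromise", "who": "example"}},
    {"issuerName": SAMPLE_ISSUER_B64, "serialNumber": base64.b64encode(b"\x7f").decode(),
     "enabled": False, "details": {"why": "constructed sample: disabled entry"}},
]

if __name__ == "__main__":
    for serial in (b"\x01\x02", b"\x7f", b"\x03"):
        hits = find_revocations(build_sample_cert(serial), SAMPLE_ONECRL)
        print(serial.hex(), "->", [h["details"]["why"] for h in hits] or "not in OneCRL")
```

To run this against the live list, fetch the JSON from the records URL above and pass the record list to `find_revocations`; the endpoint is assumed to wrap the records in a `"data"` array. The block walks only as far as the issuer, which is why a truncated TBS suffices for the sample; a real certificate parses the same way.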
Thanks Gerv. It would be prudent to type "onecrl" into Google and see whether any of the top results should be updated with this information. (The wiki page at the top would be my first bet; I don't have an account and I won't unless I open a bug about its email misconfiguration :)).