This content has been marked as final. Show 71 replies
Use Chrome, Firefox & IE occasionally
I get this error message every time I boot my computer before any user activity. As a non-technical user I have absolutely no idea what to do. My Java is up to date, but not automatically - I resnet arrogant behaviour by pieces of code, especially when I am trying to use the computer as a tool :-)
Any updates to this issue that has plagued millions of computers since March of 2012?
Apparently not, the bug is still open. Now you can assume at least two things:
- Oracle is evil, they don't care, bla bla bla
- Its actually not as easy as you want it to be to solve this
Its a personal choice, but if you are inclined to go down a negative route you may want to ask yourself what you're still doing here. Other huge multinationals handle this stuff soooo much better and faster, better go use their free tech.
Well, Java 7 update 7 came out in the last day or so to close a gaping security hole that Oracle knew about for months, depending upon who you believe. At least they didn't wait until their scheduled drop date of October.
Here's to hoping it's fixed...
Thanks for the heads up! No need to hope, just check the release notes:
For those of you still getting the error message: "Revocation information for the security certificate for this site is not available. Do you want to proceed?" whenever the java updater runs, I managed to get it fixed on my system. Obviously I didn't want to turn off revocation verification in my browser or in the Java settings (This is a bad idea, all the people saying to do this all around the web are morons). I tried installing the javadl-esd.secure.oracle.com certificate, but it still wasn't working. The revocation information was all there, but when I viewed the certificate, IE/Windows was still saying it did not have enough information to verify the certificate.
However, if you simply open IE, put this URL into the location bar: http://crt.usertrust.com/USERTrustLegacySecureServerCA.crt and install the certificate (Let it pick the store automatically, it will properly install it as an intermediate certificate, which it is), Windows is able to verify the javadl-esd.secure.oracle.com certificate as it now has its issuer's certificate (USERTrust Legacy Secure Server CA) and can link the certificate all the way back to the Ensign root CA.
The updater will no longer nag you every time it runs.
I've had a quick glance through and no-one seems to have noticed this yet. The issue is that the site usertrust.com is not listed on any DNS servers. I've performed an nslookup using my ISP and googles public DNS servers and neither one have a listing. As a result the crl distribution point cannot be contacted and as such the error occurs.
The issue is ...No it isn't. There is nothing in this thread that requires access to usertrust.com. The site required is crt.usertrust.com, which is indeed accessible. Click the last link above your post for example.
sorry that was a typo on my part should have read crl.usertrust.com, I'm not entirely sure where you guys are getting the crt.usertrust.com from though I see that does resolve. When I looked at the certificate that was presented on my system that 3rd character was definitely an L not a T perhaps this is the issue then? the certificate has an incorrect character on that line?
It's not an incorrect character in the certificate. The URL in the certificate is pointing to the revocation list for that certificate's issuing authority. The crt address is pointing you to their certificate server so that you can download the certificate with which the java download server's certificate is signed. Two different, but in this case related, things.
When Windows processes an SSL certificate, what happens is that it checks to see if the signature on the certificate matches its issuer's key, and then checks the issuer's certificate, on up to the root authority in the certificate chain (And if that root isn't in your trusted roots list, it's considered invalid). But Windows (And any other sane SSL implementation) then checks the revocation list for that issuer, to see if the issuer has revoked that certificate. If a certificate becomes compromised, it is revoked before its expiration so that no one can use it to fraudulently get your computer to trust them. This is done by placing the certificate on the revocation list (The crl in that URL is essentially an abbreviation of Certificate Revocation List).
So what the system is telling you is that it can't tell whether or not the certificate has been revoked. The thing is, that revocation list is accessible (At least, I can reach it), but for some reason, although the certificate for the issuer "USER Trust Legacy Secure CA" (CA stands for Certificate Authority btw) is valid and signed by Entrust, it's not being retrieved properly. That means that Windows can't verify the validity of the revocation list because it can't verify the certificate and... Well, the point is, if you install that certificate, Windows can now find it, check that it's signed by Entrust (Which is on the default Windows trusted root authorities list), that it hasn't been revoked by Entrust (It hasn't), and can then process the certificate for the java download server properly.
Everything works, and you haven't horribly compromised your system by turning off revocation checks. Because that could conceivably leave you vulnerable to asshats using old diginotar--a former root authority that has been blacklisted by everyone for very, very good reasons--certificates and such.
Today I experienced the same problem. On my machine is Win 7 64 bit with JRE 6u37. I didn't have this problem with version JRE 6u31 or any previous version, actually I see this problem for the first time. Message appeared after booting Windows. As I see this problem is older than half a year and real solution is not found. Is problem caused on UserTrust side or on Oracle side with JRE?
It seems to me that the real solution was implemented by Oracle in August as posted above.