Comments
Ended up turning off stapling in my nginx config.
Edit: I run 2 vhosts with stapling on both; turning off stapling on 1 host seems to work. Not sure if this is related.
@rokok: I've also disabled the OCSP stapling and websites are reachable with Firefox again.
Anyway, now firefox is sending the OCSP request to WoSign by itself: I wonder why it doesn't also block the certificates.
It's because the certificates are good. I have tested mine, and it's ok, and not revoked.
Maybe the OCSP responder from WoSign is failing?
Dunno, maybe Firefox tries checking whether the same cert with stapling is used on multiple sites. This issue happened only if you have multiple vhosts with stapling enabled on all of them, since I have another site running alone with no problem using the same nginx config.
@tdttester nginx (when OCSP stapling is enabled) and Firefox (when stapling is disabled on web server) are accessing the same OCSP responder from WoSign (ocsp6.wosign.com).
So in both cases we should receive the same "Verify error:certificate has expired" error.
I think that Firefox is also getting some problems with the OCSP responder, and is using CRL.
It's a strange issue.
Hello fellow WoSign SSL users,
I think I may have located the reason for this issue with Firefox. Firefox is using OCSP to check the SSL certificate status. The same sites that don't work in Firefox work in Chrome because Chrome is not checking the status via OCSP.
So I went ahead and wanted to verify that OCSP stapling was really working on my server with the WoSign SSL certificates.
I used the following three commands:
(Thanks to https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html)
The status is:
As per SSL Labs and SSLDecoder my certificates are not revoked however. So the server for OCSP verification by WoSign is replying with a 400 error "Bad Request".
My nginx error log:
So some certificate has expired somewhere in the chain.
I did a CRL check on Windows with "certutil" and WoSign's CRL reports that my SSL certificate is perfectly fine and not in their revoked list.
See: http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx
EDIT: It works now... I can access the site via Firefox again.
Last EDIT: Nevermind the above edit. Apparently I don't have OCSP stapling enabled now according to SSLLabs and SSLDecoder. I have it enabled on the server according to the Mozilla guide and I have my trusted chain there also. I tried a different chain but whatever. So now apparently I have disabled OCSP stapling.
Why does SSL have to be so shitty? So much fucking work for secure communication and one thing goes wrong that does not even affect the whole encryption and security the whole shit goes down and the site cannot be accessed.
On a test website, I no longer have "OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:certificate has expired) while requesting certificate status, responder: ocsp6.wosign.com" errors since 2015-11-15.
Not sure I want to reactivate OCSP stapling on my other websites due to the crappy Firefox browser.
Just set your web server daemon to not send OCSP errors on OCSP timeout, and drop your OCSP timeout to something sensible, like 60 seconds.
Hello @Rallias and thanks for your answer.
I'm not sure how I could do that with nginx. Is it by setting "ssl_stapling_verify off;"?
As OCSP is working now, I can't try a solution.
Honestly, I'm not really sure. I've not really touched Nginx for the last half year.
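An added example, not code from anyone in this thread, that turns the checks discussed in the "Hello fellow WoSign SSL users" post and the later nginx question about ssl_stapling_verify into one offline script: it classifies `openssl s_client -status` output, pulls OCSP_basic_verify failures out of nginx error-log text (the same message quoted above), and audits a server block for the `resolver` and `ssl_trusted_certificate` directives that nginx stapling depends on. The sample s_client output, log lines and server block are constructed, the chain path is a placeholder, and `live_stapling` is the only function that touches the network; it is not called unless you invoke it yourself.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code). All sample inputs
# are constructed; they are not captured from the posters' servers.

# --- 1. Classify the OCSP section of `openssl s_client -status` output -------
# Prints one of: not-stapled, stapled-good, stapled-revoked, stapled-other.
classify_stapling() {
    if printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    elif printf '%s\n' "$1" | grep -q 'Cert Status: good'; then
        echo stapled-good
    elif printf '%s\n' "$1" | grep -q 'Cert Status: revoked'; then
        echo stapled-revoked
    else
        echo stapled-other
    fi
}

# --- 2. Extract OCSP_basic_verify failures from nginx error-log text --------
# Prints "<responder> <openssl reason>" for each failing line.
ocsp_failures() {
    printf '%s\n' "$1" | grep 'OCSP_basic_verify() failed' \
        | sed -n 's/.*Verify error:\([^)]*\)).*responder: \([^ ,]*\).*/\2 \1/p'
}

# --- 3. Audit an nginx server block for stapling prerequisites --------------
# nginx needs a `resolver` to look up the responder hostname when
# `ssl_stapling on`, and `ssl_trusted_certificate` (the issuer chain) when
# `ssl_stapling_verify on`. Prints "stapling-off", "ok", or the missing names.
stapling_config_missing() {
    cfg="$1"
    has() { printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*$1[[:space:]]+$2"; }
    has ssl_stapling on || { echo stapling-off; return 0; }
    missing=""
    has resolver '' || missing="resolver"
    if has ssl_stapling_verify on && ! has ssl_trusted_certificate ''; then
        missing="${missing:+$missing }ssl_trusted_certificate"
    fi
    echo "${missing:-ok}"
}

# --- 4. Live check (uses the network; not run by default) -------------------
# Usage: live_stapling example.com
live_stapling() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null)
    classify_stapling "$out"
}

# Constructed `openssl s_client -status` output with a staple present.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Nov 15 00:00:00 2015 GMT
======================================'
# Constructed output when the server sends no staple at all.
SAMPLE_NOSTAPLE='CONNECTED(00000003)
OCSP response: no response sent'
# Constructed error-log lines modelled on the message quoted in the thread.
SAMPLE_LOG='2015/11/14 10:00:00 [error] 1234#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:certificate has expired) while requesting certificate status, responder: ocsp6.wosign.com
2015/11/14 10:00:05 [notice] 1234#0: signal process started'
# Constructed server block: stapling and verify on, chain present, no resolver.
SAMPLE_CFG='server {
    listen 443 ssl;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;  # placeholder path
}'

# Demo on the constructed samples.
printf 'stapled sample  : %s\n' "$(classify_stapling "$SAMPLE_STAPLED")"
printf 'no-staple sample: %s\n' "$(classify_stapling "$SAMPLE_NOSTAPLE")"
printf 'log failures    : %s\n' "$(ocsp_failures "$SAMPLE_LOG")"
printf 'config audit    : %s\n' "$(stapling_config_missing "$SAMPLE_CFG")"
```

The audit is the piece that answers the ssl_stapling_verify question indirectly: turning verification off only stops nginx from validating the responder's answer, whereas a missing `resolver` means nginx cannot reach the responder at all, and with no staple sent Firefox falls back to asking the responder itself, which is the behaviour the thread observed.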