My WoSign Free SSL certificate has been revoked suddenly?

On this very forum (this thread) I found a link to where I could get a multi-domain certificate signed by WoSign for free, signed up for one and have used it on my site for months without issues.

Suddenly, recently it's now listed as 'revoked' (not expired; it's listed as valid until 2017). I've contacted WoSign to ask why this has happened, but I'm just wondering if it's happened to anyone else?

http://www.lowendtalk.com/discussion/41289/free-chinese-2-year-ssl-certificate-dv-kuaissl-by-wosign-com

Comments

  • Weird, mine isn't revoked.

    Typical guy alexneo.net

    Peering AS135103

  • I am having a different problem... The Android mobile default browser and Maxthon... throw an unknown security certificate error

  • Mahfuz_SS_EHLMahfuz_SS_EHL Member, Provider

    @noaman said:
    I am having a different problem... The Android mobile default browser and Maxthon... throw an unknown security certificate error

    Is the certificate chain properly installed? I faced the same problem in CM Browser when there was a chain issue.

    AlphaSSL Revocation Issue is being investigated.

  • rm_rm_ Member

    Just checked mine, not revoked so far (Chinese cert till 8/2018).

  • I have several 3 and 1 year certs and none of them is revoked.

    Weird

    I'm on vacation in Belize.

  • What's the URL? You can use my site to check the full status of the certificate: https://ssldecoder.org/

    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
  • MadMad Member, Provider

    Did you get any reply from them?
    Just to know what exactly happened.

  • Mahfuz_SS_EHLMahfuz_SS_EHL Member, Provider

    @Raymii said:
    What's the URL? You can use my site to check the full status of the certificate: https://ssldecoder.org/

    I sent you an Email once, but didn't get any reply. Probably, 2/3 Months ago !

    AlphaSSL Revocation Issue is being investigated.

  • @Raymii said:
    What's the URL? You can use my site to check the full status of the certificate: https://ssldecoder.org/

    Nice try ;)

    It just went down during the check with a Cloudflare 524 error :P. You better fix that if you want people to use your service.

    Qualys SSL Labs is another alternative to check the SSL setup + certificate status.

    I'm on vacation in Belize.

  • Mine's still valid till 2018.

  • @Hidden_Refuge said:
    It just went down during the check with a Cloudflare 524 error :P. You better fix that if you want people to use your service.

    Which url did you try to test?

    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
  • NyrNyr Member

    Mine isn't revoked for now.

  • @Raymii said:

    My blog hiddenrefuge.eu.org

    I'm on vacation in Belize.

  • @Infinity580 said:
    Hidden_Refuge

    U wot m8?

    Thanked by 1netomx

    I'm on vacation in Belize.

  • @Hidden_Refuge

    Because of the "hidden".

    Thanked by 1netomx
  • It seems to work here: https://ssldecoder.org/results/saved.hiddenrefugeeuorg.1445588680.16fe84a8f5bf0d226a7d839cd139877f.html

    Cert is not revoked, and you do quite well with your settings, Public Key Pinning, OCSP stapling, Strict Transport Security.

    Well done.

    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
  • Just thought I would mention that as of now, you can only get certs which cover a single domain for one year from WoSign, i.e. no more two/three-year certs with multiple domains.

  • rm_rm_ Member
    edited October 2015

    Does not give a percentage or "grade" ranking => the Qualys one is better.

    Thanked by 14n0nx
  • teknolaizteknolaiz Member
    edited October 2015

    @Raymii said:
    It seems to work here: https://ssldecoder.org/results/saved.hiddenrefugeeuorg.1445588680.16fe84a8f5bf0d226a7d839cd139877f.html

    Cert is not revoked, and you do quite well with your settings, Public Key Pinning, OCSP stapling, Strict Transport Security.

    Well done.

    Hmm strange. I don't know why or what happened but when I issued the test on IPv4 domain port 443 the page loaded for a while and went down with a 524 CF error.

    Uhm. Yes, I've a strong setup I'd say. A+ on Qualys SSL Labs server test. HPKP, HSTS, OCSP stapling, strong ciphers, SHA256, TLSv1.1/1.2 only, etc.

    I have my vHost template on Github: https://github.com/hidden-refuge/nginx-conf/blob/master/vhost.conf

    I'm on vacation in Belize.

  • GM2015GM2015 Member
    edited October 2015

    Hope you don't mind me asking, is your template working with wordpress rewrite urls?

    I find that the template config I used from owncloud.org gives me 404s for rewrites. Will test yours and find out regardless.

    Nginx conf.d www.conf works for me on http, but not on https.

    If any of you want a nice link(SEO), just scan your site with Remi's https://ssldecoder.org and https://www.ssllabs.com, then submit your ipv4 and ipv6 result to https://www.google.com/webmasters/tools/submit-url.

    Hidden_Refuge said: Hmm strange. I don't know why or what happened but when I issued the test on IPv4 domain port 443 the page loaded for a while and went down with a 524 CF error.

    Uhm. Yes, I've a strong setup I'd say. A+ on Qualys SSL Labs server test. HPKP, HSTS, OCSP stapling, strong ciphers, SHA256, TLSv1.1/1.2 only, etc.

    I have my vHost template on Github: https://github.com/hidden-refuge/nginx-conf/blob/master/vhost.conf

    Go give Vultr(referral) a try. | GNU/Linux http://debian.org

  • @GM2015 said:
    Hope you don't mind me asking, is your template working with wordpress rewrite urls?

    I find that the template config I used from owncloud.org gives me 404s for rewrites. Will test yours and find out regardless.

    Nginx conf.d www.conf works for me on http, but not on https.

    Yes, Wordpress rewrite works with my configuration.

    Are you sure you set up everything properly? All paths correct?

    I'm on vacation in Belize.

  • @GM2015 said:
    Hope you don't mind me asking, is your template working with wordpress rewrite urls?

    You're not talking about the SSL decoder right now, are you? Because that does no URL rewriting or nice URLs.

    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
  • I asked Hidden_refugee about his config file on github whether it worked with wordpress ssl url rewrites because my config files are throwing 404s for https://mysite.com/some-nice-post, while http without ssl works on different servers.

    I used owncloud's config from https://doc.owncloud.org/server/8.0/admin_manual/installation/nginx_configuration.html and while it works for owncloud, it throws 404s for my development wordpress site on the same vhost, and on a different server I tried to implement it on yesterday.

    Raymii said: You're not talking about the SSL decoder right now, are you? Because that does no URL rewriting or nice URLs.

    Go give Vultr(referral) a try. | GNU/Linux http://debian.org

  • @GM2015

    Reply to my PM if you care/can.

    This code:

            location / {
                try_files $uri $uri/ /index.php?q=$uri&$args;
            }
    

    Is enough for Wordpress to make the permalinks/rewrite URLs work on Nginx. You might have to adjust the actual location. / is the root of the document root for the vHost. If you have your blog in a different folder adjust it to "location /foldername".

    I'm on vacation in Belize.

  • Dammit, anyone having "Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)" on Firefox?

    CEO of PT. Rokok Kopi Internet Tidur Tbk.

  • Me too....

    I can browse this site with other browsers, but Firefox gets a " Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert) "

    Anyone know why this is?

    @rokok said:
    Dammit, anyone having "Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)" on Firefox?

  • Firefox problem -_- this sucks

    CEO of PT. Rokok Kopi Internet Tidur Tbk.

  • tdttestertdttester Member
    edited November 2015

    I'm getting this error on Nginx server:

    OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:certificate has expired) while requesting certificate status, responder: ocsp6.wosign.com

  • rokokrokok Member
    edited November 2015

    Ended up turning off stapling in my nginx config.

    Edit: I run 2 vhosts with stapling on both; turning off stapling on 1 host seems to work. Not sure if this is related.

    Thanked by 1Alt

    CEO of PT. Rokok Kopi Internet Tidur Tbk.

  • AltAlt Member
    edited November 2015

    @rokok: I've also disabled OCSP stapling and the websites are reachable with Firefox again.
    Anyway, now Firefox is sending the OCSP request to WoSign by itself: I wonder why it doesn't also block the certificates.

  • @Alt said:
    rokok: I've also disabled OCSP stapling and the websites are reachable with Firefox again.
    Anyway, now Firefox is sending the OCSP request to WoSign by itself: I wonder why it doesn't also block the certificates.

    It's because the certificates are good. I have tested mine, and it's ok, and not revoked.
    Maybe the ocsp responder from Wosign is failing?

  • Dunno, *maybe Firefox tries checking whether the same cert with stapling is used on multiple sites - this issue happened only if you have multiple vhosts with stapling enabled on all of them - since I've got another site running alone with no problem using the same nginx config.

    CEO of PT. Rokok Kopi Internet Tidur Tbk.

  • @tdttester nginx (when OCSP stapling is enabled) and Firefox (when stapling is disabled on web server) are accessing the same OCSP responder from WoSign (ocsp6.wosign.com).
    So in both cases we should receive the same "Verify error:certificate has expired" error.

  • @Alt said:
    tdttester nginx (when OCSP stapling is enabled) and Firefox (when stapling is disabled on web server) are accessing the same OCSP responder from WoSign (ocsp6.wosign.com).
    So in both cases we should receive the same "Verify error:certificate has expired" error.

    I think that Firefox is also getting some problems with the OCSP responder, and is using CRL.
    It's a strange issue.

  • teknolaizteknolaiz Member
    edited November 2015

    Hello fellow WoSign SSL users,

    I think I may have located the reason for this issue with Firefox. Firefox is using OCSP to check the SSL certificate status. The same sites that don't work in Firefox work in Chrome because Chrome is not checking the status via OCSP.

    So I went ahead and wanted to verify that OCSP stapling was really working on my server with the WoSign SSL certificates.

    I used the following three commands:

    # leaf certificate only
    openssl s_client -connect mydomain.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > mydomain.pem
    # chain as sent by the server, minus the first (leaf) block, so the issuer certificate comes first
    openssl s_client -connect mydomain.com:443 -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' | sed '1,/-----END/d' > chain.pembundle
    # ask the responder named in the leaf's AIA extension about the leaf, using the issuer from chain.pembundle
    openssl ocsp -issuer chain.pembundle -cert mydomain.pem -url $(openssl x509 -noout -ocsp_uri -in mydomain.pem)
    

    (Thanks to https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html)

    The status is:

    Error querying OCSP responder
    140325974177424:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=400,Reason=Bad Request
    

    As per SSL Labs and SSLDecoder my certificates are not revoked however. So the server for OCSP verification by WoSign is replying with a 400 error "Bad Request".

    My nginx error log:

    OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:certificate has expired) while requesting certificate status, responder: ocsp6.wosign.com

    So some certificate has expired somewhere in the chain.

    I did a CRL check on Windows with "certutil" and WoSign's CRL reports that my SSL certificate is perfectly fine and not in their revoked list.

    See: http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx

    EDIT: It works now... I can access the site via Firefox again.

    Last EDIT: Nevermind the above edit. Apparently I don't have OCSP stapling enabled now according to SSLLabs and SSLDecoder. I have it enabled on the server according to the Mozilla guide and I have my trusted chain there also. I tried a different chain but whatever. So now apparently I have disabled OCSP stapling.

    Why does SSL have to be so shitty? So much fucking work for secure communication and one thing goes wrong that does not even affect the whole encryption and security the whole shit goes down and the site cannot be accessed.

    I'm on vacation in Belize.
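The nginx error quoted in the two posts above ("OCSP_basic_verify ... Verify error:certificate has expired") is not about the site certificate at all: nginx validates the certificate that signed the OCSP response, and if that signing certificate has expired the stapled response is rejected even though the leaf's status is "good". The script below is an added example, not code from the thread or from WoSign, that reproduces both outcomes offline with the openssl tool: a throwaway CA issues a server certificate and two delegated OCSP signing certificates (one valid, one already expired), openssl answers a request as the responder with each of them, and then verifies the answers the same way nginx's ssl_stapling_verify does. Every name, serial and file (Demo-Root-CA, mydomain.example, serial 0x1001, index.txt) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces offline the failure nginx
# logged above ("OCSP_basic_verify ... Verify error:certificate has expired"):
# a throwaway CA issues a server cert plus two delegated OCSP signing certs, one
# valid and one already expired; openssl then plays responder and client.
# Every name, serial and file here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:mydomain.example
[ v3_ocsp ]
basicConstraints = CA:FALSE
extendedKeyUsage = OCSPSigning
EOF

# Demo root CA (stands in for the issuing CA; not WoSign's hierarchy).
openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj /CN=Demo-Root-CA -days 365 -sha256 2>/dev/null

# Server certificate with serial 0x1001; the responder database below keys on it.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj /CN=mydomain.example 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 -days 365 \
    -sha256 -extfile demo.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Delegated OCSP signing certificate issued twice from one CSR: ocsp_good.pem is
# valid for a year, ocsp_expired.pem ran out yesterday (-days -1).
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout ocsp.key -out ocsp.csr -subj /CN=Demo-OCSP-Signer 2>/dev/null
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x2001 -days 365 \
    -sha256 -extfile demo.cnf -extensions v3_ocsp -out ocsp_good.pem 2>/dev/null
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x2002 -days -1 \
    -sha256 -extfile demo.cnf -extensions v3_ocsp -out ocsp_expired.pem 2>/dev/null

# Responder database in 'openssl ca' index format: serial 1001 is Valid (not revoked).
printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=mydomain.example\n' > index.txt

# The request a client sends (nginx when it staples, Firefox when nginx does not).
openssl ocsp -no_nonce -issuer ca.pem -cert leaf.pem -reqout req.der >/dev/null 2>&1

# check_ocsp <signer cert>: answer req.der as the responder, signing with the given
# certificate, then verify the answer against the CA the way nginx's
# ssl_stapling_verify (and Firefox) do, and print a one-word verdict.
check_ocsp() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$1" -rkey ocsp.key \
        -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
    out=$(openssl ocsp -no_nonce -issuer ca.pem -cert leaf.pem -respin resp.der \
          -CAfile ca.pem 2>&1 || true)
    if echo "$out" | grep -q 'certificate has expired'; then
        echo expired-signer   # the leaf's status is still "good"; the signer cert failed
    elif echo "$out" | grep -q 'Response verify OK' && echo "$out" | grep -q 'leaf.pem: good'; then
        echo good
    else
        echo other
    fi
}

echo "valid OCSP signing cert:   $(check_ocsp ocsp_good.pem)"
echo "expired OCSP signing cert: $(check_ocsp ocsp_expired.pem)"
```

Run it with `sh` on any machine with the openssl binary; it needs no network. The second run shows why SSL Labs and SSL Decoder could report the WoSign certificates as not revoked while nginx and Firefox still failed: the responder's own signing certificate, not the site certificate, is what the verifier rejects, so disabling stapling only moves the failing check from nginx to whichever browser performs its own OCSP lookup.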

  • On a test website, I haven't had any more "OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:certificate has expired) while requesting certificate status, responder: ocsp6.wosign.com" errors since 2015-11-15.

    Not sure I want to reactivate OCSP stapling on my other websites due to the crappy Firefox browser.

  • RalliasRallias Member, Provider

    Alt said: Not sure I want to reactivate OCSP stapling on my others websites due to crappy Firefox browser.

    Just set your web server daemon to not send OCSP errors on OCSP timeout, and drop your OCSP timeout to something sensible, like 60 seconds.

    Thanked by 1Alt
  • Hello @Rallias and thanks for your answer.
    I'm not sure how I could do that with nginx. Is it by setting "ssl_stapling_verify off;"?
    As OCSP is working now, I can't try a solution.

  • RalliasRallias Member, Provider

    Alt said: Is it by setting "ssl_stapling_verify off;"? As OCSP is working now, I can't try a solution.

    Honestly, I'm not really sure. I've not really touched Nginx for the last half year.
