My WoSign Free SSL certificate has been revoked suddenly? - Page 2


Comments

  • rokok Member
    edited November 2015

    Ended up turning off stapling in my nginx config.

    Edit: I run 2 vhosts with stapling on both; turning off stapling on 1 host seems to work. Not sure if this is related.

    Thanked by 1Alt
  • Alt Member
    edited November 2015

    @rokok: I've also disabled the OCSP stapling and the websites are reachable with Firefox again.
    Anyway, now Firefox is sending the OCSP request to WoSign by itself: I wonder why it doesn't also block the certificates.

  • @Alt said:
    rokok: I've also disabled the OCSP stapling and the websites are reachable with Firefox again.
    Anyway, now Firefox is sending the OCSP request to WoSign by itself: I wonder why it doesn't also block the certificates.

    It's because the certificates are good. I have tested mine, and it's OK and not revoked.
    Maybe the OCSP responder from WoSign is failing?

  • Dunno, maybe Firefox tries checking whether the same cert using stapling is used on multiple sites. This issue happened only if you have multiple vhosts with stapling enabled on all of them; I have another site running alone with no problem, using the same nginx config.

  • @tdttester nginx (when OCSP stapling is enabled) and Firefox (when stapling is disabled on web server) are accessing the same OCSP responder from WoSign (ocsp6.wosign.com).
    So in both cases we should receive the same "Verify error:certificate has expired" error.

  • @Alt said:
    tdttester nginx (when OCSP stapling is enabled) and Firefox (when stapling is disabled on web server) are accessing the same OCSP responder from WoSign (ocsp6.wosign.com).
    So in both cases we should receive the same "Verify error:certificate has expired" error.

    I think that Firefox is also getting some problems with the OCSP responder, and is using CRL.
    It's a strange issue.

  • teknolaiz Member
    edited November 2015

    Hello fellow WoSign SSL users,

    I think I may have located the reason for this issue with Firefox. Firefox is using OCSP to check the SSL certificate status. The same sites that don't work in Firefox work in Chrome because Chrome is not checking the status via OCSP.

    So I went ahead and wanted to verify that OCSP stapling was really working on my server with the WoSign SSL certificates.

    I used the following three commands:

    # 1. grab the leaf certificate the server presents
    openssl s_client -connect mydomain.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > mydomain.pem
    # 2. grab the certificates the server sends with -showcerts (the issuer is needed to build the OCSP request; -issuer reads the first certificate in the file, so that one must be the issuer of mydomain.pem)
    openssl s_client -connect mydomain.com:443 -showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > chain.pembundle
    # 3. ask the OCSP responder named in the certificate (its AIA OCSP URI) about the certificate
    openssl ocsp -issuer chain.pembundle -cert mydomain.pem -url $(openssl x509 -noout -ocsp_uri -in mydomain.pem)
    

    (Thanks to https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html)

    The status is:

    Error querying OCSP responder
    140325974177424:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=400,Reason=Bad Request
    

    As per SSL Labs and SSLDecoder my certificates are not revoked however. So the server for OCSP verification by WoSign is replying with a 400 error "Bad Request".

    My nginx error log:

    OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:certificate has expired) while requesting certificate status, responder: ocsp6.wosign.com

    So some certificate has expired somewhere in the chain.

    I did a CRL check on Windows with "certutil" and WoSign's CRL reports that my SSL certificate is perfectly fine and not in their revoked list.

    See: http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx

    EDIT: It works now... I can access the site via Firefox again.

    Last EDIT: Nevermind the above edit. Apparently I don't have OCSP stapling enabled now according to SSLLabs and SSLDecoder. I have it enabled on the server according to the Mozilla guide and I have my trusted chain there also. I tried a different chain but whatever. So now apparently I have disabled OCSP stapling.

    Why does SSL have to be so shitty? So much fucking work for secure communication and one thing goes wrong that does not even affect the whole encryption and security the whole shit goes down and the site cannot be accessed.
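The post above shows two different failures that both end in "no stapled response": nginx could not verify the responder's signing chain, and the responder answered HTTP 400. Neither says anything about the site certificate itself, which is what the CRL check confirmed. As an added example (not code from the thread or from any poster), the following Python triages such lines and only reports "revoked" when a real OCSP status says so; the sample lines are constructed from the formats quoted in the post, with constructed timestamps and PIDs.

```python
import re

# Added example, not code from the thread. It triages OCSP failures from the
# two places quoted above (nginx error log and `openssl ocsp` output) and says
# whether a line speaks about the *site* certificate or only about the
# responder. SAMPLE_LINES are constructed from the formats posted above.
SAMPLE_LINES = [
    "2015/11/14 10:02:11 [error] 1234#0: OCSP_basic_verify() failed (SSL: "
    "error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:"
    "Verify error:certificate has expired) while requesting certificate status, "
    "responder: ocsp6.wosign.com",
    "140325974177424:error:27076072:OCSP routines:PARSE_HTTP_LINE1:"
    "server response error:ocsp_ht.c:255:Code=400,Reason=Bad Request",
    "mydomain.pem: good",
]

NGINX_RE = re.compile(
    r"OCSP_basic_verify\(\) failed \(SSL: error:[0-9a-fA-F]+:OCSP routines:"
    r"[^:]+:(?P<reason>[^)]+)\) while requesting certificate status, "
    r"responder: (?P<responder>\S+)")
OPENSSL_RE = re.compile(
    r"error:[0-9a-fA-F]+:OCSP routines:(?P<func>[^:]+):[^:]+:[^:]+:\d+:"
    r"(?P<detail>.*)")
STATUS_RE = re.compile(r"^(?P<subject>\S+): (?P<status>good|revoked|unknown)\b")


def triage(line):
    """Return (category, cert_status, detail) for one line."""
    m = NGINX_RE.search(line)
    if m:
        # nginx fetched a response but could not verify the responder's
        # signing chain (here: an expired certificate). The site certificate's
        # status is unknown; nginx just stops stapling, it does not fail TLS.
        return ("responder_chain_verify_failed", None,
                f"{m['responder']}: {m['reason']}")
    m = OPENSSL_RE.search(line)
    if m:
        # The responder answered with an HTTP error: no OCSP response at all,
        # so again nothing is known about the site certificate.
        return ("responder_http_error", None, m["detail"])
    m = STATUS_RE.match(line)
    if m:
        # Only this kind of line carries a real status for the certificate.
        return ("certificate_status", m["status"], m["subject"])
    return ("unrecognized", None, line)


def certificate_revoked(lines):
    """True only when some line carries a real 'revoked' status; responder
    failures on their own never imply that the certificate was revoked."""
    return any(triage(l)[1] == "revoked" for l in lines)
```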

  • On a test website, I no longer get "OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:certificate has expired) while requesting certificate status, responder: ocsp6.wosign.com" errors since 2015-11-15.

    Not sure I want to reactivate OCSP stapling on my other websites due to the crappy Firefox browser.

  • Alt said: Not sure I want to reactivate OCSP stapling on my other websites due to the crappy Firefox browser.

    Just set your web server daemon to not send OCSP errors on OCSP timeout, and drop your OCSP timeout to something sensible, like 60 seconds.

    Thanked by 1Alt
  • Hello @Rallias and thanks for your answer.
    I'm not sure how I could do that with nginx. Is it by setting "ssl_stapling_verify off;"?
    As OCSP is working now, I can't try a solution.

  • Alt said: Is it by setting "ssl_stapling_verify off;"? As OCSP is working now, I can't try a solution.

    Honestly, I'm not really sure. I've not really touched Nginx for the last half year.
