SSL – OCSP server suggests trying again later

Tags: ocsp, ssl

I am using Firefox to access my site secured with a free StartSSL certificate. I am sending an HSTS header (though now for testing I have it set to 15 seconds!) and I have enabled OCSP stapling.

Yesterday and this morning StartSSL's OCSP responder was down, and I was (not surprisingly) getting sec_error_ocsp_try_server_later whenever I tried to visit my site.

Now, however, StartSSL has fixed their OCSP responder as far as I can tell, and my site works fine on other local computers (running Windows) with Firefox, but still does not work on my personal computer (running Linux).

If anyone has any insight on this, it would be appreciated; I'm not even sure yet whether the issue is in my Firefox, in Linux, or in some server setting.

Oh, and I am using Apache web server on Linux to serve the site.
And I might as well give you the link.

Best Answer

I got the same message when viewing the site on Firefox.

It seems that the problem occurs when checking the revocation status of the StartSSL Intermediate certificate that was used to sign your certificate. It looks like their OCSP responder at ocsp.startssl.com still isn’t correctly responding to requests.

I used the online SSL server test from Qualys SSL Labs to test your server. When checking the revocation status of StartCom Class 1 Primary Intermediate Server CA, it reports that

OCSP ERROR: Request failed with HTTP status: 500 [http://ocsp.startssl.com/ca]

I also used the OpenSSL s_client diagnostic tool to check your server’s response:

echo | openssl.exe s_client -connect www.grepper.net:443 -CAfile /usr/ssl/certs/ca-bundle.crt -status

The -status option

sends a certificate status request to the server (OCSP stapling). The server response (if any) is printed out.

In your case, the response was:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)

BTW, congratulations on scoring the A in the SSL Labs test. It’s a shame that you configured everything correctly but were let down by external factors outside your control. I had been considering converting some personal sites to use HTTPS (and HSTS) with certificates from StartSSL but I wasn’t aware until now that there was such a critical reliance on the CA’s OCSP responder(s).
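As an added example (not part of the question or the answer above), the following shell script automates the check the answer performed by hand: it runs `openssl s_client -status`, parses the stapled OCSP response, and distinguishes a usable staple (status `successful`, `Cert Status: good`) from a stapled responder error such as `trylater` and from no staple at all. The host name and port are parameters; the three sample outputs embedded in the script are constructed to mirror the answer's `trylater` output and the other two outcomes, not real captures.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or answer: automate the
# `openssl s_client -status` check and classify what the server stapled.

# classify_ocsp_status: read `openssl s_client -status` output on stdin and
# print the OCSP response status (none | successful | trylater | ...), followed
# by the certificate status (good | revoked | unknown) when one is present.
classify_ocsp_status() {
    status=""
    cert_status=""
    while IFS= read -r line; do
        case "$line" in
            *"OCSP response: no response sent"*)
                status="none" ;;
            *"OCSP Response Status:"*)
                # e.g. "    OCSP Response Status: trylater (0x3)" -> "trylater"
                status="${line#*OCSP Response Status: }"
                status="${status%% *}" ;;
            *"Cert Status:"*)
                # e.g. "    Cert Status: good" (only present on a successful response)
                cert_status="${line#*Cert Status: }" ;;
        esac
    done
    if [ -z "$status" ]; then
        status="none"
    fi
    if [ -n "$cert_status" ]; then
        printf '%s %s\n' "$status" "$cert_status"
    else
        printf '%s\n' "$status"
    fi
}

# check_staple: read the same output on stdin, print a verdict, and return
# 0 (usable staple), 1 (nothing stapled), 2 (responder error stapled, the case
# in the answer) or 3 (anything else, including a revoked certificate).
check_staple() {
    result=$(classify_ocsp_status)
    case "$result" in
        "successful good")
            printf 'OK: stapled response is %s\n' "$result"; return 0 ;;
        none)
            printf 'WARN: no stapled response; the client will query the CA responder itself\n'; return 1 ;;
        trylater|internalerror|malformedrequest|sigrequired|unauthorized)
            printf 'FAIL: server stapled a responder error (%s)\n' "$result"; return 2 ;;
        *)
            printf 'FAIL: %s\n' "$result"; return 3 ;;
    esac
}

# live_check HOST [PORT]: run the real probe against a server. -servername
# sends SNI so a name-based virtual host returns the right certificate.
live_check() {
    host=$1
    port=${2:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null | check_staple
}

# Constructed samples (not real captures) mirroring the three outcomes.
SAMPLE_TRYLATER='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================
depth=0 CN = www.example.net
verify return:1'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2014 GMT
    Next Update: Jan  8 00:00:00 2014 GMT
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.net
verify return:1'

# Usage: ./ocsp_staple_check.sh www.example.net [443]
if [ "$#" -gt 0 ]; then
    live_check "$@"
fi
```

Run it as `./ocsp_staple_check.sh your.host.example` and use the exit code in monitoring: a return of 2 is exactly the situation in the question, where the server staples the CA responder's error into the handshake and a client like Firefox rejects it. On the server side this behaviour is configurable in Apache mod_ssl: with the defaults `SSLStaplingReturnResponderErrors on` and `SSLStaplingFakeTryLater on`, Apache passes the responder's error (or a synthesized tryLater) on to clients; setting both to `off` makes Apache staple nothing when the CA's responder is unavailable, so clients fall back to their own OCSP lookup instead of failing the handshake.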