I just renewed my certificate on https://wemarsh.com/ . After I thought I had everything working I did some online SSL tests, just as a routine check that everything is configured properly. Some of them passed with no problem, but one had some problems related to the OCSP. I don't want to give too many configuration specifics for obvious reasons, but I am running Apache and have a Comodo multi-domain certificate.

Here are some snippets of my virtualhost configuration:

...
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache "shmcb:/var/run/ocsp(128000)"
...

<VirtualHost 50.116.58.63:443>
...
  ServerName  www.wemarsh.com
  ServerAlias wemarsh.com

  SSLEngine on
  SSLCertificateFile PATH_TO_CERT.crt
  SSLCertificateKeyFile PATH_TO_CERT.key
  SSLCertificateChainFile PATH_TO_CERT.ca-bundle
...
</VirtualHost>

I ran https://www.ssllabs.com/ssltest . Under certification paths, it lists 2 paths. The first item on each has the following error:

OCSP ERROR: Request failed with OCSP status: 6
[http://ocsp.comodoca.com] 

Under protocol details:

OCSP stapling   Yes

What is the problem here? How can I fix these errors in the report?

Thanks.

Eric Marsh
    You should have been warned that it would take a few hours for your certificate to be sent to the OCSP responder. Wait 24 hours from the time you renewed and try again. – Michael Hampton Oct 24 '15 at 17:25
  • Wow, I did check again this morning before writing this but I guess it had still not updated. I didn't realize it took so long. It does seem to work now. – Eric Marsh Oct 24 '15 at 17:43

1 Answer

Thanks to the comment from Michael Hampton, I ran the ssllabs test again and the problem is fixed. It turns out I didn't wait long enough for the certificate to be sent to the OCSP responder.

Michael says 24 hours is suggested. In reality, mine worked sometime in less than maybe 15 hours, in case that is useful info for anybody else.

Eric Marsh
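As an added example (not from the question or the answer above), a small POSIX shell script that covers the two things SSL Labs reported separately: whether the server itself staples a response ("OCSP stapling: Yes") and what the CA responder returns when asked directly ("OCSP status: 6", which RFC 6960 names "unauthorized"). It assumes the openssl command-line tool is installed; the two live functions need network access and, for the responder query, the leaf and issuer certificates as PEM files.

```shell
#!/bin/sh
# Added example, not part of the original question or answer. Assumes the
# openssl command-line tool; the two live checks also need network access.

# Name for an OCSPResponseStatus code (RFC 6960, section 4.2.1). SSL Labs'
# "OCSP status: 6" is "unauthorized": the responder does not (yet) know the
# certificate, which is what a freshly issued renewal looks like to it.
ocsp_status_name() {
  case "$1" in
    0) echo "successful" ;;
    1) echo "malformedRequest" ;;
    2) echo "internalError" ;;
    3) echo "tryLater" ;;
    5) echo "sigRequired" ;;
    6) echo "unauthorized" ;;
    *) echo "unknown" ;;
  esac
}

# Parse `openssl s_client -status` output from stdin. Prints "not-stapled"
# or "stapled:<status text>", e.g. "stapled:successful (0x0)".
stapling_result() {
  awk '
    /^OCSP response: no response sent/ { print "not-stapled"; found = 1; exit }
    /OCSP Response Status:/ { sub(/.*OCSP Response Status: */, "")
                              print "stapled:" $0; found = 1; exit }
    END { if (!found) print "not-stapled" }'
}

# Parse `openssl ocsp` output from stdin. Prints the responder error name
# (e.g. "unauthorized") or the certificate status: good, revoked or unknown.
responder_result() {
  awk '
    /^Responder Error:/ { print $3; found = 1; exit }
    /^[^ ]+: (good|revoked|unknown)$/ { print $2; found = 1; exit }
    END { if (!found) print "no-result" }'
}

# Live: what does the server for hostname $1 staple? (the "OCSP stapling" row)
check_stapling() {
  printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status \
    2>/dev/null | stapling_result
}

# Live: ask the responder directly (the "certification paths" rows).
# $1 leaf cert PEM, $2 issuer cert PEM, $3 responder URL from the cert's AIA.
check_responder() {
  openssl ocsp -issuer "$2" -cert "$1" -url "$3" 2>/dev/null | responder_result
}
```

A server can staple a cached "successful" response while SSL Labs' own direct query still gets "unauthorized" for a just-issued certificate, so running both checks tells you which side is lagging.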