[Mod_nss-list] OCSP errors

Kim, Ernest ekim at mitre.org
Thu Aug 20 14:07:16 UTC 2009


>-----Original Message-----
>From: Rob Crittenden [mailto:rcritten at redhat.com]
>Sent: Wednesday, August 19, 2009 5:13 PM
>To: Kim, Ernest
>Cc: mod_nss-list at redhat.com
>Subject: Re: [Mod_nss-list] OCSP errors
>
>Kim, Ernest wrote:
>> Hi all. I was wondering if someone could help me out. I'm trying to use
>> mod_nss with OCSP enabled. I get the following error messages when I do:
>>
>> [Wed Aug 19 15:09:40 2009] [error] Certificate not verified: 'RapidSSL'
>>
>> [Wed Aug 19 15:09:40 2009] [error] SSL Library Error: -8068 The OCSP
>> server has refused this request as unauthorized
>>
>> [Wed Aug 19 15:09:40 2009] [error] Unable to verify certificate
>> 'RapidSSL'. Add "NSSEnforceValidCerts off" to nss.conf so the server can
>> start until the problem can be resolved.
>>
>> I have an SSL certificate for the server issued from RapidSSL. When I do
>> a certutil -V on the certificate, it says the certificate is valid. From
>> the looks of the error message, the RapidSSL certificate is being sent
>> to the OCSP server. Is this what is happening? If so, is there a way I
>> can have this not happen? Thanks. Here is a copy of my nss.conf file:
>

Hi Rob, thanks for your reply.

>The server is validating its own server certificate at startup and that
>request is failing so the server is refusing to start.

I don't understand why this is. With OCSP turned off, I can start my server
using the same RapidSSL certificate for https without having to use the .
Furthermore, when I do a certutil -V on my RapidSSL certificate, it responds
saying that the certificate is valid. Here are the results of my certutil -L
-d...

Server-Cert                                                  u,u,u
Equifax-CA                                                   CT,C,C
alpha                                                        u,pu,u
RapidSSL-CA                                                  CT,C,C
RapidSSL                                                     u,u,u
cacert                                                       CTu,Cu,Cu
ocsp-responder                                               CT,C,C

certutil -V -n RapidSSL -u V comes up with this:

certutil -V -n RapidSSL -u V -d /etc/httpd/alias/
certutil: certificate is valid

>You need to trust the certificate that is signing the OCSP response. I
>didn't see that after a quick look on the RapidSSL site, maybe their
>support can point you to it.

I do trust the certificate; it's the certificate with the nickname
ocsp-responder. It's issued by the DoD.

I appreciate any help you can give me on this. Thanks.

-Ernie
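An added example, written for this archive page and not part of the thread or of mod_nss itself: it reproduces the check mod_nss performs on its own certificate at startup, but from the command line with openssl, so that the responder's own status and the signature check on its response show up as two separate results. The database path and nicknames are taken from the certutil -L listing above; that the server certificate carries an AIA OCSP URL, and that certutil and openssl are on PATH, are my assumptions. The responder status the page's NSS error -8068 reports ("refused this request as unauthorized") is printed by openssl as "Responder Error: unauthorized (6)", status code 6 in the OCSP response-status enumeration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from mod_nss).
# Reproduce the OCSP check mod_nss performs on its own certificate at
# startup, using openssl so the responder's answer is visible directly.
#
# Assumptions (mine, not stated on the page): the NSS database and the
# nicknames are the ones in the certutil -L listing, certutil and openssl
# are in PATH, and the server certificate carries an AIA OCSP URL.

NSSDB=${NSSDB:-/etc/httpd/alias}
SERVER_NICK=${SERVER_NICK:-RapidSSL}
ISSUER_NICK=${ISSUER_NICK:-RapidSSL-CA}
RESPONDER_NICK=${RESPONDER_NICK:-ocsp-responder}

# Export one certificate from the NSS database as PEM ("certutil -L -a").
export_pem() {
    certutil -L -d "$1" -n "$2" -a
}

# Turn the text that "openssl ocsp -resp_text" prints into a one-word
# verdict. The responder-level status ("Responder Error: unauthorized (6)")
# is distinct from the per-certificate status ("file: good" / "revoked"),
# and a failed signature check on the response must win over "good".
classify_ocsp_output() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'Responder Error: unauthorized'; then
        echo responder-unauthorized
    elif printf '%s\n' "$out" | grep -q 'Responder Error:'; then
        echo responder-error
    elif printf '%s\n' "$out" | grep -q 'Response Verify Failure'; then
        echo signer-not-trusted
    elif printf '%s\n' "$out" | grep -q ': revoked'; then
        echo revoked
    elif printf '%s\n' "$out" | grep -q ': good'; then
        echo good
    else
        echo unknown
    fi
}

# Ask the responder named in the certificate's AIA extension. The responder
# certificate is passed with -VAfile, so the signature on the response is
# checked against exactly that certificate, independent of NSS trust flags.
check_ocsp() {
    tmp=$(mktemp -d) || return 1
    export_pem "$NSSDB" "$SERVER_NICK" > "$tmp/server.pem" || return 1
    export_pem "$NSSDB" "$ISSUER_NICK" > "$tmp/issuer.pem" || return 1
    export_pem "$NSSDB" "$RESPONDER_NICK" > "$tmp/responder.pem" || return 1

    url=$(openssl x509 -noout -ocsp_uri -in "$tmp/server.pem")
    if [ -z "$url" ]; then
        echo "no OCSP URL in the AIA extension of $SERVER_NICK" >&2
        rm -rf "$tmp"
        return 1
    fi
    echo "querying $url"

    out=$(openssl ocsp -issuer "$tmp/issuer.pem" -cert "$tmp/server.pem" \
                  -url "$url" -VAfile "$tmp/responder.pem" -resp_text 2>&1)
    printf '%s\n' "$out"
    verdict=$(classify_ocsp_output "$out")
    echo "verdict: $verdict"
    rm -rf "$tmp"
    [ "$verdict" = good ]
}

# Run the live query only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = run ]; then
    check_ocsp
fi
```

Run it as `sh ocsp-check.sh run` (override NSSDB or the nicknames in the environment). The two outcomes to tell apart are: "responder-unauthorized", where the responder at the certificate's AIA URL is itself rejecting the request and no trust flag on the client side changes that answer; and "signer-not-trusted", where the responder did answer but the signature on the response does not verify against the certificate given with -VAfile, which is the case Rob's reply is about. Rerunning without -VAfile shows whether openssl's normal chain building would have trusted the signer on its own.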
