Same certificate not verified on one site but is on another
I have a wildcard SSL certificate used to secure a live and test site. With identical code the test site shows fine in Firefox (Windows Version 38.0.5) but the live site will not show and replaces the page with: "Secure Connection Failed
An error occurred during a connection to app.cognisess.com. Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem."
The security details show the certificate as "Verified by: Not specified" in the live site, while test site shows verified by GlobalSign nv-sa
Presumably if it's the same certificate, we shouldn't get an error in one place but not an other. Working fine with no errors on latest Chrome/IE, etc. I've verified there is no mixed-content on the page both manually and via whynopadlock.com.
Live site is https://app.cognisess.com and test site just replace app with testing.
Any ideas? I'd appreciate any help fixing this issue at our end if it's not a bug in the browser.
الحل المُختار
That looks like a problem with OCSP stapling that isn't working properly. The server should support OCSP stapling.
- https://www.ssllabs.com/ssltest/analyze.html?d=app.cognisess.com
- https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
It works if I disable OCSP stapling, but that is not recommended for normal usage.
Read this answer in context 👍 2All Replies (2)
الحل المُختار
That looks like a problem with OCSP stapling that isn't working properly. The server should support OCSP stapling.
- https://www.ssllabs.com/ssltest/analyze.html?d=app.cognisess.com
- https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
It works if I disable OCSP stapling, but that is not recommended for normal usage.
Thanks for pushing me in the right direction. I hadn't thought to check the server cipher set, but by using the set recommended by the IISCrypto tool from Nartac, and rebooted, our live site is working again.