xojo.com OCSP Error

xojo.com cert revocation expired today and shows an error (not trustworthy) in Safari on both iOS and macOS.
(Screenshot #1)

Cross-checked this with SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=xojo.com
(Screenshot #2)

Somebody should check the server cert.

I just checked. That certificate expires January 14th 2020.

The problem is that you are testing xojo.com as opposed to www.xojo.com (which xojo.com automatically redirects to). If you send www.xojo.com to ssllabs, you’ll see that the OCSP failure disappears.

Hi Greg, thank you for your rapid answer. Interestingly, my macOS Safari now works on both xojo.com and your redirection to www. (who is still using www? I am always typing xojo.com), but my iPad still doesn't work and SSL Labs is now showing this:

Screenshot

Of course the cert is valid till January 14th, I am talking about OCSP. Something strange is going on there…

Hello Tomas, I was able to see the original error on the SSL Labs page, then I hit “clear cache” and then that page was not able to get the test done (getting the new screenshot you posted).

Now it is working.

I did a test with www.xojo.com and it was everything ok until I hit “clear cache”, now both have the same error reporting:

    Revocation status Good (not revoked)
    OCSP ERROR: OCSP response expired on Tue Nov 06 09:05:23 UTC 2018

Edit: got an error, cleared cache again and it looks fine now (both, but the test isn’t finished yet)
Edit: Test duration 287.252 seconds for www.xojo.com, xojo.com isn’t finished yet
Edit: Got “unexpected failure” for xojo.com test, trying again

Opening www.xojo.com or xojo.com in a private browser window is taking much longer than usual.

Edit: just finished the test again for xojo.com and no more OCSP error. And opening the webpage is normal again.

I recently moved to a Let’s Encrypt wildcard certificate and ran into this.
What isn’t obvious, is that a wildcard (*.xojo.com) certificate does NOT cover the base domain (xojo.com).
It is possible to add the base domain to the wildcard certificate as an Alternative Name. Then a single certificate will work for the entire domain.
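As an added example (not code from the thread or from Xojo), a small Python script that checks the two things discussed above: whether a certificate's name list actually covers the bare domain, and whether a stapled OCSP response is past its nextUpdate, using the timestamp format SSL Labs printed. All names and times below are constructed sample data.

```python
"""Two offline checks for the issues raised in this thread:
(1) does the certificate's CN/SAN list cover the bare domain (a wildcard
    alone does not), and (2) is a stapled OCSP response still valid?"""
from datetime import datetime, timezone
from typing import Iterable, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' stands for exactly one leftmost label,
    so '*.xojo.com' covers 'www.xojo.com' but NOT 'xojo.com' or 'a.b.xojo.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(hostname: str, names: Iterable[str]) -> bool:
    """True if any Common Name / Alternative Name entry covers hostname."""
    return any(name_matches(n, hostname) for n in names)


def parse_ocsp_time(text: str) -> datetime:
    """Parse the 'Tue Nov 06 09:05:23 UTC 2018' style shown in the SSL Labs
    message (sample values only)."""
    naive = datetime.strptime(text, "%a %b %d %H:%M:%S UTC %Y")
    return naive.replace(tzinfo=timezone.utc)


def ocsp_staple_status(this_update: datetime,
                       next_update: Optional[datetime],
                       now: datetime) -> str:
    """Classify a stapled response relative to `now`:
    'future' (thisUpdate not reached yet, usually clock skew),
    'stale'  (past nextUpdate: the 'OCSP response expired' case above),
    'good'   (inside the validity window)."""
    if now < this_update:
        return "future"
    if next_update is not None and now > next_update:
        return "stale"
    return "good"


if __name__ == "__main__":
    # Constructed: the name list quoted in the thread vs. a wildcard-only cert.
    print(covered_by("xojo.com", ["*.xojo.com", "xojo.com"]))   # True
    print(covered_by("xojo.com", ["*.xojo.com"]))               # False
    staple_end = parse_ocsp_time("Tue Nov 06 09:05:23 UTC 2018")
    print(ocsp_staple_status(parse_ocsp_time("Tue Oct 30 09:05:23 UTC 2018"),
                             staple_end,
                             parse_ocsp_time("Wed Nov 07 12:00:00 UTC 2018")))  # stale
```

A stale staple is a server-side problem (the web server is re-sending a cached OCSP response it should have refreshed), which is why the error cleared on its own once the responder or cache recovered.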

SSL Labs reports this:

Common names: *.xojo.com
Alternative names: *.xojo.com, xojo.com
I think they are covered.

Yep, they are covered. After a couple of hours everything works normally. I assume the cert authority or OCSP responder had an error and could not verify my browsers’ request, so Safari stopped serving the website.