(Resolved) StartSSL OCSP Server Issues

Update: StartSSL’s OCSP responders appear to be up and running again, and are returning correct results.  This issue has been resolved.  If you disabled OCSP in your browser/software, it is safe (and recommended) for you to re-enable it now.

StartSSL, the company/Certification Authority I use to provide the security certificates for LizardNet (and LizardNet-hosted) sites and services, is currently performing some kind of maintenance or service upgrades.  Unfortunately, for whatever reason, this has interrupted their OCSP services, and as such any browser or program that does OCSP validation will report an error when attempting to establish a secure connection.  Firefox is known to be having issues because of this, presenting an error that looks like this:

An error occurred during a connection to domain.name. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

If your web browser gives you this message or a similar one, you can safely ignore the message and instruct your browser to continue to the site anyway.  The process to do this varies based on the browser, and I describe the process for the three most common browsers (Google Chrome, Mozilla Firefox, and Internet Explorer) at the end of this post.  If you’re having trouble establishing a secure connection in software that does not present security errors, for example the Thunderbird email client, you will need to (temporarily) disable OCSP checking entirely (see here for instructions to disable OCSP checking in Thunderbird).

As of this writing, StartSSL estimates that their services will be available again on Tuesday 22 December 2015 at 06:00 UTC.  Only time will tell if they’ll actually have things working again by then.
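To confirm for yourself whether the responder is answering properly again before re-enabling OCSP, you can query it directly. The script below is an added example, not part of the original post: it asks the OCSP responder named in a site's certificate for that certificate's status and reduces the answer to one word, where "unknown" is the condition Firefox reports as sec_error_ocsp_unknown_cert. The function names are hypothetical, and it assumes the openssl command-line tool is installed and that the server sends its issuer certificate second in the chain.

```shell
#!/bin/sh
# Added example: function names are hypothetical; needs the openssl CLI.
# Usage: sh ocsp-check.sh your.host.name

# Reduce the text printed by `openssl ocsp` (read from stdin) to one word:
# good | revoked | unknown | responder-error | no-response
classify_ocsp_output() {
    awk '
        /^Responder Error:/ { s = "responder-error" }
        /: good$/           { s = "good" }
        /: revoked$/        { s = "revoked" }
        /: unknown$/        { s = "unknown" }   # responder has no status for the cert
        END { print (s == "" ? "no-response" : s) }
    '
}

# Fetch the chain a host presents, then query the responder listed in the leaf.
check_ocsp() {
    host=$1
    tmp=$(mktemp -d) || return 1
    # Split the presented chain into cert1.pem (leaf), cert2.pem (issuer), ...
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
            if (/-----BEGIN/) n++
            print > (d "/cert" n ".pem")
        }'
    uri=$(openssl x509 -noout -ocsp_uri -in "$tmp/cert1.pem" 2>/dev/null)
    if [ ! -s "$tmp/cert2.pem" ] || [ -z "$uri" ]; then
        echo "no-response"
    else
        # -noverify: the response signature is not validated here, so treat
        # the result as a responder health check, not as proof of validity.
        openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" \
            -url "$uri" -noverify 2>&1 | classify_ocsp_output
    fi
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then
    check_ocsp "$1"
fi
```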


 

Bypassing certificate errors:

Google Chrome:

  • On the certificate error page, click the small “Advanced” link to the left of the “Back To Safety” button
  • Click the “Proceed to domain.name (unsafe)” link that appears

Mozilla Firefox:

  • On the certificate error page, click the “I Understand the Risks” link
  • Click the “Add Exception…” button
  • Uncheck “Permanently store this exception” if it is checked
  • Click the “Confirm Security Exception” button to proceed

Internet Explorer:

  • On the certificate error page, simply click the “Continue to this website (not recommended)” link.