sec_error_ocsp_unknown_cert

All SSL access to hosted websites is currently broken in Firefox and Safari. The problem is that OCSP lookups are failing due to a misconfiguration by StartSSL, the certificate authority providing our SSL certificates. Other browsers are not affected because they have not implemented OCSP lookups. A temporary workaround is to disable the checks. In Firefox:

  1. Enter about:config into the Firefox address bar
  2. Accept the warning
  3. Search for security.ssl.enable_ocsp_stapling
  4. Double-click to change to false

StartSSL does not seem to have any blog or social media presence to indicate status on the outage, but a Twitter search yields a steady stream of corroborations. Hopefully they’ll fix it soon.

UPDATE 2015-04-05 11:45 pm: OCSP is working properly again as of a couple hours ago. Outage/technical problems on StartSSL’s part.

UPDATE 2016-11-26: OCSP responses have had bad signatures for the past two days. I believe this is once again an issue on the StartSSL side. Can be worked around the same way.
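To confirm from the command line that a failure like the two above is on the responder side, the following added example (not part of the original post) classifies the text output of the OpenSSL `ocsp` command. The function names, the file names `leaf.pem` and `issuer.pem`, and the sample outputs are constructed for illustration.

```bash
# Constructed samples of `openssl ocsp` output (not captured from StartSSL).
SAMPLE_UNKNOWN='Response verify OK
leaf.pem: unknown
	This Update: Apr  5 12:00:00 2015 GMT'
SAMPLE_BADSIG='Response Verify Failure
leaf.pem: good
	This Update: Nov 26 12:00:00 2016 GMT'
SAMPLE_GOOD='Response verify OK
leaf.pem: good
	This Update: Apr  6 06:00:00 2015 GMT'

# Query the OCSP responder named in the certificate itself.
# $1 = server certificate (PEM), $2 = its issuer certificate (PEM).
query_ocsp() {
  _url=$(openssl x509 -in "$1" -noout -ocsp_uri) || return 1
  openssl ocsp -issuer "$2" -cert "$1" -url "$_url" -no_nonce 2>&1
}

# Helper: does the captured output contain a line matching the pattern?
_has() { printf '%s\n' "$OCSP_OUT" | grep -Eq "$1"; }

# Read `openssl ocsp` output on stdin and print a single verdict.
classify_ocsp() {
  OCSP_OUT=$(cat)
  # Order matters: openssl still prints a status line when the signature
  # check fails, so an unverifiable response is never reported as "good".
  if   _has '^Responder Error:';        then echo responder-error
  elif _has '^Response Verify Failure'; then echo bad-signature
  elif _has ': unknown$';               then echo unknown-cert
  elif _has ': revoked$';               then echo revoked
  elif _has ': good$' && _has '^Response verify OK'; then echo good
  else echo no-usable-response
  fi
}

# Usage against a live site, with hypothetical file names:
#   query_ocsp leaf.pem issuer.pem | classify_ocsp
```

A verdict of `unknown-cert` or `bad-signature` for a certificate that was just issued points at the CA's responder rather than at the web server.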

www.nerdylorrin.net, mail.nerdylorrin.net, and webdav.nerdylorrin.net have freshly minted certificates signed by the StartSSL Certificate Authority.