[Mod_nss-list] OCSP errors
Rob Crittenden
rcritten at redhat.com
Wed Aug 19 21:13:10 UTC 2009
Kim, Ernest wrote:
> Hi all. I was wondering if someone could help me out. I’m trying to use
> mod_nss with OCSP enabled. I get the following error messages when I do:
>
>
>
> [Wed Aug 19 15:09:40 2009] [error] Certificate not verified: 'RapidSSL'
>
> [Wed Aug 19 15:09:40 2009] [error] SSL Library Error: -8068 The OCSP
> server has refused this request as unauthorized
>
> [Wed Aug 19 15:09:40 2009] [error] Unable to verify certificate
> 'RapidSSL'. Add "NSSEnforceValidCerts off" to nss.conf so the server can
> start until the problem can be resolved.
>
>
>
> I have a SSL certificate for the server issued from RapidSSL. When I do
> a certutil –V on the certificate, it says the certificate is valid. From
> the looks of the error message, the RapidSSL certificate is being sent
> to the OCSP server. Is this what is happening? If so, is there a way I
> can have this not happen? Thanks. Here is a copy of my nss.conf file:
The server is validating its own server certificate at startup and that
request is failing so the server is refusing to start.
You need to trust the certificate that is signing the OCSP response. I
didn't see that after a quick look on the RapidSSL site, maybe their
support can point you to it.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/mod_nss-list/attachments/20090819/4d990518/attachment.bin>
More information about the Mod_nss-list
mailing list