On 1 April 2015 at 13:19, Stephen Farrell <[email protected]> wrote:
>
> And in a happy ending for this thread, when I whacked in the new cert today it all worked.
>
> Interestingly, there was a point where it was fine in all but one browser - that lasted an hour or so before they were all ok, not quite sure why, but there's clearly more going on with ocsp caching than I know about;-)

Are you sure it wasn't the intermediate problem you were originally investigating?

> S.
>
> On 31/03/15 16:11, Stephen Farrell wrote:
>>
>> So today I was updating a web server cert as I do a few times a year. And I have a usability story to tell...
>>
>> I got the new cert and installed it in apache without any Cullen-like problems:-) That cost me €0.00 in payment and about 5-10 minutes. All good so far.
>>
>> Chrome was happy, but FF/opera/my phone weren't.
>>
>> I then messed about for 30 minutes checking to see if a new intermediate cert was needed etc. (i.e. I was back to Cullen-mode:-)
>>
>> Turns out after a bit of searching, I'd installed the new cert too soon, and when I tested it, a "dunno" OCSP response was sent before the responder had seen the new cert and that OCSP response has now been cached for some unknowable (to me) number of hours in who-knows-what places. And that caching behaviour has changed since the last time I got a cert from the same provider a few months ago. So I reverted my apache to the old cert and will try to install the new cert again tomorrow.
>>
>> That's exactly the kind of thing I'd love to see fixed with acme and that is not handled by CMP, CMC, PKCS#10, EST or SCEP. At least I don't believe there's a standard way of getting the right thing to happen with those without some proprietary extension/surroundings.
>>
>> And one big reason CMP etc don't support that is that we didn't have that requirement when we had the big fight that led to CRMF back nearly 20 years ago. (Since OCSP didn't exist then and we didn't know how folks would be updating web servers, and we're much more intolerant of Cullen-like messing about being needed these days, and rightly so.)
>>
>> I would like acme defined so that when I get the cert back all the PKI stuff has happened already and is working. I'm sure some other semantics could also work out, (e.g. if acme had a "ready-yet?" query I could emit after getting the cert), but those are the kind of problems we're currently facing that are killers and that we can address, now that we know the deployment requirements much better than we did in 1996.
>>
>> I hope this helps those who are worried that acme is only about business models. In my head what acme ought to be about is getting rid of that 1 hour of silly sysadmin time I just spent - the system-automated web server s/w update should just have done all of this for me without me even having to know a new cert was needed until I get the system update email tomorrow.
>>
>> Cheers,
>> S.
>>
>> PS: Apologies, Cullen but it's your own fault:-)
>>
>> _______________________________________________
>> Acme mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/acme
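The "ready-yet?" query Stephen wishes ACME had can be approximated by an operator today: before swapping a freshly issued cert into the web server, ask the cert's own OCSP responder and only proceed once it returns a verified "good" answer, so that no browser or proxy gets the chance to cache an "unknown". The script below is an added example written for this thread; it is not code from the list, from Stephen, or from any ACME client. It assumes `openssl` is on the PATH and that the certificate and issuer paths given on the command line are placeholders you replace with your own.

```shell
#!/bin/sh
# ocsp_ready.sh: added example, not code from this thread or from any ACME client.
# Poll the OCSP responder named in a freshly issued certificate and report
# "ready" only once it returns a verified "good" status. Installing the cert
# before that point is what let a cached "unknown" answer linger in the story
# above. The certificate and issuer paths are placeholders.

# Decide from the text output of `openssl ocsp` whether the answer is usable.
# $1: captured output. Returns 0 for a verified "good", 1 otherwise
# (unknown, revoked, verify failure and connection errors all mean not ready).
ocsp_status_is_good() {
    out=$1
    printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$out" | grep -q ': good$' || return 1
    return 0
}

# Classify the answer so the caller can log why it is still waiting.
# Prints one of: good, revoked, unknown, unverified.
ocsp_status_word() {
    out=$1
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo unverified
        return 0
    fi
    for w in good revoked unknown; do
        if printf '%s\n' "$out" | grep -q ": $w\$"; then
            echo "$w"
            return 0
        fi
    done
    echo unverified
}

# Query the responder up to $3 times, sleeping $4 seconds between tries.
# $1: new cert (PEM), $2: its issuer cert (PEM). Returns 0 once "good".
wait_for_ocsp() {
    cert=$1 issuer=$2 tries=${3:-10} pause=${4:-30}
    # The AIA extension carries the responder URL; no URL means no check is possible.
    url=$(openssl x509 -noout -ocsp_uri -in "$cert")
    if [ -z "$url" ]; then
        echo "no OCSP URI in $cert; cannot check" >&2
        return 2
    fi
    i=0
    while [ "$i" -lt "$tries" ]; do
        out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" 2>&1) || true
        if ocsp_status_is_good "$out"; then
            return 0
        fi
        echo "try $((i + 1))/$tries: responder says $(ocsp_status_word "$out"); waiting ${pause}s" >&2
        i=$((i + 1))
        sleep "$pause"
    done
    return 1
}

# Usage (placeholder paths): sh ocsp_ready.sh /etc/ssl/new-cert.pem /etc/ssl/issuer.pem
# Only after it reports success do you swap the cert into apache and reload.
if [ "$#" -eq 2 ]; then
    if wait_for_ocsp "$1" "$2"; then
        echo "OCSP status is good: safe to install $1"
    else
        echo "OCSP not ready for $1; leave the old cert in place" >&2
        exit 1
    fi
fi
```

The check is deliberately strict: a response that fails signature verification is treated the same as "unknown", because a deployment gate should not trust an unverifiable answer. The poll interval and retry count are placeholders; the right values depend on how quickly the CA's responder learns about new issuances, which the thread shows is not something an operator can easily know in advance.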
