View Issue Details

ID: 0001179
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2013-05-21 22:08
Reporter: davidnorthcraft
Assigned To: INOPIAE
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Summary: 0001179: CRL location is incorrect in the server certificate

Description: The following issue was entered in the infrastructure project as 0001178:

Hello, I am using one of your free certificates for my domain and am trying to set up VPN into my server. I get an error when connecting stating "The revocation function was unable to check revocation because the revocation server was offline." In checking the address of your CRL from your site it is - https://crl.cacert.org/revoke.crl
However in looking at the CAcert server certificate CRL Distribution points the address shows as https://www.cacert.org/revoke.crl
It appears that the "www" in the address of the certificate is NOT in the CRL address posted on your website. I believe this is what is causing my error and not allowing me to VPN into my server.

Please help?? Thank you, David
Steps To Reproduce: Try to connect to my VPN happens every time.
Tags: No tags attached.
Attached Files: Cert location error.PNG (26,400 bytes)
Reviewed by
Test Instructions

Relationships

has duplicate 0001178 closedjandd Infrastructure CRL location is incorrect in the server certificate 

Activities

jandd

2013-05-17 08:13

administrator   ~0004008

changed to original reporter

INOPIAE

2013-05-18 07:33

updater   ~0004009

note from critical admins in OTRS (s20130517.5)

We do not recommend using https to retrieve the CRL -- it is possible,
but unnecessary, since the CRL is signed itself. But in any case, both
URLs mentioned above are valid. The www one will automatically redirect
to the crl one, since we want to offload the extremely heavy CRL traffic
from our webserver.

Also note that certificates issued by us have:

  X509v3 CRL Distribution Points: URI:http://crl.cacert.org/revoke.crl

in them. It's only the root certificate (created and issued in 2003) which
still has

  X509v3 CRL Distribution Points:URI:https://www.cacert.org/revoke.crl

but as I said, this address will automatically redirect to the crl.cacert.org
server. And one more note: please use OCSP rather than the CRL whenever
possible, it is much more efficient. Problems with retrieving the CRLs from
time to time are likely caused by an overload of the current firewall
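
The point in the note above, that a CRL is signed and so does not depend on https for its integrity, shown as an added example (not part of the original issue and not CAcert's code). It assumes the third-party Python `cryptography` package; the CA, keys, serial numbers and dates are constructed for the demonstration.

```python
# Added example: trust in a CRL comes from its signature and validity window,
# not from the transport. Names, keys, serials and dates are constructed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ISSUED = datetime.datetime(2013, 5, 18)  # constructed thisUpdate for the demo


def make_ca(common_name):
    """Throwaway CA key and subject name (stand-in for the issuing CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return key, name


def make_crl(signing_key, issuer_name, revoked_serials):
    """Build a DER CRL valid for 7 days from ISSUED, signed by signing_key."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_name)
               .last_update(ISSUED)
               .next_update(ISSUED + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(ISSUED).build())
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(private_key=signing_key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def check_crl(der, ca_public_key, ca_name, serial, now):
    """Classify a CRL fetched over any transport (http or https)."""
    try:
        crl = x509.load_der_x509_crl(der)
    except ValueError:
        return "untrusted"  # not parseable as a CRL
    if crl.issuer != ca_name or not crl.is_signature_valid(ca_public_key):
        return "untrusted"  # not signed by the CA we trust
    # Newer cryptography releases expose *_utc; older ones only next_update.
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if now > next_update.replace(tzinfo=None):
        return "stale"  # an old CRL served again is rejected by nextUpdate
    hit = crl.get_revoked_certificate_by_serial_number(serial)
    return "revoked" if hit is not None else "good"
```

`now` is a naive UTC `datetime`. A CRL signed by any other key is rejected even when it carries the expected issuer name, which is the property the note relies on.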

INOPIAE

2013-05-21 22:08

updater   ~0004020

There is no change needed as there is a redirect from https://www.cacert.org/revoke.crl to https://crl.cacert.org/revoke.crl

Issue History

Date Modified Username Field Change
2013-05-17 08:09 jandd New Issue
2013-05-17 08:10 jandd Relationship added duplicate of 0001178
2013-05-17 08:10 jandd Relationship replaced has duplicate 0001178
2013-05-17 08:12 jandd File Added: Cert location error.PNG
2013-05-17 08:13 jandd Note Added: 0004008
2013-05-17 08:13 jandd Reporter jandd => davidnorthcraft
2013-05-18 07:33 INOPIAE Note Added: 0004009
2013-05-21 22:08 INOPIAE Note Added: 0004020
2013-05-21 22:08 INOPIAE Status new => closed
2013-05-21 22:08 INOPIAE Assigned To => INOPIAE
2013-05-21 22:08 INOPIAE Resolution open => no change required