
I am using a Debian/Apache webserver with up-to-date software and an SSL certificate to encrypt the communication via HTTPS. In February the old certificate expired and I got myself a new one (CA Geotrust via CA RapidSSL), like the one before.

In Firefox (Chrome, ...) everything works fine. But after the old certificate finally expired after 2 weeks, Internet Explorer says the certificate has expired - leave the page? Apparently the old certificate is stuck in the browser cache and has not been updated since.

And clearing the browser cache doesn't do it. I actually had to reset the IE settings to make it reload the new certificate. As it works by now, I guess that the server delivers the correct certificate. But there are still other users who report the same problem - so it wasn't my browser alone.

My best guess is that something in the old cert or my cache settings told IE to store the certificate for a long while. But I have no clue how to solve this - or even what to change so I don't have the same problem next year, again.

Thanks for any ideas!

BurninLeo

  • Are you saying that you were still able to connect to your website and see new content (not just cached content too) but that it was still using the trust settings referring to the old certificate? That sounds like it could be a security issue. (I guess this may be OS dependent: XP or Vista/7.) – Bruno Mar 01 '12 at 13:49
  • A few minutes after uploading the new cert, I could access the website (not from cache), but the browser reported the old cert in the security information. I actually did not check which cert was used for encryption - however it should not have been possible to use the old cert for this (the server does not use the old one any more...). Firefox showed the new cert immediately. – BurninLeo Mar 01 '12 at 13:53
  • IE doesn't cache certificates across restarts, as there is no point in doing so. There is some other configuration issue. Take a network capture and look at what the server is sending on the wire. – Nasko Mar 01 '12 at 16:19
  • Thank you - that was the solution. Apparently Confixx updated the certificate - but the old cert also remained in the directory and the configuration files. I am not yet sure why the server sent the old cert in some situations and the new one in others (at least the cert is configured via IP address). The point is that IE seems innocent (although no other browser received the old cert) and it actually was a configuration error... – BurninLeo Mar 02 '12 at 08:42

1 Answer

I had a similar problem. In fact it is IE under XP which doesn't support several HTTPS subdomains on a single IP address.

http://nginx.org/en/docs/http/configuring_https_servers.html#sni

So if you also have several domains or subdomains on the same IP, you can't solve this on XP/IE; you can just choose which certificate is used by XP/IE, but it will be the same for all subdomains.

PiR

  • To my best knowledge, SSL does not support multiple domain names for one IP address at all. The relevant HOST part of the request is already encrypted. "That's why SSL on vhosts doesn't work too well" http://stackoverflow.com/questions/187655/are-https-headers-encrypted – BurninLeo Dec 03 '12 at 13:01
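Both threads above come down to one check: look at the certificate the server actually sends on the wire, once with a server name (SNI) in the handshake and once without, the way an SNI-less client such as IE on Windows XP connects. The script below is an added example written for this page, not code from either poster; it uses only the Python standard library. The host `www.example.test` is a placeholder, the two `SAMPLE_*_CERT` dicts are constructed in the shape `getpeercert()` returns (they are not real certificates), and the function names are my own. With chain verification left on, an expired leaf does not silently pass: the OpenSSL verify message is returned instead.

```python
import socket
import ssl
import sys
import time
from datetime import datetime, timezone

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns (not real certificates):
# an "old" leaf that expired mid-February 2012 and its "new" replacement.
SAMPLE_OLD_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Constructed Test CA"),),),
    "serialNumber": "01",
    "notBefore": "Feb  1 00:00:00 2011 GMT",
    "notAfter": "Feb 15 23:59:59 2012 GMT",
}
SAMPLE_NEW_CERT = dict(SAMPLE_OLD_CERT, serialNumber="02",
                       notBefore="Feb  1 00:00:00 2012 GMT",
                       notAfter="Feb  1 23:59:59 2013 GMT")


def cert_time(value):
    """Parse a getpeercert() timestamp such as 'Feb 15 23:59:59 2012 GMT' into epoch seconds (UTC)."""
    return ssl.cert_time_to_seconds(value)


def common_name(cert):
    """Pull the commonName out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def summarize(cert, now_ts=None):
    """Describe one served certificate: who it is for, its serial, and whether it has expired."""
    if "error" in cert:
        return {"error": cert["error"]}
    now_ts = time.time() if now_ts is None else now_ts
    not_after_ts = cert_time(cert["notAfter"])
    days_left = (not_after_ts - now_ts) / 86400
    return {
        "common_name": common_name(cert),
        "serial": cert.get("serialNumber"),
        "not_after": datetime.fromtimestamp(not_after_ts, timezone.utc).isoformat(),
        "days_left": days_left,
        "expired": days_left < 0,
    }


def same_certificate(a, b):
    """Two getpeercert() dicts describe the same certificate if issuer and serial match."""
    return a.get("issuer") == b.get("issuer") and a.get("serialNumber") == b.get("serialNumber")


def fetch_cert(host, server_name=None, port=443, timeout=5.0):
    """Handshake with host and return what the server really sent, as getpeercert() sees it.

    server_name=None sends no SNI extension at all (like IE on Windows XP), so a server
    hosting several names on one IP answers with its default certificate for that address.
    Chain verification stays on; a failing chain (e.g. an expired leaf) comes back as
    {'error': <OpenSSL verify message>} rather than raising.
    """
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False  # no name to match against when SNI is off
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return tls.getpeercert()
        except ssl.SSLError as exc:
            return {"error": getattr(exc, "verify_message", str(exc))}


def diagnose(host):
    """Compare the certificate served with SNI against the one served without it."""
    with_sni = fetch_cert(host, server_name=host)
    without_sni = fetch_cert(host)
    report = {"with_sni": summarize(with_sni), "without_sni": summarize(without_sni)}
    if "error" not in with_sni and "error" not in without_sni:
        report["same_certificate"] = same_certificate(with_sni, without_sni)
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.test"  # placeholder host
    for mode, result in diagnose(target).items():
        print(mode, result)
```

Run it as `python check_cert.py your.host.name`. If `with_sni` shows the new serial but `without_sni` shows the old one (or an "expired" error), the server is still configured with the old certificate as the default for that IP, which is exactly the Confixx leftover the question ended up finding; no browser cache is involved.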