141 Replies Latest reply: May 2, 2016 3:58 AM by maple20
  • gurple Level 1

    This problem seems to be a little more insidious than just ocspd not being able to validate from behind a proxy. I've seen such problems even when I'm not behind the proxy.


    Even worse, it broke certificate-based logins to our Cisco VPN, since my certificate was issued by an intermediary CA which was suddenly listed as invalid. Even when I tried forcing every certificate in the chain as trusted (in both the login and System keychains) and turned off the sane options of using OCSP and CRL in Keychain, it still wouldn't work.


    Then I realized that the daemons used to create the VPN run as the root user.


    I had to enable and log in to the root user. From there, set in Keychain all of the needed certificates as trusted in the System keychain for the root account.


    Now it all seems to function (mostly). There is still the problem of some certificates being marked as having an invalid key length as mentioned by another poster in the thread.


    I hope Apple gets this sorted out ASAP.


    I hope even more that I'll remember to bring my system back into a sane state after the fix.

  • dbajohn Level 1

    Did Apple have any suggestions as to what to do?  At this point I'm suspecting that the Lion upgrade has made handling proxies more strict and some proxies are failing.  If I could accurately describe this to our internal IT folks I might have a chance of getting close to a fix.


    Anything Apple said might be interesting.

  • marc from white river junction Level 1

    Yes, but what about those of us who are not behind proxies who are experiencing the same problems?

  • Robke Level 1

    My bug report has been closed as a duplicate of 11232763, so Apple is aware of the problem.

  • tcthomas Level 1

    So, I went into my local Apple Store yesterday with this thread and my laptop to see if they had any ideas.  The 'genius' hadn't encountered this problem with anyone else and because we couldn't recreate it at the Store (because no proxy), he offered to install a bug tracker that would log all errors and then I could take the laptop back in and he could escalate it to engineering.  However, for a variety of other reasons, I do not have the patience or time to go through this and so asked him to roll it back to 10.7.3 and I won't update for a while.


    So, I'm afraid no solution, however, if someone has the time and patience, it does sound like there will be the option to get it looked at in detail.


    Sorry I couldn't be of more help guys.

  • kaltekar Level 1

    Can you post your bug report to openradar so I can dup it?

  • Vibou Level 1

    It is just INCREDIBLE! Since I updated from 10.7.3 to 10.7.4 I'm running into major network problems, including network configuration which is not saved correctly (e.g., credentials for proxy go back to blank once I close the window to set them). It keeps asking me for certificates all the time, the SMTP server connection is completely lost (in the Mail application), and all my extensions in Safari have been uninstalled without my approval.


    Anyway! I bought a Mac because I know that I can rely on it all the time. But having such updates with those kinds of bugs afterward, I would rather stay on Linux.


    So please Apple, do something and quick.

  • kaltekar Level 1

    We were able to find a fix for this.  We disabled Online Certificate Status Protocol in Keychain Access's Preferences.

  • sébastienfromquebec Level 1

    It didn't work for me

  • marc from white river junction Level 1

    It didn't work for me either, now restoring to 10.7.3 from Time Machine.

  • gurple Level 1

    The only way I reliably got these intermediary CA certs to function was to force them as trusted via Keychain Access run under the root account. Otherwise System daemons which use the certs will balk.

  • kaltekar Level 1

    Try turning both OCSP and CRL off.

  • dbajohn Level 1

    Turned off both options in Keychain preferences.


    No change in behavior.  Still getting an error accessing https sites.


  • dbajohn Level 1

    Has anyone made any progress on this or heard anything from Apple?