We had an issue just last week where we were getting certificate revocation errors across the Enterprise.
This ended up being due to a change in the GoDaddy CRL IP. We have crl.godaddy.com and certificates.godaddy.com host entries but as the IP was noted in our firewall as now the "old" IP, we had issues. Take a look at this valuable link under the "Access to CRL and OCSP Services"..... http://support.godaddy.com/help/article/6723/verifying-a-certificates-validity-on-your-computer We ended up adding all host entries as well as all IP Policies to all of these hosts in our Managers. Our firewall guys added these as well. I checked with GoDaddy support and they do NOT have an email subscription service you can join to be notified of IP and/or hostname changes. Fun, fun fun! Steve Stockmal Enterprise Network Services Intermountain Healthcare 4646 West Lake Park Blvd. Salt Lake City, UT 84120 Office: (801) 442-6023 [email protected] ITIL V3 Foundations -----Original Message----- From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Kurt Huenemann Sent: Monday, August 27, 2012 7:31 AM To: [email protected] Subject: Re: Apple Safari users get certificate warning from CAS server Just a "me too" to say that we had to add crl.godaddy.com and ocsp.godaddy.com entries to get our MacOS 10.7.4 users online. Also, MacOS 10.8 users have to relax their default Gatekeeper settings in order to download the NAC Agent. Those two items got most of our Mac users online during move-in weekend here. Kurt E. Huenemann Heidelberg University Tiffin, Ohio 44883 Do not ever e-mail your password to anyone. CNIT will never ask for your password in an e-mail. On Mon, Jul 9, 2012 at 1:27 PM, Dennis Xu <[email protected]> wrote: > > We already had all the crl.* entries. Adding the ocsp.* entries fixed the > issue for us. > > Thanks! > > --- > Dennis Xu > Network Analyst, Computing and Communication Services University of > Guelph > 5198244120 x 56217 > > ----- Original Message ----- > From: "Don Nightingale" <[email protected]> > To: [email protected] > Sent: Monday, July 9, 2012 11:29:15 AM > Subject: Re: Apple Safari users get certificate warning from CAS > server > > Macs started using ocsp by default in the latest release. The servers > used aren't in the default allowed hosts list for the > unauthenticated/temp roles. > > Try adding the ocsp.* host entries for your cert provider in the > unauthenticated and temp roles. This cleared up the problem for us > (CCA 4.8.2). > > -- > Don > > > > On 7/9/2012 11:07 AM, Kelly Slone wrote: > > I have noticed the same issue with a new cert we have installed for > > our guest wireless implementation of ISE. The "invalid certificate > > issuer" error is only seen from clients running 10.7.x Lion that are > > using Safari. We do not see this issue on ipads, iphones, windows > > machines, or other OS X versions even including the latest developers seed > > of 10.8 Mountain Lion. > > > > Thank you, > > > > Kelly Slone, B.S., MCP > > Telecom Specialist II > > Marshall University Computing Services Drinko Library DL 434A > > Office: 304-696-6109 > > Helpdesk: 304-696-3200 > > [email protected]
