OCSP server suggests trying again later
I got the same message when viewing the site on Firefox.
It seems that the problem occurs when checking the revocation status of the StartSSL Intermediate certificate that was used to sign your certificate. It looks like their OCSP responder at ocsp.startssl.com still isn’t correctly responding to requests.
I used the online SSL server test from Qualys SSL Labs to test your server. When checking the revocation status of StartCom Class 1 Primary Intermediate Server CA, it reports that
OCSP ERROR: Request failed with HTTP status: 500 [http://ocsp.startssl.com/ca]
I also used the OpenSSL s_client diagnostic tool to check your server’s response:
echo | openssl.exe s_client -connect www.grepper.net:443 -CAfile /usr/ssl/certs/ca-bundle.crt -status
The -status option sends a certificate status request to the server (OCSP stapling). The server response (if any) is printed out.
In your case, the response was:
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: trylater (0x3)
BTW, congratulations on scoring the A in the SSL Labs test. It’s a shame that you configured everything correctly but were let down by external factors outside your control. I had been considering converting some personal sites to use HTTPS (and HSTS) with certificates from StartSSL but I wasn’t aware until now that there was such a critical reliance on the CA’s OCSP responder(s).
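Added example (not part of the original answers): a shell function that classifies the stapled OCSP status from `openssl s_client -status` output, so a monitoring job can alert when the server is stapling a responder error such as trylater. The name classify_staple, the HOST placeholder and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. classify_staple (hypothetical name) reads the text printed by
# `openssl s_client -status` on stdin and prints one verdict:
#   good | revoked | no-staple | responder-error:<status> | unknown
classify_staple() {
    awk '
        # Server sent no stapled response at all.
        /OCSP response: no response sent/ { nostaple = 1 }
        # e.g. "    OCSP Response Status: trylater (0x3)"
        /OCSP Response Status:/ { status = $4 }
        # e.g. "    Cert Status: good" (printed only for a successful response)
        /Cert Status:/ { cert = $3 }
        END {
            if (nostaple)                    print "no-staple"
            else if (status == "")           print "unknown"
            else if (status != "successful") print "responder-error:" status
            else if (cert == "good" || cert == "revoked") print cert
            else                             print "unknown"
        }'
}

# Constructed sample: the stapled response quoted in the answer above.
SAMPLE_TRYLATER='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)'

# Constructed sample: the shape of a healthy staple as s_client prints it.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

# Live use (HOST is a placeholder):
#   echo | openssl s_client -connect HOST:443 -status 2>/dev/null | classify_staple
printf '%s\n' "$SAMPLE_TRYLATER" | classify_staple
printf '%s\n' "$SAMPLE_GOOD" | classify_staple
```

A verdict of responder-error means the web server is passing along the CA responder's failure, which is the situation described above; no-staple means stapling is not active at all.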
I had this problem, too, but it was entirely dependent on the browser I used. I got the issue with Firefox only and only occasionally (when the StartSSL OCSP server for my server's StartSSL cert was down).
To fix it in Firefox, which enables you to navigate to your StartSSL site even when their OCSP server is down, navigate to "about:config" and set security.ssl.enable_ocsp_must_staple to false.