New Contributor
Posts: 3
Registered: ‎10-07-2011

Comodo OCSP - new IP address

For those of you running captive portal based upon a Comodo SSL certificate, you might like to know that one of the IP addresses being returned by a DNS query of ocsp.comodoca.com has changed in the past couple of days.

 

This appears to be causing issues for MacOS Lion clients to be able to check the validity of the certificate.

 

ocsp.comodoca.com

WAS: 91.199.212.169, 91.209.196.169, 149.5.128.169

NOW: 91.199.212.169, 91.209.196.169, 178.255.83.1

 

The new IP address also resolves to ocsp.usertrust.com which is part of some Comodo certificate chains.

If you've got captive portal clients reporting issues with getting to the captive portal page this might be worth checking out.

 

 

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: Comodo OCSP - new IP address

Thanks for the info!

Thanks,

Zach Jennings
Occasional Contributor II
Posts: 13
Registered: ‎05-26-2009

Re: Comodo OCSP - new IP address

Using Google's DNS at 8.8.8.8, ocsp.comodoca.com resolves to:

178.255.83.1

199.66.201.169

91.209.196.169

 

I would also add the following for crl.comodoca.com:

178.255.83.2

 

-Robin-
Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: Comodo OCSP - new IP address


tomo wrote:

For those of you running captive portal based upon a Comodo SSL certificate, you might like to know that one of the IP addresses being returned by a DNS query of ocsp.comodoca.com has changed in the past couple of days.

 

This appears to be causing issues for MacOS Lion clients to be able to check the validity of the certificate.

 

ocsp.comodoca.com

WAS: 91.199.212.169, 91.209.196.169, 149.5.128.169

NOW: 91.199.212.169, 91.209.196.169, 178.255.83.1

 

The new IP address also resolves to ocsp.usertrust.com which is part of some Comodo certificate chains.

If you've got captive portal clients reporting issues with getting to the captive portal page this might be worth checking out.

 

 



Thanks for posting this. Our wireless users don't complain when things aren't working. If you hadn't posted this, I wouldn't have known to test our CP SSID. After testing, our Geotrust cert wasn't working either. I found that they changed the Geotrust IP addresses as well. I posted those in their own thread.

 

Thanks again!

Thanks,

Zach Jennings
New Contributor
Posts: 3
Registered: ‎10-07-2011

Re: Comodo OCSP - new IP address

Of course, if you're using AOS 6.1.X you can build the PEF-NG rule to be based on DNS hostnames, which is probably the better long-term solution :)

New Contributor
Posts: 3
Registered: ‎10-07-2011

Re: Comodo OCSP - new IP address

I got our cert provider to open a support call against Comodo to find out the IP ranges that they're likely to use, and I include their statement below.

 

The extent of the IP ranges that we can provide to you can be found below. This is not the full list as we may pull in blocks from other providers as load and need are required so customer should be using DNS (which is where we'll publish our IPs) vs. that having to plug in our netblocks. Customer may want to query our OCSP/CRL every so often (e.g. every day) from a server that doesn't have restrictions, grab the IPs, whitelist them on Firewall, rinse and repeat as needed.

 

* 91.209.196.0/24

* 91.199.212.0/24

* 178.255.80.0/21

* 149.5.128.0/24

 

Regards,

 

Technical Support
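
The daily check the vendor statement describes, as an added example that is not part of the original thread or any Aruba or Comodo tooling: it resolves the responder hostnames, diffs the answers against the current allowlist, and flags new addresses that fall outside the published netblocks. The function names are hypothetical, and the sample addresses are the ones quoted in the posts above.

```python
import ipaddress
import socket

# Netblocks quoted in the vendor statement above, which says the list is incomplete.
PUBLISHED_BLOCKS = [ipaddress.ip_network(n) for n in (
    "91.209.196.0/24", "91.199.212.0/24", "178.255.80.0/21", "149.5.128.0/24")]

# Addresses taken from the posts above, used as offline sample input.
ALLOWLIST_BEFORE = ["91.199.212.169", "91.209.196.169", "149.5.128.169"]
RESOLVED_SAMPLE = ["178.255.83.1", "199.66.201.169", "91.209.196.169"]


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses DNS currently publishes for hostname."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def diff_allowlist(current, resolved, blocks=PUBLISHED_BLOCKS):
    """Compare the firewall allowlist with fresh DNS answers.

    add     - resolved addresses missing from the allowlist
    stale   - allowlisted addresses DNS did not return this run (report only:
              a single query may return a subset of the pool)
    review  - new addresses outside the published netblocks; confirm these
              before allowing them, since the rule is only as trustworthy as
              the resolver that supplied the answer
    """
    cur = {ipaddress.ip_address(a) for a in current}
    new = {ipaddress.ip_address(a) for a in resolved}
    added = sorted(new - cur)
    review = [a for a in added if not any(a in net for net in blocks)]
    return {
        "add": [str(a) for a in added],
        "stale": [str(a) for a in sorted(cur - new)],
        "review": [str(a) for a in review],
    }


if __name__ == "__main__":
    print("sample:", diff_allowlist(ALLOWLIST_BEFORE, RESOLVED_SAMPLE))
    for host in ("ocsp.comodoca.com", "crl.comodoca.com"):
        try:
            print(host, diff_allowlist(ALLOWLIST_BEFORE, resolve_ipv4(host)))
        except socket.gaierror as exc:
            print(host, "lookup failed:", exc)
```
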
