MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING when ocsp stapling turned on
Hi all, When I turn OCSP stapling on because of certificate transparency, I'm getting this error message in Firefox (v66.0.5):
An error occurred during a connection to XXX. The OCSP response does not include a status for the certificate being verified. Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
Other browsers works fine and also check for OCSP response with openssl looks good: OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = SK, L = Bratislava, serialNumber = NTRSK-35975946, O = Disig a.s., OU = Responder 2_2, CN = OCSP SubCAR2I2 Disig
Produced At: May 16 07:42:58 2019 GMT
Responses:
Certificate ID:
Hash Algorithm: sha256
Issuer Name Hash: 133D9F995AD99F50DCBF6C9700F87A8D120D8E292537C6313CE998A5307EDCF3
Issuer Key Hash: 31B7347916C0FFBBBADE3AB3B3C27D716E66DCED86DAAC63422D58DAB3601900
Serial Number: 0CDFBB3F168802CFD9000000000000032C
Cert Status: good
This Update: May 16 07:42:54 2019 GMT
Next Update: May 16 15:42:54 2019 GMT
Any ideas, where should be an issue ?
I can turn off ocsp stapling in about:config:
security.ssl.enable_ocsp_stapling;false
and page works fine then, but site has lot off customers, so this is not relevant solution for me.
Thank you for all your hints...
由macrek于修改
被采纳的解决方案
Cor-el, great!
Thank you, Problem was with as CertID Hash algorithm. Thankfully, I have an option to change this algorithm to SHA1 on my SSL offloader / loadbalancer (F5 Big-IP).
Thank you.
定位到答案原位置 👍 0所有回复 (7)
Please provide a public link (no password) that we can check out. No Personal Information Please !
There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own.
https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
Websites don't load - troubleshoot and fix error messages
is your server set up for ocsp stapling? https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
Yes, Server is configured with ocsp stapling. As you can see in output from openssl, it works. Without OCSP stapling would not work other browsers (i.e. Chrome) because of Certificate Transparency.
Page url: https://rpi.gov.sk
I had no problem with the link.
Looks like this bug (problem with SHA256)
- Bug 1489411 - Stapled OCSP response with SHA256 used in CertID causes MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
选择的解决方案
Cor-el, great!
Thank you, Problem was with as CertID Hash algorithm. Thankfully, I have an option to change this algorithm to SHA1 on my SSL offloader / loadbalancer (F5 Big-IP).
Thank you.