Firefox gives OCSP error


#1

Hi,

I set up a Let’s Encrypt certificate on stephenrank.me.uk via cPanel (it’s on shared Linux hosting). This worked fine for several months but now Firefox (both ESR v52.7.3 and latest v60 Beta) returns a MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error, it works OK on Chrome, Edge, and IE. Disabling security.ssl.enable_ocsp_stapling in Firefox’s about:config allows the site to load.

I’d be grateful for any help that you can give in figuring out what has caused this issue and how to resolve it. Thanks.

My domain is: stephenrank.me.uk

My web server is (include version): Apache 2.4.29 LiteSpeed 5.2.5

The operating system my web server runs on is (include version): Linux (unknown version)

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 68.0 (build 36)


#2

Here’s the problem.

Below we see the OCSP response from the server:

$ openssl s_client -connect stephenrank.me.uk:443 -servername stephenrank.me.uk -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "session ticket" (id=35), len=0
TLS server extension "status request" (id=5), len=0
TLS server extension "EC point formats" (id=11), len=2
0000 - 01                                                .
0002 - <SPACES/NULS>
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = stephenrank.me.uk
verify return:1
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Mar  8 02:46:00 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03589C4650F717DB6AF7369889584429A224
    Cert Status: good
    This Update: Mar  8 02:00:00 2018 GMT
    Next Update: Mar 15 02:00:00 2018 GMT

That serial number matches this certificate: https://crt.sh/?id=323644657

However, the certificate actually being served by the server is a different, newer serial (https://crt.sh/?id=385404236):

Serial Number:
    03:8f:27:b5:fe:c9:c7:e4:87:e2:c0:12:ec:20:90:ea:04:74

So, Apache is stapling an OCSP response for an old certificate, while also using a newer certificate.

When Firefox sees that the stapled OCSP response is for a different certificate to the actual certificate, it decides to bail out.

The solution, I believe, is to force Apache to drop its OCSP cache and fetch new responses. You need to ask your web host to do this (or wait it out, should be fine after an hour I think?)

This is either a terrible, terrible bug in Apache or a terrible, terrible bug in the Let’s Encrypt OCSP responder. I’m honestly not sure which one it’s more likely to be.


#3

The website seems to be using LiteSpeed, actually. Though Apache could also be involved.


#4

@_az Thanks for the information. If the issue doesn’t resolve itself I’ll contact the webhost.

@mnordhoff Thanks, I assumed the webhost was using Apache 2.4.29 based on the Server Information section in cPanel so take that with a grain of salt.


#5

Litespeed on cPanel is generally considered to be a no-config-change-required drop-in replacement for Apache anyway, perhaps it is bug compatible :cold_sweat: .


#6

I’ve received an independent report from a customer experiencing the same issue, also running Litespeed.

Peculiar timing.

For other visitors to this thread, please note that LSWS released v.5.2.6 on 2018-03-28, featuring the following item:

BUGFIX Fixed a bug introduced in 5.2.5 that triggered an OCSP response error in Mozilla Firefox.

Please ensure your LSWS installations are updated.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.