I set up a Let’s Encrypt certificate on stephenrank.me.uk via cPanel (it’s on shared Linux hosting). This worked fine for several months, but now Firefox (both ESR v52.7.3 and latest v60 Beta) returns a MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error; it works OK on Chrome, Edge, and IE. Disabling security.ssl.enable_ocsp_stapling in Firefox’s about:config allows the site to load.
I’d be grateful for any help that you can give in figuring out what has caused this issue and how to resolve it. Thanks.
However, the certificate actually being served by the server is a different, newer serial (https://crt.sh/?id=385404236):
Serial Number:
03:8f:27:b5:fe:c9:c7:e4:87:e2:c0:12:ec:20:90:ea:04:74
So, Apache is stapling an OCSP response for an old certificate, while also using a newer certificate.
When Firefox sees that the stapled OCSP response is for a different certificate to the actual certificate, it decides to bail out.
The solution, I believe, is to force Apache to drop its OCSP cache and fetch new responses. You need to ask your web host to do this (or wait it out, should be fine after an hour I think?)
This is either a terrible, terrible bug in Apache or a terrible, terrible bug in the Let’s Encrypt OCSP responder. I’m honestly not sure which one it’s more likely to be.
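As an added example (not code from the thread), the following shell script checks the mismatch this answer describes: it fetches a TLS handshake with `openssl s_client -status`, pulls the serial number out of the stapled OCSP response, and compares it with the serial of the certificate the server actually served. It assumes the openssl command-line tool is installed; the host name defaults to the site from the question.

```shell
#!/bin/sh
# Added example: does the stapled OCSP response belong to the served certificate?
# Assumes the openssl CLI; HOST defaults to the site named in the question.

# Normalise a serial so values from crt.sh (lower-case, colon separated)
# and from openssl (upper-case, no colons) compare equal.
norm_serial() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Extract the "Serial Number:" line from the stapled OCSP response section
# of `openssl s_client -status` output, read from stdin.
stapled_serial() {
    sed -n '/^OCSP Response Data:/,/Cert Status:/s/^ *Serial Number: *//p'
}

# Compare two serials; prints MATCH (status 0) or MISMATCH (status 1).
compare_serials() {
    if [ "$(norm_serial "$1")" = "$(norm_serial "$2")" ]; then
        echo MATCH; return 0
    fi
    echo MISMATCH; return 1
}

# Live check: one handshake, then compare the stapled response's serial
# with the serial of the leaf certificate the server presented.
check_stapling() {
    host=${1:-stephenrank.me.uk}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null)
    staple=$(printf '%s\n' "$out" | stapled_serial)
    if [ -z "$staple" ]; then
        echo "no OCSP response stapled by $host"; return 2
    fi
    # The first PEM block in s_client output is the leaf certificate.
    leaf=$(printf '%s\n' "$out" \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q' \
        | openssl x509 -noout -serial | cut -d= -f2)
    echo "stapled: $(norm_serial "$staple")"
    echo "served : $(norm_serial "$leaf")"
    compare_serials "$staple" "$leaf"
}
```

Run `check_stapling example.org` (or with no argument for the host from the question); MISMATCH is the condition that makes Firefox reject the connection, and it should clear once Apache refreshes its OCSP cache.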