OCSP Error with Firefox (Resolved)

I’m having a bit of trouble getting HTTPS set up on a site.

I used ZeroSSL to create the certificate. I updated an old certificate which was going to expire in March, and which I discovered was not set up to encrypt the www domain.

The site loads fine with Safari. The padlock icon shows and the certificate is what I expect. I’ve also checked with whynopadlock.com and it says everything is fine. But in Firefox, I get a ‘Secure Connection Failed’ message with error code MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, and with the ssllabs.com test I can see that the OCSP stapling is invalid (No response provided). From the little bit of reading around the place, it looks like the OCSP stapling is the issue, but I’ve no idea what I need to do to fix it.


My domain is: https://bmwn.qcca.org.au

I ran this command: used ZeroSSL

It produced this output:

My web server is (include version): (not sure)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

Hi,

I’m not quite sure how to set up valid OCSP on cPanel.

You probably need to reach your hosting provider or cPanel support.

Hi Dan,

The site is working for me in Firefox this morning.

OCSP stapling is a thing that can initially get stuck and start working after some time (due to some not-so-good behaviour in how web servers implement it), so could you update us as to whether you’re still experiencing the issue?

The response looks fine from the Let’s Encrypt side:

```
WARNING: no nonce in response
Response verify OK
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 03016BDA5BD45D31FE969787F279147BAB22
    Request Extensions:
        OCSP Nonce: 
            04104A09BF34E7B5BCB88C58BD3B636B9911
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Feb 20 06:02:00 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03016BDA5BD45D31FE969787F279147BAB22
    Cert Status: good
    This Update: Feb 20 06:00:00 2018 GMT
    Next Update: Feb 27 06:00:00 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
        6b:74:6e:89:ef:38:7d:b1:ff:43:5e:4e:2e:2a:70:d1:02:d3:
        2f:6b:94:51:bf:9c:66:f6:9d:98:d6:f0:d1:7e:9a:3f:6d:d5:
        83:55:6e:01:f0:b2:bf:44:4a:eb:f5:f7:cf:e5:e3:9d:5d:84:
        7d:09:20:3d:f9:42:4e:c5:b0:17:e3:3c:c3:69:42:d9:45:47:
        06:39:00:cd:40:31:c7:0e:b1:93:84:91:17:ed:b6:42:ab:b8:
        d0:9d:8c:c0:0d:e8:1b:93:74:a9:1e:b2:d0:32:92:60:c3:0c:
        1b:87:4b:36:11:32:58:e4:c6:02:ba:b3:1a:80:a0:32:42:44:
        ee:2c:dd:b1:ef:32:5d:41:40:f5:5d:e5:d6:79:e5:9b:0f:96:
        43:55:2d:ae:6d:22:47:6b:fa:06:91:c1:2c:0d:c2:a8:f1:d5:
        85:b3:83:16:8a:4e:7e:54:17:a6:19:4f:30:3d:39:29:bf:ab:
        33:f2:b2:78:0d:96:42:32:c8:a8:3a:85:0f:99:35:c8:d7:e6:
        37:df:1a:65:c8:6f:05:94:d8:b5:9d:d7:62:d3:3f:2c:b4:3e:
        de:4f:34:89:e5:17:07:5a:29:56:c9:45:52:4b:35:9a:b9:89:
        0f:0b:ae:e5:4c:96:47:88:50:1c:5f:a9:5b:6a:a7:de:94:7e:
        42:0f:89:a7
cert.pem: good
  This Update: Feb 20 06:00:00 2018 GMT
  Next Update: Feb 27 06:00:00 2018 GMT
```

The other post is right in that if there are stapling issues, it is up to your cPanel host to tune the OCSP stapling configuration on Apache, since unless you have root, you will not have access to that.

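An added check, not part of this thread, for anyone who can run `openssl` locally: it classifies the OCSP section of `openssl s_client -status` output (what ssllabs.com reports as "No response provided" shows up there as "no response sent") and compares the serial number the staple covers with the serial of the leaf certificate, since an OCSP response is per serial and a staple cached for a superseded certificate is not a response for the renewed one. The hostname is an assumption; the two text helpers read from stdin so they can be tried offline.

```shell
# Classify the OCSP section of `openssl s_client -status` output (read from
# stdin). Prints: missing | stapled-good | stapled-revoked | stapled-other.
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo missing ;;
        *"Cert Status: good"*)               echo stapled-good ;;
        *"Cert Status: revoked"*)            echo stapled-revoked ;;
        *"OCSP Response Status:"*)           echo stapled-other ;;
        *)                                   echo missing ;;
    esac
}

# Serial number that the stapled response actually covers (first
# "Serial Number:" line), normalised to upper-case hex without colons.
stapled_serial() {
    sed -n 's/^ *Serial Number: *//p' | head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Serial of the leaf certificate: `openssl x509` reads the first PEM block
# embedded in the same s_client output.
cert_serial() {
    openssl x509 -noout -serial 2>/dev/null | sed 's/^serial=//' | tr 'a-f' 'A-F'
}

# Connect, classify the staple, and check that it is for the served cert.
# Usage: check_host example.invalid [port]   (hostname is a placeholder)
check_host() {
    host=$1; port=${2:-443}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" -status 2>/dev/null)
    status=$(printf '%s\n' "$out" | classify_stapling)
    echo "stapling: $status"
    if [ "$status" != missing ]; then
        staple=$(printf '%s\n' "$out" | stapled_serial)
        leaf=$(printf '%s\n' "$out" | cert_serial)
        if [ "$staple" = "$leaf" ]; then
            echo "serial match: $staple"
        else
            echo "serial MISMATCH: staple=$staple cert=$leaf"
        fi
    fi
}
```

A "missing" result or a serial mismatch is the server-side (Apache stapling cache) condition the replies above say only the host can tune; "stapled-good" with matching serials is what Firefox expects.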

Thanks, @_az and @stevenzhu,

It’s working now for me too! I had read somewhere that it can get stuck and take time to work. Because I made a few mistakes, I had to create about 3 certificates from ZeroSSL, so maybe things got bogged down there.
