I’m having a bit of trouble getting HTTPS set up on a site.
I used ZeroSSL to create the certificate. I updated an old certificate which was going to expire in March, and which I discovered was not set up to encrypt the www domain.
The site loads fine with safari. The padlock icon shows and the certificate is what I expect. I’ve also checked with whynopadlock.com and it says everything is fine. But in Firefox, I get a ‘Secure Connection Failed’ message with error code MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING and with the ssllabs.com test I can see that the OCSP Stapling is invalid (No response provided). From the little bit of reading around the place, it looks like the OCSP Stapling is the issue - but I’ve no idea what I need to do to fix it.
The site is working for me in Firefox this morning.
OCSP stapling is a thing that can initially get stuck and start working after some time (due to some not-so-good behavior in how web servers implement it), so could you update us as to whether you’re still experiencing the issue?
The response looks fine from the Let’s Encrypt side:
WARNING: no nonce in response
Response verify OK
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 03016BDA5BD45D31FE969787F279147BAB22
    Request Extensions:
        OCSP Nonce:
            04104A09BF34E7B5BCB88C58BD3B636B9911
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Feb 20 06:02:00 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03016BDA5BD45D31FE969787F279147BAB22
    Cert Status: good
    This Update: Feb 20 06:00:00 2018 GMT
    Next Update: Feb 27 06:00:00 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         6b:74:6e:89:ef:38:7d:b1:ff:43:5e:4e:2e:2a:70:d1:02:d3:
         2f:6b:94:51:bf:9c:66:f6:9d:98:d6:f0:d1:7e:9a:3f:6d:d5:
         83:55:6e:01:f0:b2:bf:44:4a:eb:f5:f7:cf:e5:e3:9d:5d:84:
         7d:09:20:3d:f9:42:4e:c5:b0:17:e3:3c:c3:69:42:d9:45:47:
         06:39:00:cd:40:31:c7:0e:b1:93:84:91:17:ed:b6:42:ab:b8:
         d0:9d:8c:c0:0d:e8:1b:93:74:a9:1e:b2:d0:32:92:60:c3:0c:
         1b:87:4b:36:11:32:58:e4:c6:02:ba:b3:1a:80:a0:32:42:44:
         ee:2c:dd:b1:ef:32:5d:41:40:f5:5d:e5:d6:79:e5:9b:0f:96:
         43:55:2d:ae:6d:22:47:6b:fa:06:91:c1:2c:0d:c2:a8:f1:d5:
         85:b3:83:16:8a:4e:7e:54:17:a6:19:4f:30:3d:39:29:bf:ab:
         33:f2:b2:78:0d:96:42:32:c8:a8:3a:85:0f:99:35:c8:d7:e6:
         37:df:1a:65:c8:6f:05:94:d8:b5:9d:d7:62:d3:3f:2c:b4:3e:
         de:4f:34:89:e5:17:07:5a:29:56:c9:45:52:4b:35:9a:b9:89:
         0f:0b:ae:e5:4c:96:47:88:50:1c:5f:a9:5b:6a:a7:de:94:7e:
         42:0f:89:a7
cert.pem: good
    This Update: Feb 20 06:00:00 2018 GMT
    Next Update: Feb 27 06:00:00 2018 GMT
The other post is right in that if there are stapling issues, it is up to your cPanel host to tune the OCSP stapling configuration on Apache, since unless you have root, you will not have access to that.
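The two replies above separate two different questions: whether the CA's responder says the certificate is good (the openssl ocsp output), and whether the web server actually staples that answer into the TLS handshake (what ssllabs.com flagged and what Firefox's MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING complains about). The shell script below is an added example, not code from this thread or from Let's Encrypt, that checks the second question from the client side: it classifies the "OCSP response" section that openssl s_client -status prints, distinguishing a stapled good response from a missing staple and from a stapled responder error (the "stuck" state the earlier reply mentions). The three s_client transcripts embedded in it are constructed samples, and the hostname in live_check is a placeholder.

```shell
#!/bin/sh
# Added example: classify the stapled OCSP status a TLS server presents.
# Sample transcripts below are constructed to mirror openssl s_client -status output.

# Constructed sample: server staples a valid "good" response.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Feb 20 06:00:00 2018 GMT
    Next Update: Feb 27 06:00:00 2018 GMT
======================================
---
Certificate chain'

# Constructed sample: stapling off, or on but the cache is still empty.
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Constructed sample: server stapled a responder error instead of a real status
# (Apache does this unless SSLStaplingReturnResponderErrors is off).
SAMPLE_ERROR='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: tryLater (0x3)
======================================
---
Certificate chain'

# classify_stapling: read s_client output on stdin and print one of
#   stapled-good | stapled-revoked | stapled-unknown | not-stapled | responder-error
# Exit status is 0 only for stapled-good, so the function can drive a monitor.
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo "not-stapled"; return 1 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \(.*\)$/\1/p' | head -n 1)
    case "$status" in
        good)    echo "stapled-good";    return 0 ;;
        revoked) echo "stapled-revoked"; return 2 ;;
        unknown) echo "stapled-unknown"; return 2 ;;
        "")      echo "responder-error"; return 3 ;;  # staple present, no cert status
    esac
}

# live_check HOST [PORT]: probe a real server (needs network; not run here).
live_check() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | classify_stapling
}

# Stand-alone demonstration on the constructed samples (|| true keeps a
# non-zero classification from aborting a set -e shell).
for sample in "$SAMPLE_STAPLED" "$SAMPLE_MISSING" "$SAMPLE_ERROR"; do
    printf '%s\n' "$sample" | classify_stapling || true
done
# Usage against a live host (placeholder name): live_check www.example.invalid
```

A "not-stapled" result with a "good" answer from openssl ocsp points at the server, not the certificate; on Apache that is the stapling block the host controls (SSLUseStapling, SSLStaplingCache and, to stop error responses being stapled and cached, SSLStaplingReturnResponderErrors off). A "responder-error" result is the stuck state: the server cached a failed fetch and will serve it until the cache entry expires or the server is restarted.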
It’s working now for me too! I had read somewhere that it can get stuck and take time to work. Because I made a few mistakes, I had to create about 3 certificates from ZeroSSL - so maybe things got bogged down there.