OCSP response not accepted by Firefox 44


#1

I request an OCSP response used for OCSP stapling by nginx.
I get this OCSP answer, including this:
Response verify OK
This Update: Jan 29 23:00:00 2016 GMT
Next Update: Feb 5 23:00:00 2016 GMT

The OCSP response is saved to a file and that file is referenced by nginx:
ssl_stapling_file /path/to/ocsp.response;

nginx is stopped and started again without errors.
Firefox 44 does not display content but shows:
An error occurred during a connection to www.example.org.
The OCSP response does not contain a status for the certificate being verified.
(Error code: mozilla_pkix_error_ocsp_response_for_cert_missing)

If I remove the ssl_stapling_file directive from nginx and restart, the browser can display content.

Is the OCSP response broken somehow?

Andreas


#2

Oops, possibly a misconfiguration on my side.
Will double-check tomorrow…


#3

Looks like I requested a certificate too often.
I did request a certificate on day #1.
I did request an OCSP response on day #1, valid for ~7 days.

I could renew a certificate after 90 days or just on day #2.
But the OCSP response is still valid for the certificate from day #1.

If nginx now uses the cert from day #2 and the OCSP response from day #1, they obviously do not match and trigger the initially mentioned error message in Firefox.

-> shouldn't Boulder deny renewal for an FQDN more often than the OCSP minimal lifetime?

Andreas
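
The mismatch described in #3 can be caught before nginx ever serves the stale staple. The following is an added example, not code from the thread, nginx or Boulder: it uses the Python `cryptography` library to build a throw-away CA, a "day #1" and a "day #2" certificate for www.example.org (same name, different serial number), and an OCSP response issued for the day #1 certificate only, and then runs the check a practitioner should run on a saved response file before pointing ssl_stapling_file at it. The check recomputes the CertID (issuer name hash, issuer key hash, serial) for the served certificate and compares it with the one in the response, which is the comparison Firefox fails with OCSP_RESPONSE_FOR_CERT_MISSING; it also checks the thisUpdate/nextUpdate window and, assuming the issuer signed the response directly (no delegated responder certificate), the signature. All certificate names and the 7-day window are constructed for the example.

```python
"""Check that a saved OCSP response really covers the certificate nginx serves.

Added example, not code from the thread. Assumes the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def utc_now():
    # naive UTC datetime, the form cryptography's builders and OCSP fields use
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _naive(dt):
    return dt.replace(tzinfo=None) if dt is not None and dt.tzinfo else dt


def staple_matches_cert(cert_der, ocsp_der, issuer_der, now=None):
    """Return (ok, reason) for using ocsp_der as the staple for cert_der."""
    now = now or utc_now()
    cert = x509.load_der_x509_certificate(cert_der)
    issuer = x509.load_der_x509_certificate(issuer_der)
    resp = ocsp.load_der_ocsp_response(ocsp_der)

    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "response status %s" % resp.response_status.name

    # The check Firefox fails with OCSP_RESPONSE_FOR_CERT_MISSING: the CertID in
    # the response (issuer name hash, issuer key hash, serial) must name the
    # served certificate. Recompute it with the responder's hash algorithm.
    req = (ocsp.OCSPRequestBuilder()
           .add_certificate(cert, issuer, resp.hash_algorithm)
           .build())
    if (req.serial_number, req.issuer_name_hash, req.issuer_key_hash) != (
            resp.serial_number, resp.issuer_name_hash, resp.issuer_key_hash):
        return False, "response is for serial %x, served cert has serial %x" % (
            resp.serial_number, cert.serial_number)

    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "certificate status %s" % resp.certificate_status.name

    # Freshness: a staple outside its thisUpdate/nextUpdate window is rejected too.
    this_update = _naive(getattr(resp, "this_update_utc", None) or resp.this_update)
    next_update = _naive(getattr(resp, "next_update_utc", None) or resp.next_update)
    if this_update > now or (next_update is not None and now >= next_update):
        return False, "now is outside the response's thisUpdate/nextUpdate window"

    # openssl's "Response verify OK" for the case where the issuer itself signed
    # the response (assumption: no delegated responder certificate).
    try:
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except Exception:
        return False, "response signature does not verify with the issuer key"
    return True, "ok"


def _make_cert(subject, issuer, public_key, signing_key, is_ca):
    now = utc_now()
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())  # new serial per issuance
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def build_fixture():
    """Constructed test material (DER bytes): CA, the day #1 and day #2 leaf
    certs for www.example.org, and an OCSP response for the day #1 cert only."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    site = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.org")])
    ca = _make_cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    leaf_day1 = _make_cert(site, ca_name, leaf_key.public_key(), ca_key, False)
    leaf_day2 = _make_cert(site, ca_name, leaf_key.public_key(), ca_key, False)
    now = utc_now()
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf_day1, issuer=ca, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=now, next_update=now + datetime.timedelta(days=7),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))
    der = lambda obj: obj.public_bytes(serialization.Encoding.DER)
    return {"ca": der(ca), "leaf_day1": der(leaf_day1),
            "leaf_day2": der(leaf_day2), "ocsp_day1": der(resp)}


if __name__ == "__main__":
    f = build_fixture()
    print("day #1 cert + day #1 staple:", staple_matches_cert(f["leaf_day1"], f["ocsp_day1"], f["ca"]))
    print("day #2 cert + day #1 staple:", staple_matches_cert(f["leaf_day2"], f["ocsp_day1"], f["ca"]))
```

Run against a real deployment by loading the certificate nginx serves, its issuer certificate and the file named in ssl_stapling_file (converted to DER). The practical lesson from the thread is that a static ssl_stapling_file must be regenerated every time the certificate is reissued, since the new certificate has a new serial; leaving ssl_stapling_file unset and letting nginx fetch responses itself (ssl_stapling on, with a resolver configured) avoids the stale-staple failure mode entirely.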


#4

It can be legitimate for people to have multiple overlapping certs at the same time for the same name, for example for different devices or services.