OCSP response not accepted by Firefox 44

I request an OCSP response used for OCSP stapling by nginx.
I get this OCSP answer, including this:
Response verify OK
This Update: Jan 29 23:00:00 2016 GMT
Next Update: Feb 5 23:00:00 2016 GMT

The OCSP response is saved to a file and that file is referenced by nginx:
ssl_stapling_file /path/to/ocsp.response;

nginx is stopped and started again without errors.
Firefox 44 does not display content but
Ein Fehler ist während einer Verbindung mit www.example.org aufgetreten.
Die OCSP-Antwort enthält keinen Status für das zu prüfende Zertifikat.
(Fehlercode: mozilla_pkix_error_ocsp_response_for_cert_missing)

If I remove the ssl_stapling_file directive from nginx and restart, the browser can display content.

Is the OCSP response broken somehow?


Oops, possibly a misconfiguration on my side.
Will double-check tomorrow…

Looks like I requested a certificate too often.
I did request a certificate on day #1
I did request an OCSP response on day #1, valid for ~7 days

I could renew a certificate after 90 days or just on day #2
But the OCSP response is still valid for the certificate from day #1

If nginx now uses the cert from day #2 and the OCSP response from day #1, they obviously do not match and trigger the initially mentioned error message in Firefox.

-> Shouldn’t Boulder deny renewal for an FQDN more often than the OCSP minimal lifetime?
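
A pre-deployment check for the mismatch described above, as an added example that is not part of the original posts: it compares the serial in the certificate with the serial the OCSP response covers, so a response fetched for an older certificate is caught before `ssl_stapling_file` points at it. The sample serials, the abridged response text and the `/path/to/cert.pem` path are constructed assumptions.

```bash
#!/bin/sh
# Added example. Sample data below is constructed, not taken from the thread.

# Normalise a serial: drop whitespace/colons and the "serial=" prefix,
# upper-case the hex digits, strip leading zeros.
norm_serial() {
  printf '%s' "$1" | tr -d ' \t\r\n:' | sed -e 's/^serial=//' \
    | tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# Print the "Cert Status" recorded for serial $2 in the text form of an
# OCSP response ($1); prints nothing if the response has no entry for it.
ocsp_status_for() {
  want=$(norm_serial "$2")
  printf '%s\n' "$1" | awk -v want="$want" '
    /Serial Number:/ { cur = toupper($NF); sub(/^0+/, "", cur) }
    /Cert Status:/   { if (cur == want) { print $NF; exit } }'
}

# $1: output of  openssl x509 -in CERT -noout -serial
# $2: output of  openssl ocsp -respin RESPONSE -resp_text -noverify
# Succeeds only if the response covers this certificate with status "good".
stapling_ok() {
  st=$(ocsp_status_for "$2" "$1")
  if [ -z "$st" ]; then
    echo "OCSP response has no status for this certificate" >&2
    return 1
  fi
  [ "$st" = "good" ]
}

# Constructed, abridged -resp_text output for the "day #1" certificate.
SAMPLE_OCSP_DAY1='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 03A1B2C3D4E5F60718293A4B5C6D7E8F9012
    Cert Status: good
    This Update: Jan 29 23:00:00 2016 GMT
    Next Update: Feb  5 23:00:00 2016 GMT'
SERIAL_DAY1='serial=03A1B2C3D4E5F60718293A4B5C6D7E8F9012'  # constructed
SERIAL_DAY2='serial=03FFEEDDCCBBAA99887766554433221100AB'  # constructed

# Typical use in a renewal hook (certificate path is an assumption):
# stapling_ok "$(openssl x509 -in /path/to/cert.pem -noout -serial)" \
#   "$(openssl ocsp -respin /path/to/ocsp.response -resp_text -noverify)" \
#   || exit 1
```

Fetching a fresh OCSP response whenever the certificate file changes, and running this check before restarting nginx, keeps the stapled response and the served certificate in step.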


It can be legitimate for people to have multiple overlapping certs at the same time for the same name, for example for different devices or services.