OCSP stapling error in Firefox

My domain is: https://hakenandhaken.com/
I ran this command: Qualys test
It produced this output: OCSP Stapling invalid
My web server is (include version): Apache 2.4 / Litespeed 5.2.5
The operating system my web server runs on is (include version): Centos 7 with cPanel 68.0.30 / CloudLinux 7.4

This last week we have had numerous users state that OCSP stapling errors with SSL were stopping their sites loading within Mozilla Firefox, and on testing this can indeed be replicated. What's strange is that this issue does not seem to be happening with other LE-issued certs on the same hosting account/server, which leads me to believe there is an OCSP error somewhere at LE's end?

Testing with openssl, the server does show that stapling is enabled, therefore I'm not sure where else to look. Any help would be greatly appreciated.

Many Thanks,
Stewart.

Hi @kstewart,

If it were an error on LE's side you would see a lot of people complaining here ;).

It seems your server is sending an OCSP response, but the response is from January 29th (This Update: Jan 29 21:00:00 2018 GMT):

$ echo | openssl s_client -connect hakenandhaken.com:443 -servername hakenandhaken.com -status 2>/dev/null | awk '/OCSP Respo/,/---/'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jan 29 21:22:00 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 036742D3FED620CE82948B8BFC5CAF5E8714
    Cert Status: good
    This Update: Jan 29 21:00:00 2018 GMT
    Next Update: Feb  5 21:00:00 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         83:57:f6:da:84:b1:f2:a3:2e:6f:a5:8d:1e:66:b1:a6:b1:b3:
         8e:88:ef:da:eb:89:a5:de:62:e0:f2:97:29:6d:25:12:7d:9d:
         41:2f:2b:2e:70:46:6b:34:52:a5:43:93:01:77:30:5e:cb:5d:
         f0:da:be:94:c6:b2:1a:e9:40:32:11:ba:ba:09:d9:4b:72:b4:
         9c:a5:39:ed:03:18:d8:e1:af:df:2e:d0:8d:5a:55:d7:6c:39:
         4b:d8:21:d7:c1:0b:ab:7e:04:6a:62:9b:0e:30:b3:eb:8f:a8:
         b3:d4:13:d9:c3:50:ad:dd:1e:aa:33:27:43:9d:b6:4f:0b:43:
         24:50:5c:49:1c:dc:b6:48:f6:76:4b:5f:3b:bd:52:b5:e5:7e:
         e7:24:08:13:be:cd:e4:c8:2f:9b:c2:f2:0f:68:68:ed:d6:48:
         71:6e:06:17:05:70:f8:d0:3b:34:91:24:2d:8d:8c:6f:4c:21:
         e5:44:f8:95:67:ed:fb:8a:0f:6a:6b:9b:fb:2f:99:94:8e:ef:
         3e:4b:3b:cb:c3:1c:bd:02:9e:59:ca:6a:9f:09:f0:8c:01:17:
         ea:07:5f:40:6b:08:f4:b8:01:41:5e:c1:93:d1:0f:f2:eb:c9:
         55:32:47:16:90:8d:1d:a6:ce:3a:ec:94:ce:6c:1f:71:da:54:
         8e:f3:11:d5
======================================
---

For whatever reason, your Litespeed server is not getting a fresh OCSP Response.

1.- Check whether you can get an OCSP response for your cert from that server, because maybe it is a DNS, firewall or network issue... who knows :).

 openssl ocsp -no_nonce -issuer /path/to/chain.pem -cert /path/to/cert.pem -VAfile /path/to/chain.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host=ocsp.int-x3.letsencrypt.org

Replace /path/to/ with the right path to the cert.pem and chain.pem files for your domain hakenandhaken.com.

2.- You could try restarting Litespeed and, once done, browse your domain; then, after 30 seconds, try to reach it again to see whether your web server has refreshed the cached OCSP response.

Note: I'm talking about Litespeed because it seems to be your front end, but maybe the problem is on the Apache side...

3.- I can't see a must-staple policy in your cert, so you might be able to disable stapling on your web server... just in case. Also, I don't know whether it can be disabled or how to do it, as you are using cPanel and Litespeed and I've never used either of them.

Good luck,
sahsanu
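An added example, not code posted by either participant in this thread, that automates the check sahsanu did by hand: it runs `openssl s_client -status`, pulls the This Update / Next Update and Cert Status fields out of the stapled response, and reports whether the staple would still be accepted at a given time. The sample text is copied from the openssl output quoted above (signature omitted); the command-line host argument, the default port and the 5-minute clock-skew allowance are assumptions of this example.

```python
"""Check whether a server's stapled OCSP response is still valid.

Example written for this thread, not the poster's or Let's Encrypt's code.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Sample input: the stapled response quoted in the thread (signature omitted).
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jan 29 21:22:00 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 036742D3FED620CE82948B8BFC5CAF5E8714
    Cert Status: good
    This Update: Jan 29 21:00:00 2018 GMT
    Next Update: Feb  5 21:00:00 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
======================================
---
"""

# The fields of the openssl text dump we care about, one "Name: value" per line.
_FIELD = re.compile(
    r"^\s*(OCSP Response Status|Produced At|This Update|Next Update|Cert Status|Serial Number):\s*(.+?)\s*$",
    re.M,
)


def _parse_time(s):
    """openssl prints e.g. 'Feb  5 21:00:00 2018 GMT'; the zone is always GMT."""
    s = s.replace(" GMT", "")
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_stapled_response(text):
    """Return the interesting fields of the stapled response, or None if none was stapled."""
    if "OCSP Response Data:" not in text:
        return None  # s_client prints "OCSP response: no response sent" in that case
    # Same range as the awk filter in the thread: from the header to the "---" line.
    block = text.split("OCSP Response Data:", 1)[1].split("\n---", 1)[0]
    fields = dict(_FIELD.findall(block))
    return {
        "status": fields.get("OCSP Response Status", ""),
        "cert_status": fields.get("Cert Status", ""),
        "serial": fields.get("Serial Number", ""),
        "produced_at": _parse_time(fields["Produced At"]),
        "this_update": _parse_time(fields["This Update"]),
        "next_update": _parse_time(fields["Next Update"]) if "Next Update" in fields else None,
    }


def classify(resp, now=None, skew=timedelta(minutes=5)):
    """Say how a client will see the staple at time `now` (assumed skew: 5 minutes)."""
    now = now or datetime.now(timezone.utc)
    if resp is None:
        return "no-staple"
    if not resp["status"].startswith("successful"):
        return "responder-error"
    if resp["cert_status"] != "good":
        return resp["cert_status"]  # "revoked" or "unknown"
    if resp["this_update"] - skew > now:
        return "not-yet-valid"
    if resp["next_update"] is not None and resp["next_update"] + skew < now:
        return "expired"  # the condition in the thread: Next Update Feb 5, checked later
    return "fresh"


def fetch_stapled_text(host, port=443, timeout=15):
    """Run `openssl s_client -status` (the command from the thread) and return its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Live use (network required): python3 check_staple.py hakenandhaken.com
    host = sys.argv[1] if len(sys.argv) > 1 else "hakenandhaken.com"
    resp = parse_stapled_response(fetch_stapled_text(host))
    print(host, classify(resp), "next update:", resp and resp["next_update"])
```

Run it against the domain in the thread to see the verdict Firefox and Qualys are reacting to; against the sample text it reports "expired" for any time after Feb 5 21:05 2018 GMT and "fresh" between Jan 29 and Feb 5. A result of "no-staple" is a different problem from "expired": the first means stapling is off, the second means the server is serving a cached response it never refreshed.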
