website issue: 'ocsp response for cert missing' error code
Hi there,
My website sparticipant.dev.pivt.nl is having some issues on Firefox browsers (I'm seeing the issues with Firefox Version 76.0.1 (64-bit) on Windows).
When I navigate to my website, I get the following message:
Secure Connection Failed
An error occurred during a connection to sparticipant.dev.pivt.nl. The OCSP response does not include a status for the certificate being verified.
Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING.
I checked my website's cert and looking at OCSP_RESPONSE_DATA, I think a response is sent. I tried with Chrome and that works well.
What am I missing here?
Details below:
$ openssl s_client -connect sparticipant.dev.pivt.nl:443 -status
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = sparticipant.dev.pivt.nl
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: May 29 13:11:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 036F20B0259D13DB32A13163432445AB63B3
    Cert Status: good
    This Update: May 29 13:00:00 2020 GMT
    Next Update: Jun  5 13:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         77:ac:d1:00:24:f2:3b:d9:7e:88:5e:1b:9e:9b:67:f4:69:23:
         5b:ad:27:b6:04:be:2a:f4:16:c4:e9:2f:37:aa:82:4e:ac:40:
         1f:29:9b:b6:4d:9d:2a:4c:50:91:34:3b:9e:de:da:1d:c3:40:
         59:52:8b:88:8b:38:f0:3a:de:13:ef:be:e7:52:34:a6:f4:b9:
         38:51:a5:07:97:3d:f0:73:6e:27:4c:02:f0:32:f8:e2:9a:51:
         61:d1:13:f7:4d:fd:4d:64:da:2f:64:26:e9:bc:77:59:7a:c6:
         8a:98:7d:cb:8b:8b:c1:fa:7d:cf:36:e0:cc:a1:ec:43:88:a0:
         65:05:01:19:b7:f9:c5:35:82:a2:aa:89:c3:cf:48:15:e2:b5:
         2c:73:db:e5:84:1c:7c:66:e2:f6:69:d0:2a:94:1c:b8:14:e6:
         42:14:37:eb:8e:05:bd:d8:d4:11:f2:37:b8:04:b1:3c:95:c1:
         f4:4a:24:d1:26:93:8d:61:14:7e:15:96:a3:9d:78:ef:36:23:
         44:6a:b8:1f:c2:4a:fa:cf:bb:e5:fb:4d:92:9a:ff:af:e8:b9:
         bd:ed:00:a5:5f:c1:b1:c9:45:f3:35:de:0a:06:99:ae:86:4c:
         82:61:5d:0c:4c:1e:f8:bc:9d:6b:b1:1d:3e:ae:06:14:d1:85:
         1b:0f:77:49
======================================
---
Certificate chain
 0 s:CN = sparticipant.dev.pivt.nl
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgISA1nDVSw4hPqQn+90k0Mi5a5vMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA2MDExMTEwNThaFw0y
MDA4MzAxMTEwNThaMCMxITAfBgNVBAMTGHNwYXJ0aWNpcGFudC5kZXYucGl2dC5u
bDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOg1ep3zPYtoJenFdaJ0
GSVz4n8AUX4FoPd2MRlR+T82ujEMplSmJNdmomQGiwaCZ/MPTkz+NtPZ4trUmaIW
n674NHh/YQDkusYLUZ/OrOxdfrYkKZAYc2zNYHJZapMPCxryEbMLpAei6niiSxsE
jJ06gptrSA0bhqK6K5DaypzxrSeW1CzfeKdjtz7j5T2iNS/zp/pLL0woPDnn+znd
hMbG+5J49QN9ES8KoGUwZg8VE7kGSeSn45VWNb6SPtfAp/gVX0+MoMmGfG8+Aj70
EMFusMkb1dfrhpng8++n15f1zC6dXYpc2yUthhFcmVd7lWI1rpZKPi8Dqcp7R0EL
FWcCAwEAAaOCAm4wggJqMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUIvyG9zUz2qYm
Dl2cl4MQn6md4eswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYI
KwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0
c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0
c2VuY3J5cHQub3JnLzAjBgNVHREEHDAaghhzcGFydGljaXBhbnQuZGV2LnBpdnQu
bmwwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQC
BIH2BIHzAPEAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAXJv
ysI3AAAEAwBHMEUCIQDE9hIDVXxgV4q+8SfF0houQGl9BVEADGDKtrCRdKLbkwIg
MyBYVxtQePIEN3JBPaZwoFf/2F54MK6pQqA8wIm+3IIAdwCyHgXMi6LNiiBOh2b5
K7mKJSBna9r6cOeySVMt74uQXgAAAXJvysIKAAAEAwBIMEYCIQCsXZ6Qm4s/RIgS
qMJZ+OHoYu3VC32CwiEFcA1fye3YygIhAJxc1hi/lLIaQexU4y2dnyZcD8Raj4Us
WIjK/iqPhTNXMA0GCSqGSIb3DQEBCwUAA4IBAQBvef37hVDd5gb2v9JtkvmKokLr
1TgjlATI/Ik3vw36lt48GnFDHH4oI2bdZpYPPhpeIVGez6qwwW+dTqJkLksN93tm
HqMrYZ5y+QjnlQd2g+L5Jpt4/IJ/KVmb9ilkXQmIthNJ8Uqn1dR3ghTE2nx1wMgA
svPqwA7AG0quDrSByxegxctgRxY1kzMBtl1a24cxFJRF8nUZgD93VLdkwyD+RY8b
4r0R17B2pItXRrznRVShiiLIHNxAcXFk/40N3VEjhNmynCCwRJbeamE3p3IW10tf
FQhHXZcL1uh9e/P0ZRimB+n2GUVxnnaVJri8yic7KsQQNu283Kqn5BKFJ2Gq
-----END CERTIFICATE-----
subject=CN = sparticipant.dev.pivt.nl

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3592 bytes and written 428 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: AE047012B0EC95A71C8A50983574B93BCBBC4438B66AE7A79E4C9B4CF6804FD6
    Session-ID-ctx:
    Master-Key: C5BD7B3E6DB5EA3F723B4BA5A87C94923D2112E27832503C34DD11CE58949B5A692E7E2523CA9BBF38DD6098853FB682
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1591174506
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed
UPDATE June 5th 2020:
Somehow the issue resolved itself. I do not understand why, nor what was wrong in the first place. Any ideas as to the cause are still highly appreciated.
By Ludo
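The s_client output in the post already holds the comparison worth making, and it does not match: the stapled OCSP response (Produced At May 29, Next Update Jun 5) is for serial 036F20B0259D13DB32A13163432445AB63B3, but the PEM block under "Server certificate" decodes to serial 0359C3552C3884FA909FEF74934322E5AE6F with a notBefore of 2020-06-01, so the certificate was issued after the response was produced and the response cannot cover it. A staple that belongs to a previous certificate is exactly what Firefox rejects with MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, whereas Chrome discards an unusable staple and carries on; it also fits the problem clearing on its own around June 5, when that cached response expired, and reappearing whenever a certificate is swapped under a server whose stapling cache still holds the old response. The script below is an added example, not code from the thread, from Mozilla or from nginx: it extracts the serial named in the stapled OCSP response and the serial inside the served PEM certificate (via a minimal DER walk, no external libraries) from `openssl s_client -status` output and reports whether they agree. The embedded sample is constructed from the post's own output with the unrelated lines removed; the file name check_staple.py in the usage comment is an assumption.

```python
"""Added check (not from the post): does the stapled OCSP response name the
serial of the leaf certificate the server actually presents?"""
import base64
import re
import sys


def _tlv(der, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def leaf_serial_from_pem(pem):
    """Serial of an X.509 certificate as upper-case hex (DER bytes as-is).

    Walks Certificate -> tbsCertificate -> optional [0] version -> serialNumber.
    """
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                        # EXPLICIT [0] version present: skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return der[start:end].hex().upper()


def stapled_serial(s_client_output):
    """Serial named in the stapled OCSP response, or None if nothing was stapled."""
    m = re.search(r"Serial Number:\s*([0-9A-Fa-f]+)", s_client_output)
    return m.group(1).upper() if m else None


def check_staple(s_client_output):
    """Compare the stapled response's serial with the served leaf's serial."""
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                    s_client_output, re.S)
    if not pem:
        raise ValueError("no server certificate in s_client output")
    leaf = leaf_serial_from_pem(pem.group(0))
    stapled = stapled_serial(s_client_output)
    # Compare as integers so a DER sign byte (leading 00) cannot fake a mismatch.
    match = stapled is not None and int(stapled, 16) == int(leaf, 16)
    return {"stapled_serial": stapled, "leaf_serial": leaf, "match": match}


# Constructed sample: the OCSP block and certificate from the post, rest omitted.
SAMPLE = """\
OCSP Response Data:
    Produced At: May 29 13:11:00 2020 GMT
    Certificate ID:
      Serial Number: 036F20B0259D13DB32A13163432445AB63B3
    Cert Status: good
    Next Update: Jun  5 13:00:00 2020 GMT
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgISA1nDVSw4hPqQn+90k0Mi5a5vMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA2MDExMTEwNThaFw0y
MDA4MzAxMTEwNThaMCMxITAfBgNVBAMTGHNwYXJ0aWNpcGFudC5kZXYucGl2dC5u
bDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOg1ep3zPYtoJenFdaJ0
GSVz4n8AUX4FoPd2MRlR+T82ujEMplSmJNdmomQGiwaCZ/MPTkz+NtPZ4trUmaIW
n674NHh/YQDkusYLUZ/OrOxdfrYkKZAYc2zNYHJZapMPCxryEbMLpAei6niiSxsE
jJ06gptrSA0bhqK6K5DaypzxrSeW1CzfeKdjtz7j5T2iNS/zp/pLL0woPDnn+znd
hMbG+5J49QN9ES8KoGUwZg8VE7kGSeSn45VWNb6SPtfAp/gVX0+MoMmGfG8+Aj70
EMFusMkb1dfrhpng8++n15f1zC6dXYpc2yUthhFcmVd7lWI1rpZKPi8Dqcp7R0EL
FWcCAwEAAaOCAm4wggJqMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUIvyG9zUz2qYm
Dl2cl4MQn6md4eswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYI
KwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0
c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0
c2VuY3J5cHQub3JnLzAjBgNVHREEHDAaghhzcGFydGljaXBhbnQuZGV2LnBpdnQu
bmwwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQC
BIH2BIHzAPEAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAXJv
ysI3AAAEAwBHMEUCIQDE9hIDVXxgV4q+8SfF0houQGl9BVEADGDKtrCRdKLbkwIg
MyBYVxtQePIEN3JBPaZwoFf/2F54MK6pQqA8wIm+3IIAdwCyHgXMi6LNiiBOh2b5
K7mKJSBna9r6cOeySVMt74uQXgAAAXJvysIKAAAEAwBIMEYCIQCsXZ6Qm4s/RIgS
qMJZ+OHoYu3VC32CwiEFcA1fye3YygIhAJxc1hi/lLIaQexU4y2dnyZcD8Raj4Us
WIjK/iqPhTNXMA0GCSqGSIb3DQEBCwUAA4IBAQBvef37hVDd5gb2v9JtkvmKokLr
1TgjlATI/Ik3vw36lt48GnFDHH4oI2bdZpYPPhpeIVGez6qwwW+dTqJkLksN93tm
HqMrYZ5y+QjnlQd2g+L5Jpt4/IJ/KVmb9ilkXQmIthNJ8Uqn1dR3ghTE2nx1wMgA
svPqwA7AG0quDrSByxegxctgRxY1kzMBtl1a24cxFJRF8nUZgD93VLdkwyD+RY8b
4r0R17B2pItXRrznRVShiiLIHNxAcXFk/40N3VEjhNmynCCwRJbeamE3p3IW10tf
FQhHXZcL1uh9e/P0ZRimB+n2GUVxnnaVJri8yic7KsQQNu283Kqn5BKFJ2Gq
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Live use: openssl s_client -connect host:443 -status </dev/null | python3 check_staple.py
    print(check_staple(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE))
```

Run against the post's output it returns match False with the two serials shown above; a healthy server returns match True, and a server that staples nothing returns stapled_serial None, which is the state to expect right after stapling has been switched off. Running this once after every certificate rotation, from the same vantage point Firefox would use, catches a stale staple before users do.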
All replies (4)
Please ignore seekhelp's post - it's a scam!
The problem went away, and is now back at another domain name: https://portal.stag.pivt.nl/ The nginx setup is the same, and on Chrome this works, yet on Firefox it does not. Help is appreciated.
Cheers,
Ludo
The issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.
AMAN ARYAN said:
the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.
I did not disable OCSP on the server then. After some time the issue just went away, which I'm not comfortable with. This issue came back on other environments (clusters) when I updated my ingress settings with a new TLS certificate. For now I switched off OCSP stapling, as my team could not get their work done, but I now need to dig further into this. It is occurring more often now and I want to prevent our production setup from suffering the same (to me 'random') issues.
Any help or insight is very welcome, as I don't know what to do here. I did see some references to https://bugzilla.mozilla.org/show_bug.cgi?id=1489411 but that was 2 years ago and the bug was closed, so I'm assuming this is fixed in the latest Firefox release, right? edit: the hash algorithm is already sha1, so that bug does not apply to my case
By Ludo