
Firefox randomly does not receive certificate from websites I run. SEC_ERROR_OCSP_MALFORMED_RESPONSE is the error.

Good Afternoon,

I run a few docker containers that I have a reverse proxy setup with "letsencrypt" on some subdomains I own. Randomly, FF (both mobile and desktop) refuses to load those pages and returns a "SEC_ERROR_OCSP_MALFORMED_RESPONSE" error. I'm also not able to pull up the certificate at all. FF will randomly work just perfect with these sites however.

Also, when FF is unable to open these sites, every other browser I tried is able to. Other browsers that worked: IE, Edge, Safari, Samsung Browser, Chrome, Safari on iOS. I already tried to start FF in safe mode, to no avail.

I was also able to use this website: "https://check-your-website.server-daten.de" to check the certificate status, and everything came back green.

**Edit** I will add that I've deleted all the site data, gone through every single useful Google result page as well. My system date and time is also correct, as is the server I run.

Any help is appreciated. Thank you!

Modified by colt2

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

FredMcD
https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

Question owner

So, I think I have it figured out! In case anyone else comes across this post as lost as I was, I'll outline it below.

I have an unraid server running several docker containers through a reverse proxy using subdomains.

The behavior was that Firefox would pull the docker website randomly, but most of the time it would error out with the error listed in the title. All other browsers would work. Using FredMcD's second link I was able to go into Firefox's about:config and set "security.ssl.enable_ocsp_stapling" to false and it would work, but it made me feel less secure.

The actual fix, to fix the letsencrypt nginx reverse proxy was as follows. Go into your Unraid rootshare (a youtuber named spaceinvaderone has a two minute video on how to do this). Go to appdata -> letsencrypt -> nginx and open ssl.conf with a text editor.

Go down to this part in the text:

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 valid=30s; # Docker DNS Server

The line starting with "resolver" was set to something like "127.10.0.1" which doesn't actually resolve anything. I set it to "1.1.1.1" which is Cloudflare's DNS, and then Firefox started loading the site just fine!

I still have no idea why it would work randomly, but it's fixed now. Thanks FredMcD for setting me on the right path.

Welp, everything above this line did not fix it. It just broke again :(

Modified by colt2


Question owner

FredMcD said

https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

So I thought I had this fixed, but alas I am still getting the error. Gone through those links several times now, and the only solution is to go into about:config and turn off OCSP, which doesn't sound ideal.

Any other thoughts?

FredMcD

I called for more help.


Question owner

FredMcD said

I called for more help.

Ok, I appreciate that!

I've attached the certificate view from when it randomly works to this message.

cor-el

See also:
  • https://www.digicert.com/help/
  • https://www.digicert.com/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
  • https://www.google.com/search?sa=N&num=100&q=ssl_stapling_verify
  • https://certificate.revocationcheck.com/

Question owner

First URL gives me an error, but the last one gives me some more information. I will do some digging and report back. I really appreciate your response!


Question owner

Ok, so I am unfortunately still stuck on this. I have one website that tells me that I have OCSP stapling enabled:

https://globalsign.ssllabs.com/analyze.html

But the digicert.com/help link says I don't. However, following its SSL-support link I do have the intermediate certificate attached.


I have been through all of those URLs and a few others several times now, and nothing seems to be working. Although at this point I believe the issue to be with either Letsencrypt or nginx. I'm going to reach out to their communities and see if they have anything to say. Thanks!
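
Added example, not part of the original posts: the two checkers above disagree about stapling, and the earlier ssl.conf post turns on ssl_stapling, so one way to see what the server actually staples is to repeat the handshake with `openssl s_client -status` and classify each result. The function names, the sample output and the host name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP staple that `openssl s_client -status` reports.

# Reads s_client output on stdin and prints one verdict:
#   none | parse-error | good | not-good | no-handshake
classify_staple() {
    awk '
        /^OCSP response:/                      { seen = 1 }
        /^OCSP response: no response sent/     { v = "none" }
        /^OCSP response: response parse error/ { v = "parse-error" }
        /OCSP Response Status:/                { status = $4 }
        /Cert Status:/                         { cert = $3 }
        END {
            if (!seen) v = "no-handshake"
            else if (v == "")
                v = (status == "successful" && cert == "good") ? "good" : "not-good"
            print v
        }'
}

# Hypothetical helper: handshake COUNT times with HOST and tally the verdicts,
# because the thread describes the failure as intermittent.
probe() {
    host=$1; count=${2:-10}; i=0
    while [ "$i" -lt "$count" ]; do
        openssl s_client -connect "$host:443" -servername "$host" -status \
            </dev/null 2>/dev/null | classify_staple
        i=$((i + 1))
        sleep 1
    done | sort | uniq -c
}

# Constructed sample of s_client output carrying a valid staple (not a capture).
sample_good() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
EOF
}

# Usage: sh staple-check.sh sub.example.com 20   (host name is a placeholder)
if [ "$#" -gt 0 ]; then probe "$@"; fi
```

A mix of `none` and `good` across runs means the staple is only attached to some handshakes; `parse-error` means the stapled bytes did not decode as an OCSP response.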
