Try to rename the cert8.db file (cert8.db.old) and delete the cert_override.txt file in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored.

If that has helped to solve the problem then you can remove the renamed cert8.db.old file.

Firefox will automatically store intermediate certificates that servers send in the Certificate Manager for future use.

You can use this button to go to the current Firefox profile folder:

• Help -> Troubleshooting Information -> Profile Directory:
  Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder
• http://kb.mozillazine.org/Profile_folder_-_Firefox

Does this problem occur just on a particular website? It's not the kind of error you would expect to see on a lot of sites because it most likely indicates an error in how the certificates are being served.

We had a thread from the other day where the poster disabled OCSP stapling as a workaround for this error code. With stapling, Firefox accepts a file from the web server itself to validate its certificate rather than checking with the issuer directly. This is faster and more private. But if the web server sends a problematic verification, it will fail. If you find that is the problem with the site you're trying to visit, please let them know.

https://support.mozilla.org/questions/1148198

I cannot find the cert_override.txt file in the Firefox profile folder.

jscher2000: It has happened on a couple of websites now. Those same sites work using other browsers, and may work on the second or third try sometimes using FF. I'm not familar with this OCSP Stapling. How would I check to see it is disabled?

Hi JoBlow, please see the thread I linked to for the steps to enable or disable stapling.

jscher2000: I switched from enabled to disabled. www.foboko.com loaded, but loaded sluggishly. I can't remember the other site. Know of any I can test with?

JoBlow said

jscher2000: I switched from enabled to disabled. www.foboko.com loaded, but loaded sluggishly.

Hmm, I think StartCom / StartSSL was the issuer in the other thread, too. Maybe they are having a problem, or maybe something is a bit odd on the server side: after it failed in Firefox, I tried the site in Chrome for comparison, and then a few minutes later the site loaded in Firefox just fine. ???

That server has other configuration issues which undermine its security: https://www.ssllabs.com/ssltest/analyze.html?d=www.foboko.com

I can't remember the other site. Know of any I can test with?

Not that I can think of. It has been a rare problem here.

So is this a security issue I need be concerned with?

What would you advise?

I think it depends on your paranoia level.

For random browsing, I wouldn't bother trying to solve it and just move on to another site.

If you use it often, I suggest alerting the site to the problem to see whether they can find a solution on their side.

If you disable stapling but leave OCSP checks enabled, then Firefox will validate the certificate directly with the issuer. However, this is a privacy leak because the issuer knows that someone using Firefox at your IP address is visiting that secure site. Unfortunately, there doesn't appear to be a perfect solution...

Just an observation: I note the https site https://www.foboko.com/ is not secure according to this analysis

• https://www.ssllabs.com/ssltest/analyze.html?d=www.foboko.com

And includes error message

OCSP ERROR: Request failed with HTTP status: 502 http://ocsp.startssl.com 

This site uses OCSP stapling.

Here is how I have it setup right now. If you could look and advise. Thanks. (uploaded .png of about:config OCSP settings

Hi JoBlow, my understanding of those settings is that Firefox will not accept the OCSP verification from the web server and will instead check with the certificate issuer.