Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Error code: SEC_ERROR_OCSP_BAD_SIGNATURE on Some Websites

  • 12 replies
  • 1 has this problem
  • Last reply by jscher2000

more options

One of the techs at Bleepingcomputer suggested I contact you for this problem. They went through my computer for malware and gave me a clean bill of health. Tech said he knows it has something to do with certificates, and that he wasn't really an expert on FF. I have several addons that contain important data I would hate to lose. So I'm wondering if there is an easy way of doing this without reinstalling FF and all of the addons again, backing up and restoring data.

I'm using W10 and FF 64-bit. It's a Lenovo laptop.

All Replies (12)

more options

Try to rename the cert8.db file (cert8.db.old) and delete the cert_override.txt file in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored.

If that has helped to solve the problem then you can remove the renamed cert8.db.old file.

Firefox will automatically store intermediate certificates that servers send in the Certificate Manager for future use.

You can use this button to go to the current Firefox profile folder:

more options

Does this problem occur just on a particular website? It's not the kind of error you would expect to see on a lot of sites because it most likely indicates an error in how the certificates are being served.

We had a thread from the other day where the poster disabled OCSP stapling as a workaround for this error code. With stapling, Firefox accepts a file from the web server itself to validate its certificate rather than checking with the issuer directly. This is faster and more private. But if the web server sends a problematic verification, it will fail. If you find that is the problem with the site you're trying to visit, please let them know.

more options

I cannot find the cert_override.txt file in the Firefox profile folder.

more options

jscher2000: It has happened on a couple of websites now. Those same sites work using other browsers, and may work on the second or third try sometimes using FF. I'm not familar with this OCSP Stapling. How would I check to see it is disabled?

more options

Hi JoBlow, please see the thread I linked to for the steps to enable or disable stapling.

more options

jscher2000: I switched from enabled to disabled. loaded, but loaded sluggishly. I can't remember the other site. Know of any I can test with?

more options

JoBlow said

jscher2000: I switched from enabled to disabled. loaded, but loaded sluggishly.

Hmm, I think StartCom / StartSSL was the issuer in the other thread, too. Maybe they are having a problem, or maybe something is a bit odd on the server side: after it failed in Firefox, I tried the site in Chrome for comparison, and then a few minutes later the site loaded in Firefox just fine. ???

That server has other configuration issues which undermine its security:

I can't remember the other site. Know of any I can test with?

Not that I can think of. It has been a rare problem here.

more options

So is this a security issue I need be concerned with?

What would you advise?

more options

I think it depends on your paranoia level.

For random browsing, I wouldn't bother trying to solve it and just move on to another site.

If you use it often, I suggest alerting the site to the problem to see whether they can find a solution on their side.

If you disable stapling but leave OCSP checks enabled, then Firefox will validate the certificate directly with the issuer. However, this is a privacy leak because the issuer knows that someone using Firefox at your IP address is visiting that secure site. Unfortunately, there doesn't appear to be a perfect solution...

more options

Just an observation: I note the https site is not secure according to this analysis

And includes error message

OCSP ERROR: Request failed with HTTP status: 502 

This site uses OCSP stapling.

more options

Here is how I have it setup right now. If you could look and advise. Thanks. (uploaded .png of about:config OCSP settings

more options

Hi JoBlow, my understanding of those settings is that Firefox will not accept the OCSP verification from the web server and will instead check with the certificate issuer.