Yep, just today have started getting the same message on YouTube and Google (Aust) sites only. Other secure sites work fine. YT and Google work fine with Safari 11.0.2.

MacBook Pro, macOS 10.13.2, FF 57.0.4.

I've checked add-ons and disabled both Adblock Plus and Ghostery just in case, but makes no difference.

David S. said

Yep, just today have started getting the same message on YouTube and Google (Aust) sites only. Other secure sites work fine. YT and Google work fine with Safari 11.0.2. MacBook Pro, macOS 10.13.2, FF 57.0.4. I've checked add-ons and disabled both Adblock Plus and Ghostery just in case, but makes no difference.

Yeah forgot to mention this, but everything works fine in Safari for me too. So could it be that the problem is on Google's end? Or perhaps it's an issue with the latest Firefox update?

The first part of the certificate chain looks OK, but there is something weird with the GeoTrust Global CA certificate (3). This certificate would normally be a builtin root certificate, but in your case I see this issuer: Equifax Secure Certificate Authority

• Options/Preferences -> Privacy & Security -> Certificates: View Certificates -> Authorities

Try to rename the cert8.db file (cert8.db.old) and delete cert_override.txt in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored. Note that Firefox 58 will use an SQLite database named cert9.db.

If that has helped to solve the problem then you can remove the renamed cert8.db.old file.

Firefox will store intermediate certificates that a server sends in the Certificate Manager for future use.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

• Help -> Troubleshooting Information -> Profile Directory:
  Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder
• http://kb.mozillazine.org/Profile_folder_-_Firefox

1)
Subject C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
Issuer 	C=US, O=Google Inc, CN=Google Internet Authority G2

2)
Subject C=US, O=Google Inc, CN=Google Internet Authority G2
Issuer 	C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

3)
Subject C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Issuer 	C=US, O=Equifax, OU=Equifax Secure Certificate Authority

Thanks for the tip. I renamed cert8.db, deleted the cert_override.txt and restarted Firefox, but it didn't work. Though I do get a different error message now:

An error occurred during a connection to www.google.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR

Update: Now if I uncheck "Query OCSP responder servers to confirm the current validity of certificates" in Preferences->Privacy & Security, Google and Youtube load just fine... (I'm not convinced it's a good long-term solution to leave this feature off, but I have to admit that I'm a bit out of my depth here.)

Does the Browser Console give more detail about what is happening?

I see these messages in the Browser Console:

• POST http://clients1.google.com/ocsp [HTTP/1.1 404 Not Found 33ms]

Are all OCSP prefs default on the about:config page?

security.OCSP.enabled 0: disabled 1: OCSP fetches are done for both EV and DV certs 2: OCSP fetches are done for EV certs only

Yeah, renaming cert8.db and deleting cert_override.txt didn't work for me either. And ditto with unchecking "Query OCSP responder servers to confirm the current validity of certificates" - that fixes it, for the moment anyway.

I checked on a relative's MacBook with FF 57.0.4 and they're not having the problem - can get to YouTube and Google fine. FF 57.0.4 on my Win 10 system works fine also.

No, all my OCSP settings are not default. See attached. Surely security.OCSP.url being blank is a problem? I sure didn't change this (or any of the others).

Try to rename/remove SiteSecurityServiceState.txt

Can you inspect the certificate chain or is that not possible?

Try to open the Add Security Exception page via the location/address bar to check the details.

• chrome://pippki/content/exceptionDialog.xul

cor-el said

Does the Browser Console give more detail about what is happening? I see these messages in the Browser Console:

• POST http://clients1.google.com/ocsp [HTTP/1.1 404 Not Found 33ms]

Are all OCSP prefs default on the about:config page? security.OCSP.enabled 0: disabled 1: OCSP fetches are done for both EV and DV certs 2: OCSP fetches are done for EV certs only

So what I get from the browser console when I try to load Google is just this:

Error: Could not establish connection. Receiving end does not exist.

As for the prefs in about:config, I see that everything related to OCSP is set to default, EXCEPT security.OCSP.require which is marked modified and at the moment set to true, but I assume this has something to do with that option I checked/unchecked earlier?

cor-el said

Can you inspect the certificate chain or is that not possible?

No, with that latest OCSP error I'm not given the option to examine the certificate chain.

Update: Getting rid of SiteSecurityServiceState.txt didn't help either.

Renaming SiteSecurityServiceState.txt did not help.

I cannot inspect cert chain.

chrome://pippki/content/exceptionDialog.xul and entering www.youtube.com gives output attached.

Same here, with Google. 2 additional screenshots from when I click "View..."

Damn. Now I'm suddenly getting the error on my Win 10 Firefox too! Was fine earlier but now I just woke it up again and tried Google and YouTube and I get the same error as on the Mac.

This has to be a problem with the OCSP server surely?

Yes, this looks like a problem with the Google OCSP server

• https://certificate.revocationcheck.com/www.google.com

This OCSP response was cached at Jan 20, 2018 7:15:23 AM http://clients1.google.com/ocsp (POST) Unexpected HTTP response: 404 Not Found

Ok, thanks for all your effort on this . Until they fix it we'll just have to switch off OCSP certificate confirmation. Sigh.

That kinda sucks... anyway, thanks for your time cor-el.

David S. said

Ok, thanks for all your effort on this . Until they fix it we'll just have to switch off OCSP certificate confirmation.

You don't have to disable OCSP!

• security.OCSP.enabled = 1 (default setting) requires Firefox to check the cert with the OCSP server to make sure it hasn't been revoked

• security.ocsp.require determines what happens if the OCSP server does not respond
  • false (default setting) treats the cert as not revoked and you can connect normally
  • true treats the cert as revoked and prevents you from connecting

I suppose your choice depends on how often you expect to encounter a server with a revoked certificate and a nonresponsive OCSP server. I think the risk is low, but then, I may not be as adventurous in my browsing as you are.

The problem seems to have been fixed by Google now anyway, but thanks for the info on security.ocsp.require. I've no idea how/when/why I set that to 'true', but I must have at some point.