website issue: 'ocsp response for cert missing' error code

  • 4 replies
  • 1 has this problem
  • 34 views
  • Last reply by Ludo

Hi there,

My website sparticipant.dev.pivt.nl is having some issues on Firefox browsers (I'm seeing the issues with Firefox Version 76.0.1 (64-bits) on Windows).

When I navigate to my website, I get the following message:

   Secure Connection Failed
   An error occurred during a connection to sparticipant.dev.pivt.nl. 
   The OCSP response does not include a status for the certificate being verified.
   Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING.


I checked my website's cert and looking at OCSP_RESPONSE_DATA, I think a response is sent. I tried with Chrome and that works well. What am I missing here?

Details below:

   $ openssl s_client -connect sparticipant.dev.pivt.nl:443 -status
   CONNECTED(00000005)
   depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
   verify return:1
   depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   verify return:1
   depth=0 CN = sparticipant.dev.pivt.nl
   verify return:1
   OCSP response: 
   ======================================
   OCSP Response Data:
       OCSP Response Status: successful (0x0)
       Response Type: Basic OCSP Response
       Version: 1 (0x0)
       Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
       Produced At: May 29 13:11:00 2020 GMT
       Responses:
       Certificate ID:
         Hash Algorithm: sha1
         Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
         Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
         Serial Number: 036F20B0259D13DB32A13163432445AB63B3
       Cert Status: good
       This Update: May 29 13:00:00 2020 GMT
       Next Update: Jun  5 13:00:00 2020 GMT
       Signature Algorithm: sha256WithRSAEncryption
   ======================================
   ---
   Certificate chain
    0 s:CN = sparticipant.dev.pivt.nl
      i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
      i:O = Digital Signature Trust Co., CN = DST Root CA X3
   ---
   Server certificate
   subject=CN = sparticipant.dev.pivt.nl
   issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   ---
   No client certificate CA names sent
   Peer signing digest: SHA256
   Peer signature type: RSA-PSS
   Server Temp Key: X25519, 253 bits
   ---
   SSL handshake has read 3592 bytes and written 428 bytes
   Verification: OK
   ---
   New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
   Server public key is 2048 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   No ALPN negotiated
   SSL-Session:
       Protocol  : TLSv1.2
       Cipher    : ECDHE-RSA-AES128-GCM-SHA256
       Session-ID: AE047012B0EC95A71C8A50983574B93BCBBC4438B66AE7A79E4C9B4CF6804FD6
       Session-ID-ctx: 
       Master-Key: C5BD7B3E6DB5EA3F723B4BA5A87C94923D2112E27832503C34DD11CE58949B5A692E7E2523CA9BBF38DD6098853FB682
       PSK identity: None
       PSK identity hint: None
       SRP username: None
       Start Time: 1591174506
       Timeout   : 7200 (sec)
       Verify return code: 0 (ok)
       Extended master secret: yes
   ---
   closed


UPDATE June 5th 2020: Somehow the issue resolved itself. I do not understand why, nor what was wrong in the first place. Any ideas shared as to the cause are still highly appreciated.

Modified by Ludo
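
Firefox's error text says the stapled response carries no status for the certificate being verified, so one thing to check is whether the `Serial Number` in the stapled `Certificate ID` is the serial of the leaf certificate the server presents. The script below is an added example, not part of the thread, that makes that comparison from `openssl s_client -status` output; the function names and sample serials are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Serials below are constructed.

# Print each CertID serial in the OCSP section of `openssl s_client -status`
# output read from stdin; a response may carry more than one.
staple_serials() {
    awk '/OCSP Response Data:/   { in_ocsp = 1 }
         /^ *Certificate chain/  { in_ocsp = 0 }
         in_ocsp && /Serial Number:/ { print toupper($NF) }'
}

# Reduce "serial=0A1B..." (openssl x509 -noout -serial) or "0a:1b:..." to
# bare upper-case hex.
norm_serial() {
    printf '%s\n' "$1" | sed -e 's/^serial=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# check_staple <file with s_client output> <leaf serial>
check_staple() {
    leaf=$(norm_serial "$2")
    serials=$(staple_serials < "$1")
    if [ -z "$serials" ]; then
        echo NO_STAPLE            # "OCSP response: no response sent"
    elif printf '%s\n' "$serials" | grep -qxF -- "$leaf"; then
        echo MATCH
    else
        echo MISMATCH             # staple describes a different certificate
    fi
}

# Live check against a server; needs network access and the openssl CLI.
check_host() {
    out=$(mktemp)
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null >"$out" 2>/dev/null
    check_staple "$out" "$(openssl x509 -noout -serial <"$out")"
    rm -f "$out"
}

# Constructed, trimmed s_client output for an offline run.
sample_staple() {
    printf '%s\n' 'OCSP response:' 'OCSP Response Data:' \
        '    Certificate ID:' '      Hash Algorithm: sha1' \
        '      Serial Number: 03AA11BB22CC33DD44EE55FF' \
        '    Cert Status: good' '---' 'Certificate chain'
}

tmp=$(mktemp); sample_staple >"$tmp"
check_staple "$tmp" 'serial=03FF55EE44DD33CC22BB11AA'   # leaf after a renewal
rm -f "$tmp"
```

`MISMATCH` means the stapled response names a different serial than the served certificate, which is the condition the Firefox error message describes.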

All Replies (4)

Please ignore seekhelp's post - it's a scam!

Problem went away, and is now back at another domain name: https://portal.stag.pivt.nl/. The nginx setup is the same, and on Chrome this works, yet on Firefox it does not. Help is appreciated.

Cheers,

Ludo

The issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.

AMAN ARYAN said

the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.

I did not disable OCSP on the server then. After some time the issue just went away, which I'm not comfortable with. This issue got back on other environments (clusters), when I updated my ingress settings with a new TLS certificate as a result. For now I switched off OCSP stapling, as my team could not get their work done, but I now need to dig further on this. It is occurring more often now and I want to prevent our production setup from suffering the same (to me 'random') issues.

Any help or insight is very welcome, as I don't know what to do here. I did see some references to https://bugzilla.mozilla.org/show_bug.cgi?id=1489411 but that was 2 years ago and the bug was closed, so I'm assuming this is fixed in the latest Firefox release, right? Edit: hash algorithm is already sha1, so that bug does not apply to my case.

Modified by Ludo
