Firefox randomly does not receive certificate from websites I run. SEC_ERROR_OCSP_MALFORMED_RESPONSE is the error.

Good Afternoon,

I run a few docker containers that I have a reverse proxy setup with "letsencrypt" on some subdomains I own. Randomly, FF (both mobile and desktop) refuses to load those pages and returns a "SEC_ERROR_OCSP_MALFORMED_RESPONSE" error. I'm also not able to pull up the certificate at all. FF will randomly work just perfect with these sites however.

Also, when FF is unable to open these sites, every other browser I tried is able to. Other browsers that worked: IE, Edge, Safari, Samsung Browser, Chrome, Safari on iOS. I already tried to start FF in safe mode, to no avail.

I was also able to use this website: "https://check-your-website.server-daten.de" to check the certificate status, and everything came back green.

**Edit** I will add that I've deleted all the site data, gone through every single useful Google result page as well. My system date and time is also correct, as is the server I run.

Any help is appreciated. Thank you!

Modified by colt2 on

More system details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

FredMcD
  • Top 10 Contributor
4334 solutions 60966 answers

https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

Question owner

So, I think I have it figured out! In case anyone else comes across this post as lost as I was, I'll outline it below.

I have an unraid server running several docker containers through a reverse proxy using subdomains.

The behavior was that Firefox would pull the docker website randomly, but most of the time it would error out with the error listed in the title. All other browsers would work. Using FredMcD's second link I was able to go into Firefox's about:config and set "security.ssl.enable_ocsp_stapling" to false and it would work, but it made me feel less secure.

The actual fix, to fix the letsencrypt nginx reverse proxy was as follows. Go into your Unraid rootshare (a youtuber named spaceinvaderone has a two minute video on how to do this). Go to appdata -> letsencrypt -> nginx and open ssl.conf with a text editor.

Go down to this part in the text:

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 valid=30s; # Docker DNS Server

The line starting with "resolver" was set to something like "127.10.0.1" which doesn't actually resolve anything. I set it to "1.1.1.1" which is Cloudflare's DNS, and then Firefox started loading the site just fine!

I still have no idea why it would work randomly, but it's fixed now. Thanks FredMcD for setting me on the right path.

Welp, everything above this line did not fix it. It just broke again :(

Modified by colt2 on

Question owner

FredMcD said

https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

So I thought I had this fixed, but alas I am still getting the error. Gone through those links several times now, and the only solution is to go into about:config and turn off OCSP, which doesn't sound ideal.

Any other thoughts?

FredMcD
  • Top 10 Contributor
4334 solutions 60966 answers

Helpful Reply

I called for more help.

Question owner

FredMcD said

I called for more help.

Ok, I appreciate that!

I've attached the certificate view from when it randomly works to this message.

cor-el
  • Top 10 Contributor
  • Moderator
17763 solutions 160641 answers

Helpful Reply

See also:
  • https://www.digicert.com/help/
  • https://www.digicert.com/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
  • https://www.google.com/search?sa=N&num=100&q=ssl_stapling_verify
  • https://certificate.revocationcheck.com/

Question owner

First URL gives me an error, but the last one gives me some more information. I will do some digging and report back. I really appreciate your response!

Question owner

Ok, so I am unfortunately still stuck on this. I have one website that tells me that I have OCSP stapling enabled:

https://globalsign.ssllabs.com/analyze.html

But the digicert.com/help link says I don't. However, following its SSL-support link I do have the intermediate certificate attached.

I have been through all of those URLs and a few others several times now, and nothing seems to be working. Although at this point I believe the issue to be with either Letsencrypt or nginx. I'm going to reach out to their communities and see if they have anything to say. Thanks!
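
Added example, not part of the thread: when two online checkers disagree about stapling and the browser error comes and goes, one way to see what the server actually staples is to repeat the handshake with `openssl s_client -status` and tally the results. The function names, the result labels and the sample outputs are constructed for this illustration; the matched strings are the ones `openssl s_client` prints.

```shell
#!/bin/sh
# Classify the stapling section of `openssl s_client -status` output (stdin).
# Prints one word: none | good | revoked | bad | error
classify_staple() {
    out=$(cat)
    case "$out" in
        *"OCSP response:"*) ;;
        *) echo error; return ;;   # no status section: handshake did not complete
    esac
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return ;;
        *"OCSP Response Status: successful"*) ;;
        *) echo bad; return ;;     # stapled, but unparsable or not successful
    esac
    case "$out" in
        *"Cert Status: good"*)    echo good ;;
        *"Cert Status: revoked"*) echo revoked ;;
        *)                        echo bad ;;
    esac
}

# Handshake with HOST a number of times (default 10) and count each outcome.
probe_staple() {
    host=$1; n=${2:-10}; i=0
    while [ "$i" -lt "$n" ]; do
        openssl s_client -connect "$host:443" -servername "$host" -status \
            </dev/null 2>/dev/null | classify_staple
        i=$((i + 1))
        sleep 1
    done | sort | uniq -c
}

# Constructed sample outputs, trimmed to the lines the classifier reads.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_PARSE_ERROR='CONNECTED(00000003)
OCSP response: response parse error
---'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
---'
```

Run as `probe_staple sub.example.com 20` (hypothetical host); a mix of `none` and `good` lines in the tally shows the staple is only present on some handshakes.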
