Cuireadh an snáithe seo sa chartlann. Cuir ceist nua má tá cabhair uait.
The OCSP server has no status for the certificate
Starting just today, whenever I try to access www.fanfiction.net, I'm getting this error message from FF:-
" Secure Connection Failed An error occurred during a connection to www.fanfiction.net. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert) "
I've already tried deleting the Cert8.db and Secmod.db, and uncheck both of OCSP option in Advance Settings. Neither works. The site can be accessed fine from any other browser so this is definitely Firefox issue.
Need advice on how to fix this ASAP.
the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.Read this answer in context 👍 1
All Replies (15)
hello, i can certainly replicate this issue. my guess is that the site is currently implementing measures against the recently published widespread vulnerability that allows webservers with a certain version of openssl running on them to be exploited (heartbleed.com) & is switching their certificate.
an advanced security feature in firefox is picking up this change as the site doesn't seem to be fully updated for this new certificate yet. you can temporarily work around the issue:
enter about:config into the firefox address bar (confirm the info message in case it shows up) & search for the preference named security.ssl.enable_ocsp_stapling. double-click it and change its value to false.
it is important however, that after a bit of time when the issue gets resolved by the site (maybe try again in 24 hours), you go back and switch the setting to "true" again!
IE8 shows the certificate was issued today before 11:00am, so very fresh.
I'm not sure why the OCSP server is sending a response that Firefox thinks is not valid but which IE8 finds acceptable. I can't find a good way to test that function independently.
Athraithe ag jscher2000 ar
hey jscher2000, the details of the stapling mechanism are described at https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.
I have the same problem - Tech support sites at NETGEAR.. " An error occurred during a connection to my.netgear.com. Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert) " Can I work around this?
Hi PlasticChevy, have you successfully accessed this site before in Firefox or was this your first visit?
I'm not getting the error on that site at the moment.
Are you updated to Firefox 29.0.1, in case this is a bug in Firefox 28?
Hi, Have used this site in the past with Firefox - previously about 4 months ago with FF. The site still works with US Internet Explorer -
Am running FF Ver 30. now.. Had the problem since V28, and 29 - was hoping it would get fixed.
The my.netgear.com site works for me with Firefox 29 on Linux, so this must be an issue on your side.
You can check the connection settings.
- Tools > Options > Advanced > Network : Connection > Settings
If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly.
See "Firefox connection settings":
This problem seems to have reoccurred with Firefox 31. Attempting to access www.fanfiction.net with Firefox 31 gives the error "Invalid OCSP signing certificate in OCSP response". Firefox 30 on the same machine does not, neither does any other browser, having tried Opera, Chrome, and IE, all the latest versions.
This was under windows 7. Using an old windows XP laptop, again, FF 30 works, FF 31 gives the error. Interestingly, so does the latest version of FF for Android on a tablet, so it's at least consistent!
It may well be a problem with the certificate on www.fanfiction.net, but it looks to me (not an expert by any means) to be at least plausible, and the way other browsers on different OS's all work is a bit odd.
Any suggestions gratefully received.
Athraithe ag jetboat64 ar
Hi jetboat64, I get the same message on https://www.fanfiction.net/. When I checked using an online service, there was no problem with the OCSP response: https://www.ssllabs.com/ssltest/analyze.html?d=fanfiction.net.
Firefox 31 has a new security component that is stricter, but I don't know how that affects the OCSP function or how best to investigate the problem from here.
Hi MonteChristo, LogMeIn redirects me to https://secure.logmein.com/. Does that work any better for you?
Interestingly, www.logmein.com didn't work when I tried it a couple of hours ago, with the above error, but it now does and redirects as you mention. www.fanfiction.net is still not working. Possibly there is something on the server side that needs changing and logmein are faster off the mark?
Still odd the way it broke with FF31, though.
That could be a problem with the usage of libPKIX in the Firefox 31 and later releases.
It is possible to disable this new feature by disabling libPKIX support, but this is not recommended for security and vulnerability reasons.
- about:config page: security.use_mozillapkix_verification = false
It is possible that the website will fix this issue shortly, so make sure to check regularly if this workaround is still required by resetting the pref and see if it works. You may have to reload and bypass the cache via Ctrl+F5.
You can contact the website and bring this article under their attention: "Behavior Changes" and "Things for CAs to Fix":
It seems fanfiction.net must have gotten their certificate problem fixed. I can suddenly load the site with no problems now.
I really hate intermittent problems!
BTW, turning off security.ssl.enable_ocsp_stapling worked, also. But I installed a clean version of 31.0 on a new laptop this afternoon, and the fanfiction site worked fine without my having to turn it off.
so I went back to the desktop machine and turned ocsp stapling back on, and it is working fine.
Thanks to whoever fixed this...