
Support Forum

Firefox randomly does not receive certificate from websites I run. SEC_ERROR_OCSP_MALFORMED_RESPONSE is the error.


Good Afternoon,

I run a few docker containers that I have a reverse proxy setup with "letsencrypt" on some subdomains I own. Randomly, FF (both mobile and desktop) refuses to load those pages and returns a "SEC_ERROR_OCSP_MALFORMED_RESPONSE" error. I'm also not able to pull up the certificate at all. FF will randomly work just perfect with these sites however.

Also, when FF is unable to open these sites, every other browser I tried is able to. Other browsers that worked, IE, Edge, Safari, Samsung Browser, Chrome, Safari on iOS. I already tried to start FF in safe mode, to no avail.

I was also able to use this website: "https://check-your-website.server-daten.de" to check the certificate status, and everything came back green.

**Edit** I will add that I've deleted all the site data, gone through every single useful Google result page as well. My system date and time is also correct, as is the server I run.

Any help is appreciated. Thank you!


Edited by colt2


Additional system details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

FredMcD
  • Top 10 Contributor
4344 solutions 61109 answers
https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

Question owner

So, I think I have it figured out! In case anyone else comes across this post as lost as I was. I'll outline it below.

I have an unraid server running several docker containers through a reverse proxy using subdomains.

The behavior was that Firefox would pull the docker website randomly, but most of the time it would error out with the error listed in the title. All other browsers would work. Using FredMcD's second link I was able to go into Firefox's about:config and set "security.ssl.enable_ocsp_stapling" to false and it would work, but it made me feel less secure.

The actual fix, to fix the letsencrypt nginx reverse proxy was as follows. Go into your Unraid rootshare (a youtuber named spaceinvaderone has a two minute video on how to do this). Go to appdata -> letsencrypt -> nginx and open ssl.conf with a text editor.

Go down to this part in the text:

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 valid=30s; # Docker DNS Server

The line starting with "resolver" was set to something like "127.10.0.1" which doesn't actually resolve anything. I set it to "1.1.1.1" which is Cloudflare's DNS, and then Firefox started loading the site just fine!

I still have no idea why it would work randomly, but it's fixed now. Thanks FredMcD for setting me on the right path.

Welp, everything above this line did not fix it. It just broke again :(


Edited by colt2


Question owner

FredMcD said

https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

So I thought I had this fixed, but alas I am still getting the error. Gone through those links several times now, and the only solution is to go into about:config and turn off OCSP, which doesn't sound ideal.

Any other thoughts?

FredMcD
  • Top 10 Contributor
4344 solutions 61109 answers

Helpful reply

I called for more help.


Question owner

FredMcD said

I called for more help.

Ok, I appreciate that!

I've attached the certificate view from when it randomly works to this message.

cor-el
  • Top 10 Contributor
  • Moderator
17777 solutions 160795 answers

Helpful reply

See also:

  • https://www.digicert.com/help/
  • https://www.digicert.com/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
  • https://www.google.com/search?sa=N&num=100&q=ssl_stapling_verify
  • https://certificate.revocationcheck.com/

Question owner

First URL gives me an error, but the last one gives me some more information. I will do some digging and report back. I really appreciate your response!


Question owner

Ok, so I am unfortunately still stuck on this. I have one website that tells me that I have OCSP stapling enabled:

https://globalsign.ssllabs.com/analyze.html

But the digicert.com/help link says I don't. However, following its SSL-support link I do have the intermediate certificate attached.

I have been through all of those URLs and a few others several times now, and nothing seems to be working. Although at this point I believe the issue to be with either Letsencrypt or nginx. I'm going to reach out to their communities and see if they have anything to say. Thanks!

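When online checkers disagree about whether stapling is enabled, the stapled response can be inspected directly from the TLS handshake. The script below is an added example, not part of the thread: it classifies the OCSP section printed by "openssl s_client -status" and can repeat the handshake to show intermittent behaviour. The function names and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the OCSP section that
# `openssl s_client -status` prints, reading s_client output on stdin.
classify_staple() {
    awk '
        /OCSP response: no response sent/      { r = "no-staple" }
        /OCSP response: response parse error/  { r = "parse-error" }
        /OCSP Response Status:/ { r = ($4 == "successful") ? "stapled" : "ocsp-error:" $4 }
        /Cert Status:/ && r == "stapled"       { r = "stapled-" $3 }
        END { print (r == "" ? "no-ocsp-section" : r) }
    '
}

# probe HOST [COUNT]: handshake COUNT times (default 10) and tally the results.
# Needs network access; HOST is a server you operate.
probe() {
    host=$1; n=${2:-10}; i=0
    while [ "$i" -lt "$n" ]; do
        openssl s_client -connect "$host:443" -servername "$host" -status \
            </dev/null 2>/dev/null | classify_staple
        i=$((i + 1)); sleep 1
    done | sort | uniq -c
}

# Constructed s_client excerpts so the classifier can be exercised offline.
sample_good() { cat <<'EOF'
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
EOF
}
sample_none() { printf 'CONNECTED(00000003)\nOCSP response: no response sent\n'; }
sample_trylater() { printf '    OCSP Response Status: trylater (0x3)\n'; }

if [ $# -gt 0 ]; then
    probe "$@"
else
    for s in sample_good sample_none sample_trylater; do
        printf '%s -> %s\n' "$s" "$("$s" | classify_staple)"
    done
fi
```

Run with a hostname argument, the script tallies ten live handshakes; a mix of results across runs shows that what the server staples varies from one connection to the next.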