X
Tik hier voor de mobiele versie van de website.

Ondersteuningsforum

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

The OCSP server has no status for the certificate

Geplaatst

Starting just today, whenever I try to access www.fanfiction.net, I'm getting this error message from FF:-

" Secure Connection Failed An error occurred during a connection to www.fanfiction.net. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert) "

I've already tried deleting the Cert8.db and Secmod.db, and uncheck both of OCSP option in Advance Settings. Neither works. The site can be accessed fine from any other browser so this is definitely Firefox issue.

Need advice on how to fix this ASAP.

Starting just today, whenever I try to access www.fanfiction.net, I'm getting this error message from FF:- " Secure Connection Failed An error occurred during a connection to www.fanfiction.net. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert) " I've already tried deleting the Cert8.db and Secmod.db, and uncheck both of OCSP option in Advance Settings. Neither works. The site can be accessed fine from any other browser so this is definitely Firefox issue. Need advice on how to fix this ASAP.

Gekozen oplossing

the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.

Dit antwoord in context lezen 1

Aanvullende systeemdetails

Geïnstalleerde plug-ins

  • Google Update
  • Version 5.2.4.18058
  • Shockwave Flash 12.0 r0
  • Nexon Game Controller
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • 5.1.30214.0
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.06
  • Unity Player 4.3.2f1
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Adobe Shockwave for Director Netscape plug-in, version 12.0.3.133
  • Adobe PDF Plug-In For Firefox and Netscape "9.5.5"
  • Next Generation Java Plug-in 10.5.1 for Mozilla browsers
  • Spoon Plugin 3.33
  • Yahoo Application State Plugin version 1.0.0.7
  • Windows Activation Technologies Plugin for Mozilla
  • Plug-in for detecting Nero Kwik Media.
  • NPWLPG
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers

Toepassing

  • Firefox 28.0
  • Useragent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0
  • Ondersteunings-URL: https://support.mozilla.org/1/firefox/28.0/WINNT/en-GB/

Extensies

  • Gmail Watcher 1.61 (gmailwatcher@sonthakit)
  • LastPass 2.5.0 (support@lastpass.com)
  • Lightshot (screenshot tool) 3.1.0 ({394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B})
  • Mozilla Archive Format 2.0.9 ({7f57cf46-4467-4c2d-adfa-0cba7c507e54})
  • NoScript 2.6.6.2 ({73a6fe31-595d-460b-a920-fcc0f8843232})
  • Omnibar 0.7.19.20130418 (omnibar@ajitk.com)
  • Session Manager 0.8.0.6 ({1280606b-2510-4fe0-97ef-9b5a22eafe30})
  • Stylish 1.3.2 ({46551EC9-40F0-4e47-8E18-8E5CF550CFB8})
  • Tab Wheel Scroll 20110909 (tabscroll@mthamil)
  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • Xmarks 4.2.1 (foxmarks@kei.com)
  • Awesome screenshot: Capture and Annotate 2.4.1 (jid0-GXjLLfbCoAx0LcltEdFrEkQdQPI@jetpack) (Inactief)
  • Download Statusbar 0.9.10 ({D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}) (Inactief)
  • Hotspot Shield Extension 3.19 (afext@anchorfree.com) (Inactief)
  • Readability 2.4 (readability@readability.com) (Inactief)

Javascript

  • incrementalGCEnabled: True

Grafisch

  • adapterDescription: NVIDIA GeForce GT 330M
  • adapterDescription2:
  • adapterDeviceID: 0x0a29
  • adapterDeviceID2:
  • adapterDrivers: nvd3dum nvwgf2um,nvwgf2um
  • adapterDrivers2:
  • adapterRAM: 1024
  • adapterRAM2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • clearTypeParameters: Gamma: 2200 Pixel Structure: R ClearType Level: 100 Enhanced Contrast: 200
  • direct2DEnabled: False
  • direct2DEnabledMessage: [u'']
  • directWriteEnabled: False
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 8-29-2013
  • driverDate2:
  • driverVersion: 9.18.13.2702
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'skia', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'cairo', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 0
  • numAcceleratedWindowsMessage: [u'']
  • numTotalWindows: 1
  • webglRenderer: Google Inc. -- ANGLE (NVIDIA GeForce GT 330M Direct3D9Ex vs_3_0 ps_3_0)
  • windowLayerManagerRemote: False
  • windowLayerManagerType: Basic

Aangepaste voorkeuren

  • accessibility.typeaheadfind.flashBar: 0
  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.places.smartBookmarksVersion: 6
  • browser.search.useDBForOrder: True
  • browser.sessionstore.upgradeBackup.latestBuildID: 20140314220517
  • browser.startup.homepage: about:home
  • browser.startup.homepage_override.buildID: 20140314220517
  • browser.startup.homepage_override.mstone: 28.0
  • dom.max_chrome_script_run_time: 40
  • dom.max_script_run_time: 40
  • dom.mozApps.used: True
  • dom.w3c_touch_events.expose: False
  • extensions.lastAppVersion: 28.0
  • font.internaluseonly.changed: False
  • font.language.group: th
  • general.autoScroll: False
  • gfx.direct2d.disabled: True
  • layers.acceleration.disabled: True
  • network.cookie.cookieBehavior: 1
  • network.cookie.prefsMigrated: True
  • places.database.lastMaintenance: 1397070513
  • places.history.expiration.transient_current_max_pages: 90297
  • places.history.expiration.transient_optimal_database_size: 144475094
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: True
  • plugin.state.npystate: 1
  • privacy.sanitize.migrateFx3Prefs: True
  • security.disable_button.openDeviceManager: False
  • security.OCSP.enabled: 0
  • security.warn_viewing_mixed: False
  • storage.vacuum.last.index: 1
  • storage.vacuum.last.places.sqlite: 1396084974

Div

  • User JS: nee
  • Toegankelijkheid: nee
philipp
  • Top 25 Contributor
  • Moderator
5339 oplossingen 23578 antwoorden

Nuttig antwoord

hello, i can certainly replicate this issue. my guess is that the site is currently implementing measures against the recently published widespread vulnerability that allows webservers with a certain version of openssl running on them to be exploited (heartbleed.com) & is switching their certificate.

an advanced security feature in firefox is picking up this change as the site doesn't seem to be fully updated for this new certificate yet. you can temporarily work around the issue:
enter about:config into the firefox address bar (confirm the info message in case it shows up) & search for the preference named security.ssl.enable_ocsp_stapling. double-click it and change its value to false.
it is important however, that after a bit of time when the issue gets resolved by the site (maybe try again in 24 hours), you go back and switch the setting to "true" again!

hello, i can certainly replicate this issue. my guess is that the site is currently implementing measures against the recently published widespread vulnerability that allows webservers with a certain version of openssl running on them to be exploited (heartbleed.com) & is switching their certificate. an advanced security feature in firefox is picking up this change as the site doesn't seem to be fully updated for this new certificate yet. you can temporarily work around the issue: <br>enter '''about:config''' into the firefox address bar (confirm the info message in case it shows up) & search for the preference named '''security.ssl.enable_ocsp_stapling'''. double-click it and change its value to '''false'''. <br>it is important however, that after a bit of time when the issue gets resolved by the site (maybe try again in 24 hours), you go back and switch the setting to "true" again!
jscher2000
  • Top 10 Contributor
8872 oplossingen 72576 antwoorden

IE8 shows the certificate was issued today before 11:00am, so very fresh.

I'm not sure why the OCSP server is sending a response that Firefox thinks is not valid but which IE8 finds acceptable. I can't find a good way to test that function independently.

IE8 shows the certificate was issued today before 11:00am, so very fresh. I'm not sure why the OCSP server is sending a response that Firefox thinks is not valid but which IE8 finds acceptable. I can't find a good way to test that function independently.

Bewerkt door jscher2000 op

philipp
  • Top 25 Contributor
  • Moderator
5339 oplossingen 23578 antwoorden

hey jscher2000, the details of the stapling mechanism are described at https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/

hey jscher2000, the details of the stapling mechanism are described at https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
philipp
  • Top 25 Contributor
  • Moderator
5339 oplossingen 23578 antwoorden

Gekozen oplossing

the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.

the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.
PlasticChevy 0 oplossingen 4 antwoorden

I have the same problem - Tech support sites at NETGEAR.. " An error occurred during a connection to my.netgear.com. Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert) " Can I work around this?

I have the same problem - Tech support sites at NETGEAR.. " An error occurred during a connection to my.netgear.com. Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert) " Can I work around this?
jscher2000
  • Top 10 Contributor
8872 oplossingen 72576 antwoorden

Hi PlasticChevy, have you successfully accessed this site before in Firefox or was this your first visit?

I'm not getting the error on that site at the moment.

Are you updated to Firefox 29.0.1, in case this is a bug in Firefox 28?

Hi PlasticChevy, have you successfully accessed this site before in Firefox or was this your first visit? I'm not getting the error on that site at the moment. Are you updated to Firefox 29.0.1, in case this is a bug in Firefox 28?
PlasticChevy 0 oplossingen 4 antwoorden

Hi, Have used this site in the past with Firefox - previously about 4 months ago with FF. The site still works with US Internet Explorer -

Am running FF Ver 30. now.. Had the problem since V28, and 29 - was hoping it would get fixed.

Hi, Have used this site in the past with Firefox - previously about 4 months ago with FF. The site still works with US Internet Explorer - Am running FF Ver 30. now.. Had the problem since V28, and 29 - was hoping it would get fixed.
cor-el
  • Top 10 Contributor
  • Moderator
17757 oplossingen 160593 antwoorden

The my.netgear.com site works for me with Firefox 29 on Linux, so this must be an issue on your side.

The Live Http Headers extension shows some requests to evsecure-ocsp.thawte.com and to ocsp.thawte.com

You can check the connection settings.

If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly.

See "Firefox connection settings":

The my.netgear.com site works for me with Firefox 29 on Linux, so this must be an issue on your side. The Live Http Headers extension shows some requests to evsecure-ocsp.thawte.com and to ocsp.thawte.com *https://addons.mozilla.org/firefox/addon/live-http-headers/ You can check the connection settings. *Tools > Options > Advanced > Network : Connection > Settings *https://support.mozilla.org/kb/Options+window+-+Advanced+panel If you do not need to use a proxy to connect to internet then try to select "No Proxy" if "Use the system proxy settings" or one of the others do not work properly. See "Firefox connection settings": *https://support.mozilla.org/kb/Firefox+cannot+load+websites+but+other+programs+can
jetboat64 0 oplossingen 2 antwoorden

Nuttig antwoord

This problem seems to have reoccurred with Firefox 31. Attempting to access www.fanfiction.net with Firefox 31 gives the error "Invalid OCSP signing certificate in OCSP response". Firefox 30 on the same machine does not, neither does any other browser, having tried Opera, Chrome, and IE, all the latest versions.

This was under windows 7. Using an old windows XP laptop, again, FF 30 works, FF 31 gives the error. Interestingly, so does the latest version of FF for Android on a tablet, so it's at least consistent!

It may well be a problem with the certificate on www.fanfiction.net, but it looks to me (not an expert by any means) to be at least plausible, and the way other browsers on different OS's all work is a bit odd.

Any suggestions gratefully received.

This problem seems to have reoccurred with Firefox 31. Attempting to access www.fanfiction.net with Firefox 31 gives the error "Invalid OCSP signing certificate in OCSP response". Firefox 30 on the same machine does not, neither does any other browser, having tried Opera, Chrome, and IE, all the latest versions. This was under windows 7. Using an old windows XP laptop, again, FF 30 works, FF 31 gives the error. Interestingly, so does the latest version of FF for Android on a tablet, so it's at least consistent! It may well be a problem with the certificate on www.fanfiction.net, but it looks to me (not an expert by any means) to be at least plausible, and the way other browsers on different OS's all work is a bit odd. Any suggestions gratefully received.

Bewerkt door jetboat64 op

MonteChristo 0 oplossingen 2 antwoorden

www.logmein.com has the same problem under FF 31.

www.logmein.com has the same problem under FF 31.
jscher2000
  • Top 10 Contributor
8872 oplossingen 72576 antwoorden

Hi jetboat64, I get the same message on https://www.fanfiction.net/. When I checked using an online service, there was no problem with the OCSP response: https://www.ssllabs.com/ssltest/analyze.html?d=fanfiction.net.

Firefox 31 has a new security component that is stricter, but I don't know how that affects the OCSP function or how best to investigate the problem from here.

Hi MonteChristo, LogMeIn redirects me to https://secure.logmein.com/. Does that work any better for you?

Hi jetboat64, I get the same message on [https://www.fanfiction.net/]. When I checked using an online service, there was no problem with the OCSP response: [https://www.ssllabs.com/ssltest/analyze.html?d=fanfiction.net]. Firefox 31 has a new security component that is stricter, but I don't know how that affects the OCSP function or how best to investigate the problem from here. Hi MonteChristo, LogMeIn redirects me to [https://secure.logmein.com/]. Does that work any better for you?
jetboat64 0 oplossingen 2 antwoorden

Interestingly, www.logmein.com didn't work when I tried it a couple of hours ago, with the above error, but it now does and redirects as you mention. www.fanfiction.net is still not working. Possibly there is something on the server side that needs changing and logmein are faster off the mark?

Still odd the way it broke with FF31, though.

Interestingly, www.logmein.com didn't work when I tried it a couple of hours ago, with the above error, but it now does and redirects as you mention. www.fanfiction.net is still not working. Possibly there is something on the server side that needs changing and logmein are faster off the mark? Still odd the way it broke with FF31, though.
cor-el
  • Top 10 Contributor
  • Moderator
17757 oplossingen 160593 antwoorden

That could be a problem with the usage of libPKIX in the Firefox 31 and later releases.

It is possible to disable this new feature by disabling libPKIX support, but this is not recommended for security and vulnerability reasons.

  • about:config page: security.use_mozillapkix_verification = false

It is possible that the website will fix this issue shortly, so make sure to check regularly if this workaround is still required by resetting the pref and see if it works. You may have to reload and bypass the cache via Ctrl+F5.

You can contact the website and bring this article under their attention: "Behavior Changes" and "Things for CAs to Fix":

That could be a problem with the usage of libPKIX in the Firefox 31 and later releases. * https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/ It is possible to disable this new feature by disabling libPKIX support, but this is not recommended for security and vulnerability reasons. *<b>about:config</b> page: security.use_mozillapkix_verification = false It is possible that the website will fix this issue shortly, so make sure to check regularly if this workaround is still required by resetting the pref and see if it works. You may have to reload and bypass the cache via Ctrl+F5. You can contact the website and bring this article under their attention: "Behavior Changes" and "Things for CAs to Fix": * https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing
grrlgeek72 0 oplossingen 1 antwoorden

It seems fanfiction.net must have gotten their certificate problem fixed. I can suddenly load the site with no problems now.

I really hate intermittent problems!

BTW, turning off security.ssl.enable_ocsp_stapling worked, also. But I installed a clean version of 31.0 on a new laptop this afternoon, and the fanfiction site worked fine without my having to turn it off.

so I went back to the desktop machine and turned ocsp stapling back on, and it is working fine.

Thanks to whoever fixed this...

It seems fanfiction.net must have gotten their certificate problem fixed. I can suddenly load the site with no problems now. I really hate intermittent problems! BTW, turning off security.ssl.enable_ocsp_stapling worked, also. But I installed a clean version of 31.0 on a new laptop this afternoon, and the fanfiction site worked fine without my having to turn it off. so I went back to the desktop machine and turned ocsp stapling back on, and it is working fine. Thanks to whoever fixed this...
MonteChristo 0 oplossingen 2 antwoorden

I can confirm that www.LogMeIn.com is again operational in FF 31.

I can confirm that www.LogMeIn.com is again operational in FF 31.