
Support Forum

Firefox randomly does not receive certificate from websites I run. SEC_ERROR_OCSP_MALFORMED_RESPONSE is the error.


Good Afternoon,

I run a few docker containers that I have a reverse proxy setup with "letsencrypt" on some subdomains I own. Randomly, FF (both mobile and desktop) refuses to load those pages and returns a "SEC_ERROR_OCSP_MALFORMED_RESPONSE" error. I'm also not able to pull up the certificate at all. FF will randomly work just perfect with these sites however.

Also, when FF is unable to open these sites, every other browser I tried is able to. Other browsers that worked, IE, Edge, Safari, Samsung Browser, Chrome, Safari on iOS. I already tried to start FF in safe mode, to no avail.

I was also able to use this website: "https://check-your-website.server-daten.de" to check the certificate status, and everything came back green.

**Edit** I will add that I've deleted all the site data, gone through every single useful Google result page as well. My system date and time is also correct, as is the server I run.

Any help is appreciated. Thank you!


Modified by colt2


Additional system details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0


FredMcD
  • Top 10 Contributor
4346 solutions 61114 answers
https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

Question owner

So, I think I have it figured out! In case anyone else comes across this post as lost as I was. I'll outline it below.

I have an unraid server running several docker containers through a reverse proxy using subdomains.

The behavior was that Firefox would pull the docker website randomly, but most of the time it would error out with the error listed in the title. All other browsers would work. Using FredMcD's second link I was able to go into Firefox's about:config and set "security.ssl.enable_ocsp_stapling" to false and it would work, but it made me feel less secure.

The actual fix, to fix the letsencrypt nginx reverse proxy was as follows. Go into your Unraid rootshare (a youtuber named spaceinvaderone has a two minute video on how to do this). Go to appdata -> letsencrypt -> nginx and open ssl.conf with a text editor.

Go down to this part in the text:

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 valid=30s; # Docker DNS Server

The line starting with "resolver" was set to something like "127.10.0.1" which doesn't actually resolve anything. I set it to "1.1.1.1" which is Cloudflare's DNS, and then Firefox started loading the site just fine!

I still have no idea why it would work randomly, but it's fixed now. Thanks FredMcD for setting me on the right path.

Welp, everything above this line did not fix it. It just broke again :(


Modified by colt2


Question owner

FredMcD said

https://www.bing.com/search?q=SEC_ERROR_OCSP_MALFORMED_RESPONSE
https://superuser.com/questions/755755/sec-error-ocsp-server-error-when-trying-to-open-a-https-page

So I thought I had this fixed, but alas I am still getting the error. Gone through those links several times now, and the only solution is to go into about:config and turn off OCSP, which doesn't sound ideal.

Any other thoughts?

FredMcD
  • Top 10 Contributor
4346 solutions 61114 answers

Helpful reply

I called for more help.


Question owner

FredMcD said

I called for more help.

Ok, I appreciate that!

I've attached the certificate view from when it randomly works to this message.

cor-el
  • Top 10 Contributor
  • Moderator
17777 solutions 160812 answers

Helpful reply

See also:

  • https://www.digicert.com/help/
  • https://www.digicert.com/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
  • https://www.google.com/search?sa=N&num=100&q=ssl_stapling_verify
  • https://certificate.revocationcheck.com/

Question owner

First URL gives me an error, but the last one gives me some more information. I will do some digging and report back. I really appreciate your response!


Question owner

Ok, so I am unfortunately still stuck on this. I have one website that tells me that I have OCSP stapling enabled:

https://globalsign.ssllabs.com/analyze.html

But the digicert.com/help link says I don't. However, following its SSL-support link I do have the intermediate certificate attached.


I have been through all of those URLs and a few others several times now, and nothing seems to be working. Although at this point I believe the issue to be with either Letsencrypt or nginx. I'm going to reach out to their communities and see if they have anything to say. Thanks!

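A command-line check for the two things this thread keeps running into, the nginx `ssl_stapling` block and the online checkers that disagree about whether stapling is enabled. It is an added example, not written by any participant in the thread, and it classifies the OCSP staple that `openssl s_client -status` reports. The function names and the sample outputs are constructed for illustration; `check_host` assumes a hostname you operate.

```sh
#!/bin/sh
# Added example: classify the OCSP staple shown by `openssl s_client -status`.
# Prints: none | parse-error | status:<name> | <cert status> | no-output

classify_staple() {
  cs_out=$(cat)
  case $cs_out in
    *'OCSP response: no response sent'*)     echo none; return 0 ;;
    *'OCSP response: response parse error'*) echo parse-error; return 0 ;;
  esac
  cs_status=$(printf '%s\n' "$cs_out" |
    sed -n 's/^ *OCSP Response Status: \([a-z]*\).*/\1/p' | head -n 1)
  case $cs_status in
    '') echo no-output ;;
    successful)
      cs_cert=$(printf '%s\n' "$cs_out" |
        sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
      echo "${cs_cert:-no-cert-status}" ;;
    *) echo "status:$cs_status" ;;
  esac
}

# Probe a live server several times so intermittent stapling shows up as
# mixed results. Usage (hypothetical host): check_host sub.example.com 5
check_host() {
  ch_i=0
  while [ "$ch_i" -lt "${2:-5}" ]; do
    ch_i=$((ch_i + 1))
    printf 'attempt %s: ' "$ch_i"
    openssl s_client -connect "$1:443" -servername "$1" -status \
      </dev/null 2>/dev/null | classify_staple
    sleep 2
  done
}

# Constructed s_client excerpts (not captured from the poster's server).
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_TRYLATER='OCSP response:
OCSP Response Data:
    OCSP Response Status: trylater (0x3)'
SAMPLE_BAD='OCSP response: response parse error'

for sample in "$SAMPLE_NONE" "$SAMPLE_GOOD" "$SAMPLE_TRYLATER" "$SAMPLE_BAD"; do
  printf '%s\n' "$sample" | classify_staple
done
```

Running `check_host` against the proxy right after an nginx reload and again a minute later shows whether the staple is absent, unparseable, or a non-successful responder status on some attempts.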