website issue: 'ocsp response for cert missing' error code
Hi there,
My website sparticipant.dev.pivt.nl is having some issues on Firefox browsers (I'm seeing the issues with Firefox Version 76.0.1 (64-bits) on windows.
When I navigate to my website, I get the following message:
Secure Connection Failed
An error occurred during a connection to sparticipant.dev.pivt.nl. The OCSP response does not include a status for the certificate being verified.
Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING.
I checked my website's cert and looking at OCSP_RESPONSE_DATA, I think a response is sent. I tried with Chrome and that works well.
What am I missing here?
Details below:
$ openssl s_client -connect sparticipant.dev.pivt.nl:443 -status CONNECTED(00000005) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = sparticipant.dev.pivt.nl verify return:1 OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Produced At: May 29 13:11:00 2020 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial Number: 036F20B0259D13DB32A13163432445AB63B3 Cert Status: good This Update: May 29 13:00:00 2020 GMT Next Update: Jun 5 13:00:00 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
77:ac:d1:00:24:f2:3b:d9:7e:88:5e:1b:9e:9b:67:f4:69:23:
5b:ad:27:b6:04:be:2a:f4:16:c4:e9:2f:37:aa:82:4e:ac:40:
1f:29:9b:b6:4d:9d:2a:4c:50:91:34:3b:9e:de:da:1d:c3:40:
59:52:8b:88:8b:38:f0:3a:de:13:ef:be:e7:52:34:a6:f4:b9:
38:51:a5:07:97:3d:f0:73:6e:27:4c:02:f0:32:f8:e2:9a:51:
61:d1:13:f7:4d:fd:4d:64:da:2f:64:26:e9:bc:77:59:7a:c6:
8a:98:7d:cb:8b:8b:c1:fa:7d:cf:36:e0:cc:a1:ec:43:88:a0:
65:05:01:19:b7:f9:c5:35:82:a2:aa:89:c3:cf:48:15:e2:b5:
2c:73:db:e5:84:1c:7c:66:e2:f6:69:d0:2a:94:1c:b8:14:e6:
42:14:37:eb:8e:05:bd:d8:d4:11:f2:37:b8:04:b1:3c:95:c1:
f4:4a:24:d1:26:93:8d:61:14:7e:15:96:a3:9d:78:ef:36:23:
44:6a:b8:1f:c2:4a:fa:cf:bb:e5:fb:4d:92:9a:ff:af:e8:b9:
bd:ed:00:a5:5f:c1:b1:c9:45:f3:35:de:0a:06:99:ae:86:4c:
82:61:5d:0c:4c:1e:f8:bc:9d:6b:b1:1d:3e:ae:06:14:d1:85:
1b:0f:77:49
======================================
---
Certificate chain
0 s:CN = sparticipant.dev.pivt.nl
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgISA1nDVSw4hPqQn+90k0Mi5a5vMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA2MDExMTEwNThaFw0y
MDA4MzAxMTEwNThaMCMxITAfBgNVBAMTGHNwYXJ0aWNpcGFudC5kZXYucGl2dC5u
bDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOg1ep3zPYtoJenFdaJ0
GSVz4n8AUX4FoPd2MRlR+T82ujEMplSmJNdmomQGiwaCZ/MPTkz+NtPZ4trUmaIW
n674NHh/YQDkusYLUZ/OrOxdfrYkKZAYc2zNYHJZapMPCxryEbMLpAei6niiSxsE
jJ06gptrSA0bhqK6K5DaypzxrSeW1CzfeKdjtz7j5T2iNS/zp/pLL0woPDnn+znd
hMbG+5J49QN9ES8KoGUwZg8VE7kGSeSn45VWNb6SPtfAp/gVX0+MoMmGfG8+Aj70
EMFusMkb1dfrhpng8++n15f1zC6dXYpc2yUthhFcmVd7lWI1rpZKPi8Dqcp7R0EL
FWcCAwEAAaOCAm4wggJqMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUIvyG9zUz2qYm
Dl2cl4MQn6md4eswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYI
KwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0
c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0
c2VuY3J5cHQub3JnLzAjBgNVHREEHDAaghhzcGFydGljaXBhbnQuZGV2LnBpdnQu
bmwwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQC
BIH2BIHzAPEAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAXJv
ysI3AAAEAwBHMEUCIQDE9hIDVXxgV4q+8SfF0houQGl9BVEADGDKtrCRdKLbkwIg
MyBYVxtQePIEN3JBPaZwoFf/2F54MK6pQqA8wIm+3IIAdwCyHgXMi6LNiiBOh2b5
K7mKJSBna9r6cOeySVMt74uQXgAAAXJvysIKAAAEAwBIMEYCIQCsXZ6Qm4s/RIgS
qMJZ+OHoYu3VC32CwiEFcA1fye3YygIhAJxc1hi/lLIaQexU4y2dnyZcD8Raj4Us
WIjK/iqPhTNXMA0GCSqGSIb3DQEBCwUAA4IBAQBvef37hVDd5gb2v9JtkvmKokLr
1TgjlATI/Ik3vw36lt48GnFDHH4oI2bdZpYPPhpeIVGez6qwwW+dTqJkLksN93tm
HqMrYZ5y+QjnlQd2g+L5Jpt4/IJ/KVmb9ilkXQmIthNJ8Uqn1dR3ghTE2nx1wMgA
svPqwA7AG0quDrSByxegxctgRxY1kzMBtl1a24cxFJRF8nUZgD93VLdkwyD+RY8b
4r0R17B2pItXRrznRVShiiLIHNxAcXFk/40N3VEjhNmynCCwRJbeamE3p3IW10tf
FQhHXZcL1uh9e/P0ZRimB+n2GUVxnnaVJri8yic7KsQQNu283Kqn5BKFJ2Gq
-----END CERTIFICATE-----
subject=CN = sparticipant.dev.pivt.nl
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3592 bytes and written 428 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: AE047012B0EC95A71C8A50983574B93BCBBC4438B66AE7A79E4C9B4CF6804FD6
Session-ID-ctx:
Master-Key: C5BD7B3E6DB5EA3F723B4BA5A87C94923D2112E27832503C34DD11CE58949B5A692E7E2523CA9BBF38DD6098853FB682
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1591174506
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
UPDATE June 5th 2020:
Somehow the issue resolved itself, I do not understand why, nor what was wrong in the first place. Any ideas as to the cause shared are highly appreciated still
Hi there,
My website '''sparticipant.dev.pivt.nl''' is having some issues on Firefox browsers (I'm seeing the issues with Firefox Version 76.0.1 (64-bits) on windows.
When I navigate to my website, I get the following message:
Secure Connection Failed
An error occurred during a connection to sparticipant.dev.pivt.nl.
The OCSP response does not include a status for the certificate being verified.
Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING.
I checked my website's cert and looking at OCSP_RESPONSE_DATA, I think a response is sent. I tried with Chrome and that works well.
What am I missing here?
Details below:
$ openssl s_client -connect sparticipant.dev.pivt.nl:443 -status
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = sparticipant.dev.pivt.nl
verify return:1
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: May 29 13:11:00 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 036F20B0259D13DB32A13163432445AB63B3
Cert Status: good
This Update: May 29 13:00:00 2020 GMT
Next Update: Jun 5 13:00:00 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
77:ac:d1:00:24:f2:3b:d9:7e:88:5e:1b:9e:9b:67:f4:69:23:
5b:ad:27:b6:04:be:2a:f4:16:c4:e9:2f:37:aa:82:4e:ac:40:
1f:29:9b:b6:4d:9d:2a:4c:50:91:34:3b:9e:de:da:1d:c3:40:
59:52:8b:88:8b:38:f0:3a:de:13:ef:be:e7:52:34:a6:f4:b9:
38:51:a5:07:97:3d:f0:73:6e:27:4c:02:f0:32:f8:e2:9a:51:
61:d1:13:f7:4d:fd:4d:64:da:2f:64:26:e9:bc:77:59:7a:c6:
8a:98:7d:cb:8b:8b:c1:fa:7d:cf:36:e0:cc:a1:ec:43:88:a0:
65:05:01:19:b7:f9:c5:35:82:a2:aa:89:c3:cf:48:15:e2:b5:
2c:73:db:e5:84:1c:7c:66:e2:f6:69:d0:2a:94:1c:b8:14:e6:
42:14:37:eb:8e:05:bd:d8:d4:11:f2:37:b8:04:b1:3c:95:c1:
f4:4a:24:d1:26:93:8d:61:14:7e:15:96:a3:9d:78:ef:36:23:
44:6a:b8:1f:c2:4a:fa:cf:bb:e5:fb:4d:92:9a:ff:af:e8:b9:
bd:ed:00:a5:5f:c1:b1:c9:45:f3:35:de:0a:06:99:ae:86:4c:
82:61:5d:0c:4c:1e:f8:bc:9d:6b:b1:1d:3e:ae:06:14:d1:85:
1b:0f:77:49
======================================
---
Certificate chain
0 s:CN = sparticipant.dev.pivt.nl
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgISA1nDVSw4hPqQn+90k0Mi5a5vMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA2MDExMTEwNThaFw0y
MDA4MzAxMTEwNThaMCMxITAfBgNVBAMTGHNwYXJ0aWNpcGFudC5kZXYucGl2dC5u
bDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOg1ep3zPYtoJenFdaJ0
GSVz4n8AUX4FoPd2MRlR+T82ujEMplSmJNdmomQGiwaCZ/MPTkz+NtPZ4trUmaIW
n674NHh/YQDkusYLUZ/OrOxdfrYkKZAYc2zNYHJZapMPCxryEbMLpAei6niiSxsE
jJ06gptrSA0bhqK6K5DaypzxrSeW1CzfeKdjtz7j5T2iNS/zp/pLL0woPDnn+znd
hMbG+5J49QN9ES8KoGUwZg8VE7kGSeSn45VWNb6SPtfAp/gVX0+MoMmGfG8+Aj70
EMFusMkb1dfrhpng8++n15f1zC6dXYpc2yUthhFcmVd7lWI1rpZKPi8Dqcp7R0EL
FWcCAwEAAaOCAm4wggJqMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUIvyG9zUz2qYm
Dl2cl4MQn6md4eswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYI
KwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0
c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0
c2VuY3J5cHQub3JnLzAjBgNVHREEHDAaghhzcGFydGljaXBhbnQuZGV2LnBpdnQu
bmwwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQC
BIH2BIHzAPEAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAXJv
ysI3AAAEAwBHMEUCIQDE9hIDVXxgV4q+8SfF0houQGl9BVEADGDKtrCRdKLbkwIg
MyBYVxtQePIEN3JBPaZwoFf/2F54MK6pQqA8wIm+3IIAdwCyHgXMi6LNiiBOh2b5
K7mKJSBna9r6cOeySVMt74uQXgAAAXJvysIKAAAEAwBIMEYCIQCsXZ6Qm4s/RIgS
qMJZ+OHoYu3VC32CwiEFcA1fye3YygIhAJxc1hi/lLIaQexU4y2dnyZcD8Raj4Us
WIjK/iqPhTNXMA0GCSqGSIb3DQEBCwUAA4IBAQBvef37hVDd5gb2v9JtkvmKokLr
1TgjlATI/Ik3vw36lt48GnFDHH4oI2bdZpYPPhpeIVGez6qwwW+dTqJkLksN93tm
HqMrYZ5y+QjnlQd2g+L5Jpt4/IJ/KVmb9ilkXQmIthNJ8Uqn1dR3ghTE2nx1wMgA
svPqwA7AG0quDrSByxegxctgRxY1kzMBtl1a24cxFJRF8nUZgD93VLdkwyD+RY8b
4r0R17B2pItXRrznRVShiiLIHNxAcXFk/40N3VEjhNmynCCwRJbeamE3p3IW10tf
FQhHXZcL1uh9e/P0ZRimB+n2GUVxnnaVJri8yic7KsQQNu283Kqn5BKFJ2Gq
-----END CERTIFICATE-----
subject=CN = sparticipant.dev.pivt.nl
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3592 bytes and written 428 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: AE047012B0EC95A71C8A50983574B93BCBBC4438B66AE7A79E4C9B4CF6804FD6
Session-ID-ctx:
Master-Key: C5BD7B3E6DB5EA3F723B4BA5A87C94923D2112E27832503C34DD11CE58949B5A692E7E2523CA9BBF38DD6098853FB682
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1591174506
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
UPDATE June 5th 2020:
Somehow the issue resolved itself, I do not understand why, nor what was wrong in the first place. Any ideas as to the cause shared are highly appreciated still
Измењено од стране Ludo
Сви одговори (4)
Please ignore seekhelp's post - it's a scam !
Problem went away, and is now back at another domain name: https://portal.stag.pivt.nl/ nginx setup is the same, and on chrome this works, but yet on Firefox it does not. Help is appreciated.
Cheers,
Ludo
the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.
AMAN ARYAN said
the issue seems to have been fixed by the site already, so you can go ahead and set security.ssl.enable_ocsp_stapling back to true again.
I did not disable ocsp on the server then. After some the issue just went away, which I'm not comfortable with. This issue got back on other environments (clusters), when I updated my ingress settings with a new tls certificate as a result. For now I switched off ocsp stapling, as my team could not get their work done, but I now need to dig further on this. It is occurring more often now and I want to prevent our production setup from suffering the same (to me 'random') issues.
Any help or insight is very welcome, as I don't know what to do here. I did see some references to https://bugzilla.mozilla.org/show_bug.cgi?id=1489411 but that was 2 years ago and the bug was closed, so I'm assuming this si fixed in the latest firefox release, right? edit: hash algorithm is already sha1, so that bug does not apply to my case
Измењено од стране Ludo