Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

话题已存档。 如果需要帮助请提出新问题。

FF blocks one of my sites for faulty OCSP response but not other nearly identical site

  • 4 个回答
  • 1 人有此问题
  • 144 次查看
  • 最后回复者为 deOldphart

deOldphart
deOldphart
more options

I have two very similar websites built with Concrete5 CMS and with with Let's Encrypt SSL installed. WIthin the last week or so, one site began throwing the following error, "The OCSP response does not include a status for the certificate being verified." and not loading. The SSL certificate checks out fine (Grade A with Qualys SSL test as recommended by FF support page), and it does not happen with Safari or Chrome. It happens with FF 58 and 59 on several machines. It does not happen at all with my other web site. My hosting service says these sites are hosted on the same hardware and share the same Let's Encrypt installation. They think it is a FF issue.

I am stumped. Any help would be appreciated. Thanks.

Problem site: https://traditionalbamptonmorris.org.uk Okay similar site: http://charlburymorris.org.uk

I have two very similar websites built with Concrete5 CMS and with with Let's Encrypt SSL installed. WIthin the last week or so, one site began throwing the following error, "The OCSP response does not include a status for the certificate being verified." and not loading. The SSL certificate checks out fine (Grade A with Qualys SSL test as recommended by FF support page), and it does not happen with Safari or Chrome. It happens with FF 58 and 59 on several machines. It does not happen at all with my other web site. My hosting service says these sites are hosted on the same hardware and share the same Let's Encrypt installation. They think it is a FF issue. I am stumped. Any help would be appreciated. Thanks. Problem site: https://traditionalbamptonmorris.org.uk Okay similar site: http://charlburymorris.org.uk

被采纳的解决方案

OCSP response:

So you need to check the server of the first URL.

定位到答案原位置 👍 2

所有回复 (4)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

选择的解决方案

OCSP response:

So you need to check the server of the first URL.

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

If you haven't heard of OCSP Stapling before, it's when your server sends not only its certificate, and any intermediate certificates necessary to complete a chain of trust to a built-in certificate, but also an OCSP response showing the certificate has not been revoked. Then Firefox won't need to separately contact the certificate issuer's OCSP service.

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

See also:

deOldphart
deOldphart 提问者
more options

Thanks, cor-el. I passed that on to my ISP who quickly responded that they have put a temporary fix in place while they "investigate with LiteSpeed why servers running their web server are having an intermittent issue with OCSP stapling."

That SSL test site is very useful, but obviously it helps to know what to look for. Thanks again.

由deOldphart于修改