Closed
Bug 1151270
Opened 10 years ago
Closed 10 years ago
sec_error_ocsp_unknown_cert OCSP failures due to issues with StartCom OCSP responders
Categories
(Core :: Security: PSM, defect)
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox38 | --- | ? |
People
(Reporter: mdc, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
Build ID: 20150321194901

Steps to reproduce:
Visit https://mortonsolicitors.com/

Actual results:
OCSP error: The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

Expected results:
The website should load OK. The server seems unhacked as far as I can tell, and IE and Chrome load the site OK.
Updated•10 years ago
status-firefox38:
--- → ?
Component: Untriaged → Security
Comment 2•10 years ago
In case it's relevant, https://www.ssllabs.com/ssltest/analyze.html?d=mortonsolicitors.com:

> www.mortonsolicitors.com
> 1 Sent by server Fingerprint: 8cbf983cacc120c3d233fdf241518a4f23d61e82
> RSA 2048 bits (e 65537) / SHA256withRSA
> OCSP ERROR: OCSP response: Certificate unknown

... which is a StartCom cert.
Comment 3•10 years ago
There's a known problem with StartCom's OCSP responder returning "Unknown" for newly-issued certs (see bug 1006479), but that shouldn't apply to a cert apparently issued four months ago.

For a newly issued cert "unknown" probably means the cert issuing server hasn't updated the OCSP responder yet. For a months old cert it's an alarming response -- if you (the CA's OCSP responder) never heard of this cert is it fraudulent, stolen by a hacker? [Note, I'm not questioning your cert, I'm explaining the reasons some browsers consider "unknown" a bad response.]

If the StartCom server is having temporary trouble it would be better if they returned "tryLater" responses. If they've truly lost track of having issued your cert that's alarming.
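The difference between a responder-level "tryLater" and a per-certificate "unknown", discussed in Comment 3, is visible in the response bytes. The following is an added example, not code from Firefox, NSS or this bug: a standard-library DER walk following the RFC 6960 layout. The function names (`tlv`, `children`, `classify`, `der`, `sample`) are hypothetical, the sample responses are constructed and unsigned, and signature checking is out of scope.

```python
# Added example: classify OCSP responses by walking the DER (RFC 6960 layout).
RESPONDER_ERRORS = {1: "malformedRequest", 2: "internalError", 3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE tags

def tlv(buf, off=0):
    """Read one DER element: (tag, value, offset of the next element)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length

def children(buf):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, off = [], 0
    while off < len(buf):
        tag, val, off = tlv(buf, off)
        out.append((tag, val))
    return out

def classify(resp):
    """Responder-level error name, or the certStatus of the first SingleResponse."""
    outer = children(tlv(resp)[1])                  # OCSPResponse fields
    if (status := outer[0][1][0]) != 0:             # responseStatus ENUMERATED
        return RESPONDER_ERRORS.get(status, "invalid")
    rbytes = children(tlv(outer[1][1])[1])          # [0] EXPLICIT ResponseBytes
    basic = children(tlv(rbytes[1][1])[1])          # OCTET STRING -> BasicOCSPResponse
    responses = next(v for t, v in children(basic[0][1]) if t == 0x30)  # in ResponseData
    single = children(tlv(responses)[1])            # certID, certStatus, thisUpdate
    return CERT_STATUS.get(single[1][0], "invalid")

def der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed samples."""
    body = b"".join(parts)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample(status_tag):
    """Constructed response with one SingleResponse; hashes, serial, signature are dummies."""
    when, h = der(0x18, b"20150401000000Z"), der(0x04, bytes(20))
    cert_id = der(0x30, der(0x30, der(0x06, b"\x2b\x0e\x03\x02\x1a")), h, h, der(0x02, b"\x01"))
    tbs = der(0x30, der(0xA2, h), when, der(0x30, der(0x30, cert_id, der(status_tag), when)))
    basic = der(0x30, tbs, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")), der(0x03, b"\x00"))
    oid = der(0x06, b"\x2b\x06\x01\x05\x05\x07\x30\x01\x01")  # id-pkix-ocsp-basic
    return der(0x30, der(0x0A, b"\x00"), der(0xA0, der(0x30, oid, der(0x04, basic))))

TRY_LATER = der(0x30, der(0x0A, b"\x03"))  # whole response: 30 03 0a 01 03
```

A "tryLater" response carries no certificate data at all, while "unknown" arrives inside a `successful` response, which is why a client can treat the first as a responder outage and the second as a statement about the certificate.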
Comment 4•10 years ago
Due to a technical issue the OCSP responders failed to update - they are syncing again and this issue should resolve itself within the next few hours for you if it hasn't already. Make sure to restart your Firefox before trying again (since the unknown response is cached also).
Comment 6•10 years ago
Indeed, it looks like the OCSP responder issues have been resolved.
Status: NEW → RESOLVED
Closed: 10 years ago
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → WORKSFORME
Summary: HTTPS OCSP failure for website → sec_error_ocsp_unknown_cert OCSP failures due to issues with StartCom OCSP responders
Version: 36 Branch → unspecified