Closed Bug 1151270 Opened 9 years ago Closed 9 years ago

sec_error_ocsp_unknown_cert OCSP failures due to issues with StartCom OCSP responders

Component: Core :: Security: PSM (defect, priority not set, severity normal)
Status: RESOLVED WORKSFORME
Tracking: firefox38 ?
Reporter: mdc (Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
Build ID: 20150321194901

Steps to reproduce:

Visit https://mortonsolicitors.com/


Actual results:

OCSP error:
The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)


Expected results:

The website should load OK. The server seems unhacked as far as I can tell, and IE and Chrome load the site OK.
Same issue on nightly
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Untriaged → Security
In case it's relevant, https://www.ssllabs.com/ssltest/analyze.html?d=mortonsolicitors.com:
>                  www.mortonsolicitors.com
> 1 Sent by server Fingerprint: 8cbf983cacc120c3d233fdf241518a4f23d61e82
>                  RSA 2048 bits (e 65537) / SHA256withRSA
>                  OCSP ERROR: OCSP response: Certificate unknown
... which is a StartCom cert.
Component: Security → Security: PSM
Product: Firefox → Core
There's a known problem with StartCom's OCSP responder returning "Unknown" for newly-issued certs (see bug 1006479), but that shouldn't apply to a cert apparently issued four months ago. For a newly issued cert "unknown" probably means the cert issuing server hasn't updated the OCSP responder yet. For a months old cert it's an alarming response -- if you (the CA's OCSP responder) never heard of this cert is it fraudulent, stolen by a hacker? [Note, I'm not questioning your cert, I'm explaining the reasons some browsers consider "unknown" a bad response.] If the StartCom server is having temporary trouble it would be better if they returned "tryLater" responses. If they've truly lost track of having issued your cert that's alarming.
Due to a technical issue the OCSP responders failed to update - they are syncing again and this issue should resolve itself within the next few hours for your site if it hasn't already. Make sure to restart your Firefox before trying again (since the unknown response is cached also).
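The two comments above describe a responder that has fallen out of sync with the CA's issuance database answering "unknown" for a certificate it really did issue. The script below, an added example that is not part of this bug and not StartCom's or Mozilla's code, reproduces that offline with openssl: it builds a throw-away CA and leaf certificate (names constructed for the example), answers the same OCSP request from a "stale" responder database that lacks the leaf's serial and from a "synced" one that lists it, and verifies each response the way a client does. Assumes an `openssl` binary (1.1.1 or 3.x) is on PATH.

```shell
# Added example (not from the bug): reproduce an "unknown" OCSP answer offline.
# An OCSP responder answers "unknown" for any serial missing from its database,
# which is what a CA responder that has lost sync returns for a valid cert.
set -e
cd "$(mktemp -d)"

# Throw-away CA and one leaf certificate (EC keys keep key generation fast).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=Example CA" -days 2 2>/dev/null
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=leaf.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 1 -out leaf.pem 2>/dev/null
SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)

# Two responder databases in openssl's index.txt layout (tab separated:
# status, expiry, revocation date, serial, filename, subject).
# "stale" only knows some other serial; "synced" lists our leaf as valid (V).
printf 'V\t991231235959Z\t\t1002\tunknown\t/CN=other.test\n' > stale.txt
printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=leaf.test\n' "$SERIAL" > synced.txt

# The client's OCSP request for the leaf (no nonce, so the file-based
# responder's answer can be checked without a nonce mismatch).
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1

# ocsp_status DBFILE: answer req.der from DBFILE acting as the CA's responder,
# then verify the signed response as a client and print the cert status word.
ocsp_status() {
    openssl ocsp -index "$1" -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
        -no_nonce 2>/dev/null | awk '/^leaf\.pem: /{print $2}'
}

echo "stale responder:  $(ocsp_status stale.txt)"   # unknown
echo "synced responder: $(ocsp_status synced.txt)"  # good
```

Both responses verify cleanly, so the difference a client sees is only the per-certificate status, which is why Firefox treats "unknown" as a hard failure rather than a transient one, unlike a "tryLater" response status.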
Indeed, it looks like the OCSP responder issues have been resolved.
Status: NEW → RESOLVED
Closed: 9 years ago
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → WORKSFORME
Summary: HTTPS OCSP failure for website → sec_error_ocsp_unknown_cert OCSP failures due to issues with StartCom OCSP responders
Version: 36 Branch → unspecified