Closed
Bug 1270504
Opened 9 years ago
Closed 8 years ago
arewestableyet.com intermittently fail loading because of SEC_ERROR_OCSP_TRY_SERVER_LATER
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(firefox49 affected)
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox49 | --- | affected |
People
(Reporter: marco, Unassigned)
Attachments
(1 file)
6.82 KB,
application/octet-stream
I've been seeing this error very often lately, with a lot of websites (seemingly unrelated to each other).
After reloading the page, the error is gone.
Comment 1•9 years ago
It would be helpful to know what sites this is happening on, and maybe some packet captures from wireshark if possible.
Flags: needinfo?(mcastelluccio)
Reporter
Comment 2•9 years ago
It's happening very intermittently and for seemingly random websites.
For example, https://arewestableyet.com/.
Reporter
Comment 3•9 years ago
Maybe kairo knows something, as it's often happening with his websites (e.g. kairo.at and arewestableyet.com).
Comment 4•9 years ago
Hmmm - I just saw this. I'll try back periodically and see if I can get a packet capture. It's looking like this may just be a flaky OCSP server.
Reporter
Comment 5•9 years ago
Another website where I can randomly reproduce is cbsm.at.
Flags: needinfo?(mcastelluccio)
Comment 6•9 years ago
Looks like it's a combination of a flaky OCSP server and a poor OCSP stapling server implementation. The server is sending a stapled OCSP response it presumably got from the OCSP server that has the status "tryLater". It's a bad idea for the server to actually use that response since the spec requires clients to close the connection in those cases (although Firefox is a bit more lenient for expired stapled responses, so we could potentially expand that set).
kairo - what server are you running? It needs to be fixed and/or updated.
Flags: needinfo?(kairo)
Comment 7•9 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> kairo - what server are you running? It needs to be fixed and/or updated.
The problem is on the side of StartSSL, which has a flaky OCSP server. After the first wave of renewals of my testing domains for Let's Encrypt, if everything works well, I'll switch most of my domains to LE, and that issue is one of the reasons for that.
That said, I'm using Apache on that server.
Flags: needinfo?(kairo)
Comment 8•9 years ago
Looks like this is a known issue with Apache: https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
Updated•9 years ago
Component: Security → Desktop
Product: Core → Tech Evangelism
Version: 49 Branch → unspecified
Comment 9•8 years ago
Just for the record, an issue in Tech Evangelism which targets a really large sample of domains is not really actionable. It becomes more of a meta, which already exists for this type of issue. See Bug 844556.
So I'm reframing this issue to be specifically about arewestableyet.com
https://www.ssllabs.com/ssltest/analyze.html?d=arewestableyet.com&latest
Kairo seems to have fixed the issue by switching to Let's Encrypt.
Closing as FIXED
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Summary: Some websites intermittently fail loading because of SEC_ERROR_OCSP_TRY_SERVER_LATER → arewestableyet.com intermittently fail loading because of SEC_ERROR_OCSP_TRY_SERVER_LATER
Assignee
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility