Closed Bug 1751184 Opened 4 years ago Closed 4 years ago

Our organization is still receiving MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING even after updating Firefox to current levels. Works with all other browsers. Thanks.

Categories

(Core :: Security: PSM, defect)

Firefox 96
defect

Tracking

RESOLVED INVALID

People

(Reporter: randy.furlotte, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

Steps to reproduce:

Log onto page.

Actual results:

Secure Connection Failed

An error occurred during a connection to collss.acadiau.ca. The OCSP response does not include a status for the certificate being verified.

Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Expected results:

Page should open.
Any assistance would be appreciated.

I can reproduce on Nightly, loading https://collss.acadiau.ca/ produces the error described in comment 0; attempting to load the same page in Safari works fine.

Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
Component: Security → Security: PSM

That server is stapling an OCSP response for a certificate with the serial number 0x0d80c840d89744fb62f1561df9e9e972, but it is using a certificate with the serial number 0x0fb42c77dcaaae7e827c3758b5bec51e, which doesn't match. So, Firefox is actually doing the right thing here. You should get in touch with whoever runs that server and tell them it's misconfigured (the stapled OCSP response probably just needs to be re-fetched).

Flags: needinfo?(randy.furlotte)
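The comparison described in comment 2, as an added example that is not part of the bug thread or of Firefox's code: it reads the text that `openssl s_client -status` prints and checks whether any stapled entry covers the served certificate's serial. The sample output is constructed (abridged, with made-up dates, using the two serials quoted in comment 2), and the function names are hypothetical.

```python
# Constructed sample, abridged, in the layout `openssl s_client -status` prints.
# The serial is the stapled one quoted in comment 2; the dates are made up.
SAMPLE_STATUS = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0D80C840D89744FB62F1561DF9E9E972
    Cert Status: good
    This Update: Jan  1 00:00:00 2022 GMT
    Next Update: Jan  8 00:00:00 2022 GMT
"""
# Layout of `openssl x509 -noout -serial`; serial of the served certificate (comment 2).
SAMPLE_CERT = "serial=0FB42C77DCAAAE7E827C3758B5BEC51E"


def parse_serial(text):
    """Parse a hex serial with an optional 'serial=' or '0x' prefix and colons."""
    text = text.strip().split("=", 1)[-1].replace(":", "")
    return int(text, 16)


def stapled_statuses(status_output):
    """Map serial -> cert status for each entry of the stapled OCSP response."""
    found, pending, in_cert_id = {}, None, False
    for line in status_output.splitlines():
        line = line.strip()
        if line == "Certificate ID:":
            in_cert_id = True  # only serials inside a Certificate ID block count
        elif in_cert_id and line.startswith("Serial Number:"):
            pending, in_cert_id = parse_serial(line.split(":", 1)[1]), False
        elif pending is not None and line.startswith("Cert Status:"):
            found[pending] = line.split(":", 1)[1].strip()
            pending = None
    return found


def check_staple(status_output, cert_serial):
    """Return 'no-staple', 'mismatch', or the status stapled for this certificate."""
    statuses = stapled_statuses(status_output)
    if not statuses:
        return "no-staple"  # e.g. "OCSP response: no response sent"
    return statuses.get(parse_serial(cert_serial), "mismatch")
```

A `mismatch` result is the condition comment 2 describes: a response is stapled, but none of its entries is for the certificate the server presents.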

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #2)

Thanks for looking into this!

> So, Firefox is actually doing the right thing here.

If all the other browsers are able to display the page, doing the right thing technically may still hurt us, as from a user perspective it's Firefox that looks broken, rather than the server configuration.

Thanks everyone. We had to create a new rule for Firefox OCSP stapling on the firewall.
Thanks for the direction.

Flags: needinfo?(randy.furlotte)

Great!

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID