Secure Connection Failed (SEC_ERROR_OCSP_TRY_SERVER_LATER) on hairpin DNAT
Component: Core :: Security: PSM (defect)
Reporter: infotech (Unassigned)
Attachments: 1 file
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Steps to reproduce:
NOTE: The SSL certificate was issued by Let's Encrypt, will expire on 7/6/2022, and can be verified by visiting the site in question.
- Attempt to connect to https://cloud.osawatomieks.org from a computer on the same internal network.
- DNS server correctly issues IP address to browser.
- Mozilla Firefox version 99.0.1 (64-bit) fails in both normal and incognito mode.
- On a different computer (on the same network), Mozilla Firefox version 99.0.1 (64-bit) fails in both normal and incognito mode.
- Google Chrome version 100.0.4896.127 (Stable channel) (64-bit) loads site as normal.
- Vivaldi version 5.2.2623.39 (Stable channel) (64-bit) loads site as normal.
- Microsoft Edge version 100.0.1185.50 (Official build) (64-bit) loads site as normal.
Actual results:
Actual results are that the browser received a "Secure Connection Failed" error.
Secure Connection Failed
An error occurred during a connection to cloud.osawatomieks.org. The OCSP server suggests trying again later.
Error code: SEC_ERROR_OCSP_TRY_SERVER_LATER
Expected results:
Page should have loaded normally.
Comment 1 • 3 years ago
The issue is probably with that server. It needs to not include unsuitable OCSP responses in the TLS handshake. Can you get in touch with the people that manage that server?
I'm the one that manages it and your response made me dig deeper into the packets. Firefox attempted a connection to http://r3.o.lencr.org to verify OCSP stapling, but the domain was blocked in the firewall. Once the domain was allowed, Firefox is working as intended.
Thank you! This can be marked as closed and definitely not a bug.
A bit more information in the error code would be nice to identify the problem when there is no response or, in our case, when the connection was refused.
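The check an administrator on such a network would want, as an added example (Python 3 standard library only; not code from the bug report or from Mozilla): it does a plain TLS handshake to the site (Python performs no OCSP checking itself, so it succeeds where Firefox failed), reads the OCSP responder URL from the certificate's Authority Information Access data, and reports whether that responder is reachable from the local network, telling a refused connection apart from a silent drop, which is the distinction the last comment asks for. The sample certificate dictionary is constructed; the responder URL is the one named above.

```python
"""Probe the OCSP responders named in a server certificate (added example, stdlib only)."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the
# responder URL is the one the report found blocked by the firewall.
SAMPLE_PEERCERT = {"OCSP": ("http://r3.o.lencr.org",)}

def ocsp_urls(peercert: dict) -> list:
    """OCSP responder URLs from the Authority Information Access extension."""
    return list(peercert.get("OCSP", ()))

def probe(url: str, timeout: float = 3.0) -> str:
    """Classify TCP reachability of one responder: a firewall that rejects the
    connection gives 'connection_refused' (the report's case), one that drops
    packets gives 'timeout'."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return "reachable"
    except socket.gaierror:
        return "dns_failure"
    except ConnectionRefusedError:
        return "connection_refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"

def fetch_peercert(host: str, port: int = 443) -> dict:
    """Plain TLS handshake; Python does no OCSP checking, so this succeeds
    on the same network where Firefox failed, and returns the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return tls.getpeercert()

def unused_local_port() -> int:
    """Bind to port 0 and release it: a loopback port with no listener, used to
    show the 'connection_refused' outcome without any network access."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "cloud.osawatomieks.org"
    for url in ocsp_urls(fetch_peercert(host)):
        print(f"{url}: {probe(url)}")
```

Run it from a client on the internal network; a result of `connection_refused` or `timeout` for the responder URL points at the firewall rather than at the web server.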