I am running succesfully website on WinServer IIS with https.This is done inside a company, for internal use. Certificate is signed by internal CA that is correctly registered.The site loads correctly on Chrome and Edge , but fails with firefox with this error:SEC_ERROR_OCSP_INVALID_SIGNING_CERT
Sometimes it works with Firefox, sometimes (most of the time it fails)I did some test with openssl and concluded that ocsp response was 'good'also i add below wireshark trace where you see:
- Me : firefox client
- Tas-Dev: the website with https
- Ocsp: the ocsp server
sometimes , not systematic i observe 2 (request+reply) to ocsp serveralways reply of ocsp server is as shown on screenshot 'good'and firefox closes connection just after the last ocsp server answer with a 'FIN ACK' without displaying content of the web page.
I am struggling alone as my IT chief claims that only Chrome is supported officially ... LOL
by curiosity i have tried to browse to the ocsp URI indicated in certificate of https server with my browser (with HTTP GET) and I have a http 500 on IIS, - maybe out of scope because ocsp is http POST, but i want to add this note as i find it strange as I would expect a more apropriate error message like 'only POST is supported' , see below:
As an additional note , during investigation i have downloaded the 'DigiCertUtil'I note 2 things strange without knowing if it is critical:
- the web certificate registered on the machine is not displayed in 'ssl' panel
- if i import inside the tool the pfx for the webserver it says 'no ssl' see below:
DigiCert Certificate Utility for Windows©
The file pfx does not have any SSL or code signing enabledcertificates contained in it.
... but maybe this tool is out of date since i think ssl is not anymore used, rather Tls.
Also i continued to investigate and in contact of admin of ocsp server.we have a load balancer between firefox and 2 ocsp instances.both ocsp servers have certificate emitted with same ca as website . I have checked that:
- 2 ocsp server
- https of websiteall of 3 have a certificated emitted by same CA with same serial number that i checked here :
the ocsp server responding are WinServer internal features checked here:
also certutil display a status 'verified'
the current workaround is to disable ocsp for firefox by setting enable to 0:
by the way Wiresharking Chrome and Edge make me laugh since both of them do not request anything to ocsp server... in fact it means that disabling this security feature of firefox make it to behave properly like chrome and edge...
#Observationthe ocsp server is in fact a load balancer, behind which there are 2 ocsp servers.The ocsp servers are configured with their own certificate correctly signed but with different C-name than the ocsp hostname used in the http POST request done in the ocsp request.
request contains host "ocsp...":
answer contains machine dcew11...:
...still from my understanding it should not be an issue.