Firefox SSL error - but not chrome/safari!! OCSP stapling seems the issue!!

I had noted this before, and thought it was just a cache problem but its not - just had a customer tell me they cant get to THEIR site (they log in to site.com/rainloop for email) - due to a revoked certificate.
Looking into it it seems is an OCSP stapling issue - which my error logs were reporting stapling issues and you said it did not matter - seems it does mater - to firefox but not to chrome opera or safari.

checking on site https://certificatetools.com/ocsp-checker
it says cant get OCSP URL from the certificate.

so what do we do??

 

LE has fased out OCSP several month ago. Way more than 3 month by now so there can't be any LE certificates anymore that support OCSP.
So the result of the check is correct.

A notice about a revoked certificate has nothing to do with OCSP in case of LE anymore and is a whole other problem. On your side.
Though there should be no difference between browsers, unless their certificate revocation lists are not up-to-date or out-of-date.

Apparently your webserver is still using a certificate for that site after it has been revoked.
How or why? That's for you to figure out in your logs.
Easiest and fastest way to solve it is issueing a new certificate for the site and restarting the webservice afterwards.

 

I don't think cert has been revoked. From firefox:

Understanding the SSL Error with Revoked Certificates in Firefox
What is the Error?

When using Firefox, you may encounter an error indicating that a certificate has been revoked. This is often accompanied by messages like "SEC_ERROR_REVOKED_CERTIFICATE" or "MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING." These errors occur when the browser cannot verify the validity of an SSL certificate.
Causes of the Error

Revoked Certificate: The SSL certificate has been revoked by the Certificate Authority (CA).

OCSP Stapling Issues:
OCSP stapling allows a server to provide a cached response about a certificate's validity during the TLS handshake. If the server does not send a valid OCSP response, Firefox may display an error.
If the OCSP server is down or misconfigured, the browser cannot verify the certificate status.

I dont think cert has been revoked (and there are now 3 different sites showing the error..
Maybe the problem is ocsp?

How can one determine with certainty that a certificate has NOT been revoked??

 

Do as @till said, disable ocsp cache and see if it changes anything.
It should make no difference.

If it does make any difference than the ocsp cache in your webserver is corrupted and therefor not trustworthy in general for any certificate.
The cache shouldn't contain any LE certificates for month.

 

the coded snipped you gave me either in the apache directives or directly in the vhost produces error:
Syntax error SSLStaplingCache cannot occur in VirtualHost

unchecking SSL cert and save and recheck SSL cert and save made no difference.

anything else to try?

 

ack blame it on the old eyes! yes I have now removed it restarted httpd. no difference.

 

The only thing I can think of is that somewhere in Apache's general config and/or vhost config you must have deviated from the defaults and customized something. Most likely something that has to do with ocsp caching.
Since you're the only one here having this problem.

Comment out everything that is ocsp related (caching and stapling) in general config files and vhost files of sites that show this problem.
Restart Apache afterwards.
If the problem still persists than issue new certificates and restart Apache.
If even that doesn't help than through out the server I guess.

Just one last (in my eyes rhetorical) question. Is your Firefox browser up-to-date?

 

never deviated from the defaults as far as I know.
I ran certbot-auto renew and got messages like this:

Code:

http-01 challenge for araritywhataripoff.com
http-01 challenge for www.araritywhataripoff.com
Cleaning up challenges
Attempting to renew cert (araritywhataripoff.com) from /etc/letsencrypt/renewal/araritywhataripoff.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
Cannot extract OCSP URI from /etc/letsencrypt/archive/ascenthomesva.com/cert23.pem
Cert not yet due for renewal
Cannot extract OCSP URI from /etc/letsencrypt/archive/askcappelletti.com/cert47.pem
Cert not yet due for renewal
Cannot extract OCSP URI from /etc/letsencrypt/archive/atasservices.com/cert1.pem
Cert not yet due for renewal
Cannot extract OCSP URI from /etc/letsencrypt/archive/cdbsystems.com/cert47.pem
Cert not yet due for renewal
Cannot extract OCSP URI from /etc/letsencrypt/archive/constructionbydesigninc.com/cert1.pem
Cert not yet due for renewal
Cannot extract OCSP URI from /etc/letsencrypt/archive/contractorsadvisor.net/cert25.pem
Cert not yet due for renewal
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for craigscollectibles.com
http-01 challenge for www.craigscollectibles.com
Waiting for verification...
Challenge failed for domain www.craigscollectibles.com

 

no that domain is currently dormant. some of the errors are expected.

 

till - still working on seeing what is causing the firefox SEC REVOKED error - but its now manifesting on quite a few sites!!!
chrome/opera/safari all love my ssl certs. firefox is dying???
its not just one vhost!
and on ns12 - where I just did the minimal install, the auto-install, and migration from the old server (ns10) I've noted an issue when I have a powerfail - it does NOT come up cleanly. I have to ssh in and systemctl shows a bunch of services as failed. a sync;reboot brings everything back up but should I need to do that? why are the services not starting after a powerfail and reboot?

 

I am using firefox most of the times and it works just fine. May be, uninstall, clean and reinstall it fresh?

Server is normally restarted in safe mode after power failure, but I thought this was mentioned in other threads with a way to overcome it, so search it out because I am on mobile, so searching is not really friendly in this mode.

 

ahrasis problem is its on at least 3 different computers at this point. and all worked untill recently!!!

 

I'm seeing the same revoke message in Firefox for askcappelletti.com and not in Chrome.
Don't ask me why.

Also hardenize.com is saying your certificate has been revoked on 23 Nov 2025 05:07:47 UTC!!
https://www.hardenize.com/report/askcappelletti.com/1765568987#www_certs

But there is more...
There is something very fishy about your certificate. It doesn't contain the full chain, only the certificate itself.
That's not normal behaviour in ispconfig! Default behaviour is that a website's certificate contains the full chain.
Also when using certbot.
I've just double checked it on one of my older webservers that is still using certbot.

So if you had listened a week ago and renewed your certificates or had issued new certificates like I said all probably would have worked just fine again already.
Though you do have to look into why your certificates don't contain the full chain.
For certificates not yet due for renewal do a forced renewal.

The "Cannot extract OCSP URI from ..." CAN be ignored. That has NOTHING to do with your problem.

Your domain craigscollectibles.com doesn't have https enabled.
No question about it that it is because of the failed challange.

 

Just thought of a probable cause of it all maybe ...

You said in another thread you did a migration from ns10 to ns11.
I'm not familiar with the migration tool, but I asume it copies everything including (current) certificates.
And afterwards every website will be double in ispconfig. The original on ns10 and the copy on ns11.
Or is this a wrong assumption @till ?

When a website with LE certificate is removed in ispconfig (and maybe when https is disabled?) than ispconfig revokes the certificate by default. Though it can be turned of in the server settings.
Did you remove your websites from ns10 using ispconfig after the migration?
Or, question for @till , could that have been triggered by the migration script?

If the migration script triggered it than that is a bug!
Nontheless, the migration script should check if revoking is enabled on the old server and disable it!
To prevent revoking regardless of a possible migration script trigger or the user deleting websites on the old server.

 

supposedly I had it renew the certs - i'll try again with a force on one of the sites see if that fixes it!
alas no:

Code:

 ./certbot-auto renew --cert-name ussvinova.org --force-renewal
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ussvinova.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ussvinova.org
http-01 challenge for www.ussvinova.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ussvinova.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ussvinova.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@ns10 certbot]#

but firefox still complains!!!
ENLIGHTENMENT -- dam I'm just too tired. forgot to systemctl restart httpd.
the force-renew fixed it! now will do for ALL sites.

question still - why the heck did it ever break in the first place??

I ran the askcappelletti.com site on hardenize and it gave this information:

Code:

askcappelletti.com
Issuer: Let's Encrypt
Not Before: 12 Dec 2025 20:46:27 UTC
Not After: 12 Mar 2026 20:46:26 UTC (expires in 2 months 27 days)
Key: RSA 4096 bits
Signature: SHA256withRSA
Analysis
Strong private key
Good. The private key associated with this certificate is secure.
Strong signature algorithm
Good. This certificate uses a strong signature algorithm.
Certificate matches hostname
Good. The provided certificate matches the expected hostnames.
Certificate dates match
Good. The certificate is valid for use at this point of time.
Certificate has not been revoked
Good. This certificate has not been revoked.
Certificate satisfies Apple's CT compliance requirements
Good. This certificate satisfies Apple's CT requirements at present.
Certificate chain is incorrect
This certificate is delivered as part of an incorrect certificate chain. The problems in the chain render the certificate invalid too. Although some clients (typically browsers) are able to fix or rebuild certificate chains, it's generally not safe to assume that all browsers can.

so we renewed it (dec 12 above) but it says certificate chain is incorrect???

now firefox does NOT complain anymore. but will others??