For a couple of weeks, we had wrestled with a sec_error_ocsp_unauthorized_request error on our site in Firefox.
The error only appeared intermittently and for a short time. That made it difficult to replicate and to debug.
To top it all off, we couldn’t find any documentation from anyone experiencing the same issue. So, now that we’ve finally resolved the issue, we figured we should write up the solution, in the hope that it might save someone else hours of debugging.
What on earth is OSCP?
OCSP stands for Online Certificate Status Protocol. It’s basically a protocol that’s used to make sure that an SSL certificate is still valid and hasn’t been revoked.
If an SSL certificate uses OCSP, the visitor’s browser can validate the certificate’s status. The browser does this by checking with the entity that issued your SSL (the Certificate authority) via an OCSP responder (another server that also has that information).
That validation process can take anywhere from .3 seconds to 1 second. While it’s happening, the site isn’t loading for the user. This presents a dilemma. This is a nice security feature, but it makes the site load slowly, since the user has to wait.
That’s where OCSP stapling comes in. It allows the server that’s hosting the site to periodically check the certificate status via the OCSP and stamp that response into the initial TLS handshake. It’s sort of like caching and can make your site load considerably more quickly.
What was the error message?
Secure Connection Failed An error occurred during a connection to www.ostraining.com. The OCSP server has refused this request as unauthorized. (Error code: sec_error_ocsp_unauthorized_request) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
What browsers were impacted?
It was only occurring in Firefox for us. Firefox appears to be the only browser that does an additional security check for OCSP and also does a hard fail. This is a security feature of Firefox. There’s an option to turn off this feature, but that’s working around the problem and it wouldn’t resolve the issue for our users. Plus, turning off that option made no difference for one of our staff when testing.
The cause of the problem
After much debugging, with the help of our hosting support (thanks Jeremy from Rochen!), we narrowed down the issue. The OCSP server was reachable and there were no connection issues. Instead, we figured out that every time Apache restarted gracefully, the error would occur.
Although an OCSP stapling cache was defined in the Apache configuration, the cache was not being created after the restart. This was causing the issue.
We opened a ticket with cPanel and they were able to replicate the issue. After some investigation, they recommended raising the SSLStaplingResponderTimeout value in the Apache configuration. And that fixed it!
Hopefully this saves you some troubleshooting. Good luck!