Let's Encrypt Firefox OCSP problem: Secure Connection Failed

[WorkinOnIt]

Hi team

I am having trouble with one specific server that seems to be failing HTTPS websites only in Firefox (version 50.1.0)

When browsing a website for example, https: // myexampledomain .com (without spaces) on Firefox, I get the following error;

Secure Connection Failed

An error occurred during a connection to myexampledomain.com. The OCSP server suggests trying again later. Error code: SEC_ERROR_OCSP_TRY_SERVER_LATER

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

I have the same issue with ALL https domains on that server in Firefox - however all of the same https domains work fine in all other browsers (Chrome / IE10 / Opera).

My other servers seem to be fine and all sites on them are connecting to https in Firefox without an issue - so there is something going on with this particular server.

Server info:

• CENTOS 7.3 x86_64

• WHM 60.0 (build 28)

• Server Version: Apache/2.4.23 (Unix) OpenSSL/1.0.1e-fips

• Let's Encrypt

There are no problems noted in the Manage Auto SSL logs.

In httpd.conf :

SSLUseStapling on
SSLStaplingCache shmcb:/usr/local/apache/logs/stapling_cache_shmcb(256000)
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data_shmcb(1024000)

I notice the above httpd.conf entry is slightly different on my other server (which is running CentOs 6.8).

Please advise, thanks.

 

[WorkinOnIt]

After some Googling, I came across a solution which I have tried it and it works for me:

• Login to your WHM with root access.
• Go to ‘Service configuration’ > Apache Configuration > Include Editor
• Go to Pre VirtualHost Include > select php version 2.4.xx > insert ‘SSLUseStapling off’ in the column > click Update
• Click ‘Restart Apache’

Source: ipserverone.info/uncategorized/how-to-resolve-apache-ssl-website-error-sec_error_ocsp_try_server_later/

However, I am concerned that turning SSLUseStapling OFF will have negative connotations. Could someone from cPanel please comment?

Thanks

 

[cPanelMichael]

Hello,

It's possible this relates to the following Apache bug:

60182 – SSLStaplingFakeTryLater Deviates From Documented Behavior of Only Being Effective When SSLStaplingReturnResponderErrors is On

If that's the case, you can add the following entry to the "Pre VirtualHost Include" section in "WHM Home » Service Configuration » Apache Configuration » Include Editor" to prevent this from happening in the future:

SSLStaplingFakeTryLater off

Thank you.