View Issue Details

ID: 0001497
Project: Main CAcert Website
Category: account administration
View Status: public
Last Update: 2020-12-24 11:55
Reporter: L10N
Assigned To:
Status: new
Resolution: open
Platform: Main CAcert Website
OS: N/A
Summary: 0001497: OCSP server certificate no longer accepted by Mozilla
Description:
> On 28.10.2020 at 13:06, Bernhard Eisele (priv) wrote:
>> Dear team,
>> yesterday everything still worked fine; today my Firefox (version
>> 82.0.1) reports the following:
>> An error occurred while connecting to . The OCSP response contains
>> out-of-date information.
>> I have granted trust to the root certificate "CA Cert Signing Authority",
>> but still cannot get any further.
>> It seems a wrong answer is coming from the OCSP server (according to
>> Firefox), because Opera works (still?)!
>> Regards,
>> Bernhard

Bernhard Eisele (priv) @ 28.10.20 13:19:
> Solution found:
> Under Settings - Certificates I had to deactivate the checkbox
> "Query OCSP responder servers to confirm the current validity of
> certificates"; after that it worked again.
> Greetings to everyone who may fall into the same trap,
> Bernhard
> PS: It seems to have been changed with the update! Thank you, dear
> Mozilla developers

Tags: No tags attached.

File added (2020-11-07 10:53): CAcert-Mozilla-Firefox-Unblock.png

Notes

2020-11-07 10:54  L10N (reporter)  ~0005915

Subject: Re: CAcert website no longer reachable with Firefox
Date: Sat, 31 Oct 2020 16:42:11 +0100
From: Bernd Jantzen
Reply-To: Bernd Jantzen

OK, it certainly is not practical that Firefox has changed the default settings.

But why does OCSP not work for The certificate used to identify specifies for authority information via
OCSP. So why does it not work? Is there a problem with CAcert's OCSP server? Can
this not be fixed by CAcert instead of telling everybody to deactivate OCSP
checking in Firefox?

And why should it be a good idea to deactivate OCSP checking generally in my
browser? I would guess that this makes my encrypted web connections less secure
because used server certificates might be compromised and revoked without my
browser noticing it.

Best regards,


2020-11-07 13:03  jandd (administrator)  ~0005916  (last edited 2020-11-07 13:06)

It seems like the OCSP responder is using sha1WithRSAEncryption to sign OCSP responses, and maybe Firefox does not like this anymore:

openssl ocsp -issuer chain.pem -cert -url -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
          Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
          Serial Number: 02E101
    Request Extensions:
        OCSP Nonce:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., OU = Server Administration, CN =
    Produced At: Nov 7 12:57:47 2020 GMT
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
      Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
      Serial Number: 02E101
    Cert Status: good
    This Update: Oct 17 00:05:34 2020 GMT
    Next Update: Nov 9 12:57:47 2020 GMT

    Response Extensions:
        OCSP Nonce:
    Signature Algorithm: sha1WithRSAEncryption
        Version: 3 (0x2)
        Serial Number: 186781 (0x2d99d)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=, CN=CAcert Class 3 Root
            Not Before: Aug 25 14:14:29 2019 GMT
            Not After : Aug 24 14:14:29 2021 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., OU=Server Administration,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 CRL Distribution Points:
                Full Name:
    Signature Algorithm: sha512WithRSAEncryption


2020-11-07 14:00  L10N (reporter)  ~0005917

Following from 2018, SHA-1 is "to be disabled". Maybe that happened now?


2020-11-10 20:29  egal (administrator)  ~0005918  (last edited 2020-11-10 22:24)

I checked the logfiles of the OCSP server (and set up a new one in my test environment):

Firefox tries to verify the certificate by using the OCSP responder on port 80. Therefore no OCSP server certificate is questioned.

... but ...

It's the OCSP stapling setting in Apache which breaks the Firefox OCSP functionality ...

As it seems that (at least) one certificate can't be verified, I disabled OCSP stapling temporarily, so access to via Firefox is working again.

... to be continued ...


2020-12-24 11:55  egal (administrator)  ~0005928

Today we detected that a script on was not running as expected.

Therefore the CRL expired for the OCSP daemon, hence giving the OLD_RESPONSE error.

We have now restarted the script and will change our internal monitoring within the next days.
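
The response quoted in note 0005916 and the root cause given in note 0005928 fit together once the freshness rule a browser applies is written down. In that response nextUpdate (Nov 9) is still in the future, so a plain `openssl ocsp` check reports "good", but thisUpdate (Oct 17) is three weeks old because the responder kept signing responses against a CRL the stopped script never refreshed. Firefox caps the usable lifetime of a response at a fixed maximum, so a stale thisUpdate cannot be rescued by a fresh-looking nextUpdate, and the result is the "out-of-date information" / OLD_RESPONSE error. The following is an added example, not code from CAcert or from the bug report; it assumes the timestamp format printed by `openssl ocsp -text` and a 10-day maximum lifetime, which is the cap Firefox's mozilla::pkix has used (check the current source if the exact number matters to you). The two sample responses are constructed from the timestamps on this page.

```python
"""OCSP response freshness check, modelled on the rules mozilla::pkix applies.

Added example (not CAcert's or Mozilla's code). Assumptions:
  - timestamps look like `openssl ocsp -text` output, e.g. "Nov  7 12:57:47 2020 GMT"
  - MAX_LIFETIME of 10 days, the cap Firefox has used for OCSP responses
"""
import re
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=10)  # assumed cap on how long past thisUpdate a response is usable
SLOP = timedelta(hours=1)          # assumed tolerance for clock skew between responder and client

_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # strptime treats the spaces as "one or more"


def _parse_time(text):
    """Parse a GMT timestamp as printed by `openssl ocsp -text` into an aware datetime."""
    return datetime.strptime(text.strip(), _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_response_times(openssl_text):
    """Extract producedAt / thisUpdate / nextUpdate from `openssl ocsp -text` output."""
    times = {}
    for key in ("Produced At", "This Update", "Next Update"):
        m = re.search(rf"^\s*{key}:\s*(.+?)\s*$", openssl_text, re.MULTILINE)
        times[key] = _parse_time(m.group(1)) if m else None  # nextUpdate is optional in OCSP
    return times


def check_freshness(this_update, next_update, now,
                    max_lifetime=MAX_LIFETIME, slop=SLOP):
    """Return (ok, reason) for one OCSP single response.

    The usable window ends at min(nextUpdate, thisUpdate + max_lifetime):
    a nextUpdate far in the future cannot rescue a stale thisUpdate.
    """
    if this_update > now + slop:
        return False, "thisUpdate is in the future"
    if next_update is not None and next_update < this_update:
        return False, "nextUpdate precedes thisUpdate (malformed)"
    not_after = this_update + max_lifetime
    if next_update is not None and next_update < not_after:
        not_after = next_update
    if now > not_after + slop:
        age = now - this_update
        return False, f"OLD_RESPONSE: thisUpdate is {age.days} days old, limit {max_lifetime.days}"
    return True, "fresh"


def evaluate(openssl_text, now=None):
    """Parse the text and run the freshness check; `now` defaults to producedAt."""
    t = parse_response_times(openssl_text)
    if now is None:
        now = t["Produced At"]
    return check_freshness(t["This Update"], t["Next Update"], now)


# Constructed sample: the timestamps from the response quoted in note 0005916.
STALE_RESPONSE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Nov  7 12:57:47 2020 GMT
    Cert Status: good
    This Update: Oct 17 00:05:34 2020 GMT
    Next Update: Nov  9 12:57:47 2020 GMT
"""

# Constructed sample: the same responder with thisUpdate tracking a freshly
# loaded CRL, i.e. what it would have served had the refresh script been running.
FRESH_RESPONSE = STALE_RESPONSE.replace("Oct 17 00:05:34 2020", "Nov  7 00:05:34 2020")

if __name__ == "__main__":
    for label, text in (("stale", STALE_RESPONSE), ("fresh", FRESH_RESPONSE)):
        ok, reason = evaluate(text)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({reason})")
```

Run against the page's own timestamps, the stale response is rejected with thisUpdate 21 days old while the refreshed variant passes. To get the same signal from the command line, `openssl ocsp` needs `-status_age <seconds>`; without it the tool only checks that nextUpdate has not passed, which is why the responder looked healthy in note 0005916. A monitoring probe for an OCSP responder should therefore alert on the age of thisUpdate, not only on the response status.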

Issue History

Date Modified Username Field Change
2020-11-07 10:53 L10N New Issue
2020-11-07 10:53 L10N File Added: CAcert-Mozilla-Firefox-Unblock.png
2020-11-07 10:54 L10N Note Added: 0005915
2020-11-07 13:03 jandd Note Added: 0005916
2020-11-07 13:03 jandd Note Edited: 0005916
2020-11-07 13:06 jandd Note Edited: 0005916
2020-11-07 14:00 L10N Note Added: 0005917
2020-11-10 20:29 egal Note Added: 0005918
2020-11-10 22:24 egal Note Edited: 0005918
2020-12-15 13:37 gleurent Relationship added related to 0001496
2020-12-15 13:37 gleurent Relationship deleted related to 0001496
2020-12-24 11:55 egal Note Added: 0005928