“MOZILLA PKIX ERROR OCSP RESPONSE FOR CERT MISSING” Error Code on Microsoft Websites in Firefox
All of a sudden, I started receiving following error message on lots of webpages of Microsoft website in Mozilla Firefox web browser:
Secure Connection Failed
An error occurred during a connection to docs.microsoft.com. The OCSP response does not include a status for the certificate being verified.
Advertisement
Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
- The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
- Please contact the website owners to inform them of this problem.
Learn more…
[Try Again]
Following screenshot shows the error message displaying on developer.microsoft.com website in Firefox:
Table of Contents
Mozilla Firefox Failed to Open Microsoft Websites with Error Code
Whenever I tried to open following sub-domains of Microsoft website, Mozilla Firefox failed to load the website and displayed above mentioned error message:
- docs.microsoft.com
- developer.microsoft.com
- visualstudio.microsoft.com
- channel9.msdn.com
There might be more websites causing this issue in Firefox web browser but I checked with the above mentioned websites only.
Advertisement
Clicking on “Try Again” button didn’t work and Firefox kept showing same error page every time I clicked on the button.
The strange part of the problem was, the same websites were opening fine in other web browsers such as Google Chrome, Microsoft Edge and Opera. The problem was occurring only in Mozilla Firefox browser and with Microsoft websites only.
Solutions I Tried to Fix the Problem but didn’t Work
I tried following workarounds to fix the issue:
- Closed and restarted Firefox.
- Cleared cache and cookies in Firefox (How-to Guide).
- Disabled antivirus/firewall/security suite.
- Uninstalled and reinstalled Firefox.
- Restarted Windows.
- Checked in other computers.
Nothing worked and every time I tried to open Microsoft websites in Firefox, it was unable to open the website and showed above mentioned error code.
OCSP Stapling Feature Causing the Issue in Firefox
Since Firefox mentioned OCSP inside the error message, I tried to disable OCSP stapling functionality in Firefox and it immediately resolved the issue.
Microsoft websites started opening in Firefox and the browser no longer displayed any error message.
So the problem is related to OCSP stapling feature and we can fix the issue by turning off OCSP stapling in Firefox.
What is OCSP Stapling in Mozilla Firefox?
Now you might be wondering what is this new OCSP stapling feature and why was it causing this irritating issue in Firefox?
Following information has been given on official Mozilla Security Blog about OCSP stapling feature:
OCSP stands for Online Certificate Status Protocol which is a method for obtaining certificate revocation information. When presented with a certificate, the web browser asks the issuing CA if there are any problems with it. If the certificate is fine, the CA can respond with a signed assertion that the certificate is still valid. If it has been revoked, however, the CA can say so by the same mechanism.
OCSP has a few drawbacks. First, it slows down new HTTPS connections. Second, it leaks to the CA what HTTPS sites the user visits, which is concerning from a privacy perspective.
OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner. OCSP stapling solves above mentioned problems by having the site itself periodically ask the CA for a signed assertion of status and sending that statement in the handshake at the beginning of new HTTPS connections. The browser takes that signed, stapled response, verifies it, and uses it to determine if the site’s certificate is still trustworthy. If not, it knows that something is wrong and it must terminate the connection. Otherwise, the certificate is fine and the user can connect to the site.
How to Fix the Error Message Issue on Microsoft Websites in Firefox?
If you also face this weird issue with Microsoft websites in Mozilla Firefox web browser, following method will help you in getting rid of the annoying error message and Microsoft websites will start opening in Firefox:
1. Open Firefox and type about:config in the address bar and press Enter. It’ll show you a warning message, click on “Accept the Risk and Continue” button. It’ll open Firefox’s hidden secret advanced configuration page i.e. about:config page.
2. Now type enable_ocsp in Search filter box and look for following preferences in the window:
security.ssl.enable_ocsp_must_staple
security.ssl.enable_ocsp_stapling
3. To disable OCSP stapling feature, double-click on the above mentioned preferences and change their values to false. Alternatively, you can click on the Toggle icon given next to the preference name.
That’s it. It’ll immediately deactivate and disable OCSP stapling in Mozilla Firefox. Now try to open Microsoft websites and everything will work fine now without any error message.
PS: In future, if you decide to restore default behavior and enable OCSP stapling feature, set above mentioned preferences/flags to true again.
We should hope that Mozilla or Microsoft will fix this certificate issue and we’ll not need to disable OCSP stapling feature in Firefox.
Also Check:
[Fix] “Secure Connection Failed” Problem in Mozilla Firefox Web Browser
[Fix] “This Connection is Untrusted” Problem with Google and Other HTTPS Websites in Mozilla Firefox
[Fix] HTTPS Errors and Warning Messages on Secure Websites in Mozilla Firefox
[Fix] SSL Error, Connection Not Secure or Invalid Security Certificate Problem With HTTPS Websites
Great analysis of the issue, it bothered me to switch to Chrome each time I needed access to MS documentation’s site.
Do you happen to known what is actually causing the issue (Firefox not issuing the OCSP-stapled request properly, MS failing to provide a valid response when requested with OCSP-stapling, Firefox not parsing the response correctly…)? Is there any issue that I can follow on either part to be notified when it is resolved?
this is really misleading, explained as if Firefox is the “problem”.
pretty sure the problem is that Microsoft’s subdomains aren’t doing their OCSP due-diligence at the moment, and Firefox just happens to be the only modern browser that goes the extra mile to care about it. as with most security/privacy/auth features, turning them off can of course remove the barrier causing issues, but it’s not even remotely a “fix”.
the only fix here is for Microsoft to fix their OCSP handling for their subdomains.
Thanks VG, spot on! Ran into the same issue this morning when trying to access visualstudio.microsoft.com.
Seems that Mozilla doesn’t support SHA-2 to mozilla::pkix’s OCSP implementation
Needs Mozilla fix this issue …
bugzilla.mozilla.org/show_bug.cgi?id=966856#a248022833_349244
It is not limited to Microsoft sites, I had the same issue with the Lenovo Partner Hub today, thanks for the fix!
From what I’ve managed to find, this is, in fact, a problem with Firefox and not Microsoft’s servers. The “problem” is that MS is using SHA-256 hashes in their OCSP Stapling whereas Firefox currently only supports less secure SHA-1 hashes for this.
Ironically, it also seems that this deficiency was reported 8 years ago but was assigned a low priority until now:
bugzilla.mozilla.org/show_bug.cgi?id=966856#c8
This article creates confusion for standard users as well as super users.
You start by talking about OSCP Stapling however give a description on what OSCP is which makes it seem like your describing what OSCP stapling is.
They are two different things. I quick Wiki search would tell you that. (en.wikipedia.org/wiki/OCSP_stapling):
I would strongly suggest you either re-iterate your wording to point out the two or just reference the wiki article:
“The original OCSP implementation has a number of issues.
Firstly, it can introduce a significant cost for the certificate authorities (CA) because it requires them to provide responses to every client of a given certificate in real time. For example, when a certificate is issued to a high traffic website, the servers of CAs are likely to be hit by enormous volumes of OCSP requests querying the validity of the certificate.
Also, OCSP checking potentially impairs users’ privacy and slows down browsing, since it requires the client to contact a third party (the CA) to confirm the validity of each certificate that it encounters.
Moreover, if the client fails to connect to the CA for an OCSP response, then it is forced to decide between: (a) continuing the connection anyway; defeating the purpose of OCSP or (b) terminating the connection based on the assumption that there is an attack; but which could result in excessive false warnings and blocks.
OCSP stapling is aimed at addressing these issues with the original OCSP implementation.”
Another thing. You do not require to completely disable OSCP stapling it is a safer and faster alternative to the original OSCP.
To do this, in the about:config, only modify the field “security.ssl.enable_ocsp_must_staple” from TRUE to FALSE
This will help with all Microsoft based services with Firefox until such time as Microsoft fixes the issue on their end. (who knows when that will happen…)
Thank you for this!
While no error shows us, this also resolved the issue of not being able to get to the MS 365 admin console at: admin.microsoft.com
The symptom was just simply a BLANK screen when attempting to login using FireFox 95.0
Hopefully there will be a FireFox 95.0.1 which officially fixes this issue.
The 95.0.1 update for FireFox released earlier today now fixes this issue.