“The OCSP server experienced an internal error” with OCSP server NXDOMAIN

Post by pale guru » 2023-03-27, 20:47

If “When an OCSP server connection fails, treat the certificate as invalid” is activated, and Pale Moon cannot resolve the IP of the OCSP server (DNS returns NXDOMAIN), it returns the general error

“The OCSP server experienced an internal error. (Error code: SEC_ERROR_OCSP_SERVER_ERROR).”

Only when I looked into Wireshark did I see that the DNS server returned an NXDOMAIN (domain name not found) error (which was a temporary issue on my Internet provider's side).

I suggest using a more specific error message, as it is not the OCSP server that has a hiccup, but rather the DNS.
… tanning in dimmed LCD light. – Evry 1′s a beginner, baby, that's the truth…
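
The distinction raised in this post, a DNS failure versus a failure at the OCSP responder itself, can be checked outside the browser. The following is an added example, not part of the original post and not Pale Moon or NSS code; `triage_ocsp_endpoint` and the responder URL are hypothetical, and in practice the URL comes from the certificate's Authority Information Access extension.

```python
import socket
from urllib.parse import urlsplit

# Hypothetical triage helper (not Pale Moon or NSS code): reports the first
# stage at which reaching an OCSP responder fails.
def triage_ocsp_endpoint(url, resolve=socket.getaddrinfo,
                         connect=socket.create_connection, timeout=5.0):
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return ("bad-url", "not an http(s) responder URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)

    # Stage 1: name resolution. NXDOMAIN surfaces here as socket.gaierror,
    # before any packet is sent to the responder itself.
    try:
        addrs = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"cannot resolve {host}: {exc}")
    if not addrs:
        return ("dns", f"no addresses returned for {host}")

    # Stage 2: TCP connect to each resolved address in turn.
    last_error = None
    for _family, _type, _proto, _canon, sockaddr in addrs:
        try:
            sock = connect(sockaddr[:2], timeout=timeout)
        except OSError as exc:
            last_error = exc
            continue
        sock.close()
        return ("reachable", f"{host} answers on {sockaddr[0]}:{port}")
    return ("connect", f"{host} resolved but refused or timed out: {last_error}")


if __name__ == "__main__":
    # Constructed responder URL; the .invalid TLD never resolves (RFC 6761).
    print(triage_ocsp_endpoint("http://ocsp.example.invalid/"))
```

A result of `dns` means the responder was never contacted, which is the case described above; `connect` or `reachable` points the investigation at the network path or the responder instead.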

Post by Moonchild » 2023-03-27, 21:32

This would be something handled by NSS, which is third-party code for us. You may want to report this on bugzilla.mozilla.org. Reporting is rather limited because it's just handed off as "perform an OCSP lookup", and that can either succeed or fail from the browser's perspective. I don't think that kind of granularity is possible at the moment.

Ultimately, if you select that option, then any OCSP lookup failure is a trust failure so no matter the reason for the failure it will be "an OCSP lookup error" so we're doing the right thing at least even if it's a DNS failure.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Post by pale guru » 2023-03-27, 22:00

I see.

Is it okay with you to add a message to the error description that the cause could be a DNS failure? (Right now, the description is “The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.” and “Please contact the website owners to inform them of this problem.”)

Post by Moonchild » 2023-03-27, 22:11

It's already clear enough: there was an error getting a response from the OCSP server, and that is what is given. You should understand that this is the consequence of enabling that preference. It's off by default for a reason.

See also the help text (emphasis for your particular situation):
When an OCSP server connection fails, treat the certificate as invalid: If a certificate provides an OCSP server, and the browser is for any reason not able to contact the OCSP server (e.g. due to routing, server load, or other connectivity issues with the OCSP server), Pale Moon will refuse the connection to the website you're trying to visit. There are many reasons why you won't be able to contact an OCSP server at any given time, so only enable this if you are at specific risk of encountering wrongly-issued and revoked certificates.

Post by pale guru » 2023-03-31, 02:38

From the perspective of a programmer, it might be clear enough.

See it from the view of a daily user: if there is a "SEC_ERROR_OCSP_SERVER_ERROR" and the cause is in fact the DNS that cannot resolve the domain before it can even try to reach the OCSP server, a hint beside “Please contact the website owners to inform them of this problem.” might be useful for them.

Not everyone reads the manual daily of the car they drive.

Post by moonbat » 2023-03-31, 03:12

pale guru wrote (2023-03-31, 02:38):
> a hint beside “Please contact the website owners to inform them of this problem.” might be useful for them.

Such as what? "Go to the source of the problem because after a detailed explanation it should be crystal clear that it bloody well isn't us"?

pale guru wrote (2023-03-31, 02:38):
> Not everyone reads the manual daily of the car they drive.

That is nobody else's fault.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Post by Moonchild » 2023-03-31, 08:57

pale guru wrote (2023-03-27, 20:47):
> If “When an OCSP server connection fails, treat the certificate as invalid” is activated

Who did that? That's right, the user.

pale guru wrote (2023-03-31, 02:38):
> a hint beside “Please contact the website owners to inform them of this problem.” might be useful for them.

Well, the hint is right next to the raw error code. "The OCSP server experienced an internal error."
This is 100% clear that there is a problem on the server-side with the OCSP lookup. A DNS lookup failure generally falls into that category, also. As I already quoted from the help page: "There are many reasons why you won't be able to contact an OCSP server at any given time" and what the browser can do at best is provide a decent enough hint. It's neither the task of the browser to troubleshoot the server, nor is it easily capable of doing so. It's a web browser, not a diagnostic tool. There's only so much granularity you can expect, here.

Ultimately all of this is PEBCAK; both it occurring in the first place by enabling an advanced setting without knowing the implications, and by not understanding what should be clear (whether it's from not reading, selectively reading, or otherwise).

Post by pale guru » 2023-04-01, 06:17

DNS resolving issues are one probable cause of this INTERNAL_OCSP_ERROR, but are neither the fault of Pale Moon, NSS, or the OCSP server (owner). The latter isn't yet involved.

Giving them a hint to this fact might save them from coming here and complaining, while the same site gives you no errors.

Post by Moonchild » 2023-04-01, 11:40

Read my previous post.
I won't be doing anything to satisfy this corner case feature creep.