Caddy: SEC_ERROR_OCSP_INVALID_SIGNING_CERT only in Firefox

Created on 14 Aug 2017 · 12 Comments · Source: caddyserver/caddy

1. What version of Caddy are you using?

0.10.6 but happened with 0.10.5 too

2. What are you trying to do?

Trying to serve some pages via HTTPS with commercial certificates.

When I start caddy with the configuration below everything works fine. All my pages are working flawlessly in any of the popular browsers. After some days without restarting caddy, I get an error only in Firefox "SEC_ERROR_OCSP_INVALID_SIGNING_CERT". Restarting caddy solves the problem. Chrome, Safari, Edge and Internet Explorer don't show this error.

We have been experiencing this error for 5 months. We restarted Caddy every time, but this is not a reliable solution. Switching back to Nginx seems to be the only solution for now.

One explanation for that strange behavior could be Let's Encrypt. We don't use any certificate from Let's Encrypt. But maybe Caddy checks for outdated certificates periodically and then messes up the certificate chains? It's only an idea. Is there a possibility to completely switch off Let's Encrypt to verify this?

3. What is your entire Caddyfile?

root@web-cloudradar-io:/etc/caddy/conf.d#
##### bitbucket-deploy.conf ######
https://cloudradar.info:8443/deploy {
    tls /etc/ssl/certs/cloudradar.info/cloudradar.info.chained.crt /etc/ssl/certs/cloudradar.info/cloudradar.info.key
    root /var/www/deploy/
    fastcgi / /run/php/php7.0-fpm.sock php
    log /var/log/caddy/deploy-access.log
    errors /var/log/caddy/deploy-error.log
    basicauth / xxxxx xxxx
}

##### blog.cloudradar.io.conf ######
https://blog.cloudradar.io {
    proxy / http://localhost:2368 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-For {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
    tls /etc/ssl/certs/cloudradar.io/_wildcard.cloudradar.io.chained.crt /etc/ssl/certs/cloudradar.io/privkey.pem
}

http://blog.cloudradar.io {
    redir / https://blog.cloudradar.io
}
##### default.conf ######
http://0.0.0.0:80 {
    root /var/www/caddy
    log /var/log/caddy/access.log
    errors /var/log/caddy/error.log
}
##### downloads.cloudradar.io.conf ######
https://downloads.cloudradar.io {
    root /var/www/downloads.cloudradar.io/
    tls /etc/ssl/certs/cloudradar.io/_wildcard.cloudradar.io.chained.crt /etc/ssl/certs/cloudradar.io/privkey.pem
    basicauth /admin admin xxxxx
    browse /
    filemanager /admin {
        show           ./downloads.cloudradar.io
        allow_commands true
        allow_command  rm
        allow_command  mv
        allow          dotfiles
    }
}
##### y-cloudradar.info.conf ######
# This file is maintained by salstack and was built dynamically using jinja
# Do not edit. All changes will be overwritten
https://cloudradar.info:443 {
   root /var/www/cloudradar.info/pub/
   fastcgi / /run/php/php7.0-fpm.sock php
   log /var/log/caddy/cloudradar.info-access.log
   errors /var/log/caddy/cloudradar.info-error.log
   tls /etc/ssl/certs/cloudradar.info/cloudradar.info.chained.crt /etc/ssl/certs/cloudradar.info/cloudradar.info.key
   rewrite / {
     ext !.png !.css !.js !.otf !.ttf !.woff !.woff2 !.svg !.ico !.gif !.jpg
     to /router.php
    }
}
##### z-cloudradar.io.conf ######
https://cloudradar.io {
    root /var/www/cloudradar.io/pub/
    fastcgi / /run/php/php7.0-fpm.sock php
    log /var/log/caddy/access.log
    errors /var/log/caddy/error.log
    #tls /etc/ssl/certs/cloudradar.io/thawte/cloudradar.io.chained.crt /etc/ssl/certs/cloudradar.io/thawte/server.key
    tls /etc/ssl/certs/cloudradar.io/cloudradar.io.chained.crt /etc/ssl/certs/cloudradar.io/privkey.pem
    rewrite / {
      ext !.png !.css !.js !.otf !.ttf !.woff !.woff2 !.svg !.ico !.gif !.jpg
      to /router.php
    }
}

http://www.cloudradar.io {
    redir / https://cloudradar.io{uri}
}

http://cloudradar.io {
    redir / https://cloudradar.io{uri}
}

4. How did you run Caddy?

chown -R www-data:www-data /var/run/caddy/
  su - www-data -s /bin/sh -c \
  "ulimit -n 8192; /usr/bin/nohup /usr/local/bin/caddy \
  -log /tmp/caddy-start.log \
  -email [email protected] \
  -agree=true \
  -conf=/etc/caddy/Caddyfile \
  -root=/var/tmp \
  -pidfile=/var/run/caddy/caddy.pid >> /tmp/caddy-start.log 2>&1 &" >>/tmp/caddy-start.log

5. Please paste any relevant HTTP request(s) here.

Firefox: https://cloudradar.io/

6. What did you expect to see?

The page without SSL errors

7. What did you see instead (give full error messages and/or log)?

SEC_ERROR_OCSP_INVALID_SIGNING_CERT

8. How can someone who is starting from scratch reproduce the bug as minimally as possible?

Sorry, but I don't know how to reproduce this error.

bug

All 12 comments

Hello,

it looks like Matt is working on this :) (see #1821)

I will close this issue

@elcore Thanks for hopping on this so quickly - but, @thorstenkramm - would you please try the fix in #1821? I posted it a few days ago on the forum where this issue was originally reported and I'd really like you to give it a try before you go through the hassle of changing web servers.

Thank you for the very quick reaction. That's great.
I'm glad to help with testing, but my apologies for the stupid question: How do I compile from the branch?
I downloaded the branch by

wget "https://github.com/mholt/caddy/archive/ocspfix.zip"
unzip ocspfix.zip

Go is installed and it says go version go version go1.8.3 linux/amd64,
I tried

cd /usr/src/caddy-ocspfix
go build caddy.go

but no luck

# command-line-arguments
./caddy.go:78: undefined: Context
./caddy.go:81: undefined: ServerListener

Sorry for my stupid question. How do I compile the sources? And how do I tell the compiler which Caddy plugins should be included?

So, you need Go installed, and you need the Caddy sources in your GOPATH. By default, the GOPATH is ~/go. So either move your extracted zip contents to $GOPATH/src/github.com/mholt/caddy or run go get github.com/mholt/caddy/caddy and then cd to $GOPATH/src/github.com/mholt/caddy and checkout the ocspfix branch. Then in the caddy subfolder just run ./build.bash which puts the binary in that folder. Hope that helps!

If you need plugins, you just add a line to run.go: https://github.com/mholt/caddy/wiki/Extending-Caddy#2-plug-in-your-plugin

Ok. I got it. It's up and running.
https://cloudradar.io/ is now powered by Caddy 0.10.6 (+b699a17 Mon Aug 14 15:46:16 UTC 2017)
It's working fine, but now we have to wait. The error occurs after a while.

@thorstenkramm Just noticed basicauth /admin admin izeeBahW9pee is that the real password?

@wader Thanks for the hint. I changed that now.

👍

Excellent, I await your report in a couple of days!

@thorstenkramm So, what's the verdict. You should have seen errors by now. Any troubles?

No errors. Since you published the new version we are running Caddy 0.10.6 (+b699a17 Mon Aug 14 15:46:16 UTC 2017) on our production server.
No errors. No complaints from users.
Thanks a lot for your very quick reaction.

Yay, I'm having no regressions in my production testing either (yes, I just said "production testing"). So I'll merge that change and it'll go out in the next release. Thanks!
