Firefox/NSS throws this when the server returned an OCSP Stapling response with nextUpdate in the past (stale). Usual cause — the server's OCSP cache expired and nginx/apache keeps stapling the old answer. Server-side fix: (1) make sure OCSP auto-populate works, (2) nginx ssl_stapling_verify on + resolver, (3) certbot renew --deploy-hook reloads nginx.
Below: details, example, related, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
# Verify OCSP stapling works
$ echo | openssl s_client -connect host:443 -status 2>/dev/null | \
grep -E "OCSP response|thisUpdate|nextUpdate"
# nginx config
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
# Force refresh OCSP cache — restart
$ systemctl reload nginxThe SEC_ERROR_OCSP_OLD_RESPONSE error in Firefox indicates that the browser has received an outdated response from the Online Certificate Status Protocol (OCSP) server when checking the revocation status of a digital certificate. To resolve this, ensure that your server is configured to send updated OCSP responses, or adjust the OCSP settings in Firefox to bypass this check temporarily while troubleshooting.
The SEC_ERROR_OCSP_OLD_RESPONSE error primarily arises due to outdated or misconfigured OCSP responses from the certificate authority (CA) or the server hosting the certificate. This issue can occur in various scenarios:
To address these root causes, it is essential to regularly monitor and maintain your certificate configurations, ensuring that all OCSP responses are current and accessible.
To resolve the SEC_ERROR_OCSP_OLD_RESPONSE error, follow these practical steps:
openssl command to check the validity of your OCSP response. Run the following command:openssl ocsp -issuer -cert -url -textThis command will provide details about the OCSP response, including its freshness. Ensure that the response is not expired.
SSLUseStapling On
SSLStaplingResponder http://ocsp.example.com
SSLStaplingCache "shmcb:/var/run/ocsp-stapling-cache(128000)"This ensures that your server uses OCSP stapling, which reduces the need for clients to contact the OCSP server directly.
about:config in the address bar, search for security.OCSP.enabled, and set it to 0. This is not recommended for long-term use, as it compromises security.By following these steps, you should be able to effectively troubleshoot and resolve the SEC_ERROR_OCSP_OLD_RESPONSE error in Firefox, ensuring a smoother browsing experience for users accessing your web infrastructure.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeWithout stapling the client contacts OCSP itself → privacy leak + latency. Stapling = server pre-fetches and embeds it in the handshake.
Firefox — yes (security.OCSP.enabled=0 in about:config), but bad practice. Fix the server instead.
Chrome dropped hard OCSP enforcement long ago (CRLSets). Firefox is stricter. Safari — OCSP via Apple Sectigo.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.