Sec_error_ocsp_old_response on reverse proxy

1. Caddy version (caddy version):

$ caddy version
v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

My caddy is run as a systemd service, serving a static directory on one domain and reverse proxying to a backend passenger ruby container (with nginx and RoR included) on a subdomain.

a. System environment:

Linux adalab 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

b. Command:

$ ps aux | grep caddy
benben    4126  0.0  0.0  15492  1044 pts/3    S+   10:26   0:00 grep --color=auto caddy
caddy    30275  0.0  1.0 739712 42256 ?        Ssl  Jul08   1:52 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

# caddy.service
# For using Caddy with a config file.
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
# See for instructions.
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile


d. My complete Caddyfile or JSON config: {

        # static pages
        root * /home/foobar/webroot/

} {
        reverse_proxy localhost:8080

        # logging
        log {
                output file /var/log/caddy.log

3. The problem I’m having: works just fine, but visiting from FireFox generates a sec_error_ocsp_old_response error.

4. Error messages and/or full log output:

No error in the log.

5. What I already tried:

  • switching to another browser resolves the problem
  • disabling OCSP in FireFox resolves the problem
  • access to works fine

My guess would be as good as yours at this point. :slight_smile: What are the full logs, and how can I experience/reproduce this behavior? If you post the actual site that has the problem, that will help.

Also how’s your system clock?

1 Like

I just restarted caddy and the problem disappeared.

By the way, I happened to find that my /var/log/caddy.log has not been updated for almost two weeks since I upgraded to v2.1.1 because my previous old version did not support the log config syntax.

Is there anything wrong with my config now? Even after the restart, the log file is still not updated at all.

The caddy user might not have permissions to write to your log file?


I happened to see [WARNING] Stapling OCSP: no OCSP stapling for []: making OCSP request: Post "": dial tcp i/o timeout in the caddy log today, and realized that the OCSP stapling sometimes just fails on my server.

This may well be a firewall issue.

Yeah I believe you are right. When testing the config file I guess I run caddy as root and the log file was created as root owner as well. That’s why later on when caddy was run using systemd services (as user caddy), no more logs could be appended to that file.

I chowned and now it works perfectly.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.