trouble with firefox and ocsp-must-staple
Hi!
I've been using Chrome with my site, which works just fine. I manually create SSL certificates with Let's Encrypt. I have the OCSP must staple set. In Chrome, I can load my site just fine. In Firefox, I cannot. I receive the following error:
An error occurred during a connection to www.example.com:2087. A required
TLS feature is missing.
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
This is related to OCSP stapling. If I temporarily set security.ssl.enable_ocsp_must_staple in about:config in Firefox to false, I can visit my page. So I'm looking through the Apache configuration and see:
SSLUseStapling on
SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000)
# Prevent browsers from failing if an OCSP server is temporarily broken.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off
SSLStaplingResponderTimeout 3
SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000)
I'm using EasyApache 4 and I ran /usr/sbin/apachectl -M and verified that socache_shmcb_module is listed, and it is, as shared. I've verified the server and certificates are good by running:
openssl ocsp -issuer chain.pem -cert cert.pem -text -verify_other \
chain.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "Host" \
"ocsp.int-x3.letsencrypt.org"
....
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Aug 19 00:03:00 2017 GMT
...
WARNING: no nonce in response
Response verify OK
cert.pem: good
This Update: Aug 19 00:00:00 2017 GMT
Next Update: Aug 26 00:00:00 2017 GMT
That WARNING worries me a bit and might be part of the problem. I haven't researched that yet. Any ideas what might be going on here and how to go about fixing it on the server? Thanks!
I would like to add that it is JUST the cPanel services that I cannot access through Firefox. My normal site, I can go there just fine. But any of the cPanel subdomains like cpanel.example.com, webmail.example.com, whm.example.com, they don't go. I have proxy subdomains turned off and I've manually created the subdomains myself and forward any visitors to the proper ports. I'm wondering if the OCSP stuff isn't being honored because of this... that would really suck if that was the case. To my knowledge, I don't think there's a way to configure AutoSSL with all the options that we have when we use Let's Encrypt directly. Unless things have changed. To my knowledge, there's no ocsp-must-staple option when using AutoSSL. If there were features like that, I would use the proxy subdomains instead of doing it manually. This is what I see when I try using openssl with one of the cPanel secure ports:
openssl s_client -connect example.com:2087 -status
CONNECTED(00000003)
OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF4jCCBMqgAwIBAgISBLAOMMBuLTZzGQhJ/GHlKw5XMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDMyMzAxMDBaFw0x
NzExMDEyMzAxMDBaMBkxFzAVBgNVBAMTDnd3dy5qZXRiYnMuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1uuVr+FqzpSYdt9vDolkgFEmaDDfjPjw
C+KktOqLqjs97psdYvK/BsLgRlC6IjIYWDhtyGhQGo/OOdKqoxb2mgm96GAPXie1
//Y8I5IY8umiw6MEbNZ1MtWKZkLWilY9qyYiiFm6+cKrqqHivHpdgc0HWDWmU/Kc
xR9Uje7Vj2R3Ge636tX+Q4A3l0ZP2jtVgtFyZswDMga7/Zzmr9dia1r67vBtXCLN
GR4vamWX6yHVdTd7fGEOJAzD1052sgHbsr2TOpxBHvyN8jrpTgrEc30C0Y4Ql6yI
zmY9Q1Qejey4ec8nuxBAT1Ii/OzAU9rKTEHpPAKZZ+iLc7R4lSWarQIDAQABo4IC
8TCCAu0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRZ/DDpe3eu2fyTneNZmrTyMFq7
xzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMIHoBgNVHREEgeAwgd2CEWNwYW5lbC5qZXRiYnMuY29tghZjcGNhbGVuZGFy
cy5qZXRiYnMuY29tghVjcGNvbnRhY3RzLmpldGJicy5jb22CE2ZyYW5rbGluLmpl
dGJicy5jb22CDmdpdC5qZXRiYnMuY29tgg9pcHY0LmpldGJicy5jb22CD2lwdjYu
amV0YmJzLmNvbYIKamV0YmJzLmNvbYISd2ViZGlzay5qZXRiYnMuY29tghJ3ZWJt
YWlsLmpldGJicy5jb22CDndobS5qZXRiYnMuY29tgg53d3cuamV0YmJzLmNvbTAR
BggrBgEFBQcBGAQFMAMCAQUwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysG
AQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0
Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5
IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBh
Y2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBo
dHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsF
AAOCAQEACmuatjIRcchOkynDEif105UpiKTWTVq+3h6t+vZup2csdxP2usGoKvl4
65T6pASmBYDtS8U2AtB+AgUODERJ6DGSZRLwWzxM94qB6G7J3mM7vB2boourqani
pRFQkPLLbJ4arPfrFqgQ0aiOal/RElAd59LCmceOdJrLhRJOzCgh0p7a0eRSiHGW
zcbZnrnHyIadyrblijEJIS0sIa6/xXbOyi7hGh3tXMBcmitHIq324Kakuc/RQGVy
AtIV/bLtTsorTthYrM67ShEV9XeYAdZmetfIjbJiY1ecQ6FVJ2iVxjskMaC23Q1i
ym4l3nJtIbqA3vjIGtF+QkV6C9U5/w==
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3346 bytes and written 382 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ED1E21F2473DBEB8C755D1DD64234CDF4325A1F47F7A15D7497694019E59F533
    Session-ID-ctx:
    Master-Key: 12A445B481186960CE8628DB80B677C29F86258073F16947411B6BAB082CCB445943EA369CEE9C8C3ECCA71B71140311
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 70 2f b7 6a 7b ca 2e c6-25 8a 18 a9 67 ef bb da   p/.j{...%...g...
    0010 - 7e a5 15 e9 51 e4 96 7f-9a 3d 83 04 a9 6e f1 49   ~...Q....=...n.I
    0020 - 09 5a 90 9f 2f e0 5b 22-9a 7f a9 1f 94 e5 28 dc   .Z../.["......(.
    0030 - ad 23 e0 24 09 c4 fb cf-76 29 70 b5 5e fe cf 28   .#.$....v)p.^..(
    0040 - 83 23 0a 55 85 20 7b 0f-76 87 31 ba e9 16 3a a8   .#.U. {.v.1...:.
    0050 - 15 99 8d 1c 88 33 33 e9-5f 68 20 6c 90 46 d6 d3   .....33._h l.F..
    0060 - 23 18 33 bf de f9 66 a8-75 80 99 55 13 25 68 0a   #.3...f.u..U.%h.
    0070 - 0b 05 31 5e 1f 63 49 38-79 a2 54 d0 51 7a 5c b3   ..1^.cI8y.T.Qz\.
    0080 - 5d a3 30 2e 62 cd d2 ec-56 db 6c e9 ff 3a b4 a5   ].0.b...V.l..:..
    0090 - 24 f0 b2 27 c6 18 34 b4-5b 08 07 98 a6 4d f6 08   $..'..4.[....M..

    Start Time: 1503289502
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
Thanks.
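The two checks in this thread (does the certificate carry the must-staple TLS Feature extension, and does the server on that port actually send a stapled OCSP response) can be combined into one script, so the Firefox failure mode can be predicted before a browser sees it. The following is an added example and not code from the post or from cPanel: it walks the certificate's DER with a small hand-written TLV reader (a production tool would use a full X.509 parser such as the cryptography package's x509.TLSFeature), looks for the id-pe-tlsfeature extension (OID 1.3.6.1.5.5.7.1.24, RFC 7633) and reads the feature list inside it, then interprets the OCSP lines that `openssl s_client -status` prints. The sample certificate is the one pasted in the s_client output above; the s_client excerpt is the port-2087 result from the same post; the extension-less DER used as a negative case is constructed for the example.

```python
import base64

# OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature, RFC 7633) in DER form.
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension number for status_request, i.e. "must-staple"


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def walk(buf):
    """Yield every (tag, value) in buf depth first, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:  # constructed bit: SEQUENCE, SET, [n] EXPLICIT wrappers
            yield from walk(value)


def tls_features_der(der):
    """Feature numbers from the TLS Feature extension, or None if the certificate has none."""
    for tag, value in walk(der):
        if tag != 0x30 or len(value) < 2:
            continue
        t, oid, pos = der_tlv(value)
        if t != 0x06 or oid != TLS_FEATURE_OID:
            continue  # a SEQUENCE, but not this extension
        t, inner, pos = der_tlv(value, pos)
        if t == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
            t, inner, pos = der_tlv(value, pos)
        _, seq, _ = der_tlv(inner)  # extnValue OCTET STRING holds SEQUENCE OF INTEGER
        return [int.from_bytes(v, "big") for t, v in walk(seq) if t == 0x02]
    return None


def tls_features_pem(pem):
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return tls_features_der(base64.b64decode(body))


def must_staple(pem):
    feats = tls_features_pem(pem)
    return feats is not None and STATUS_REQUEST in feats


def staple_sent(s_client_output):
    """True if 'openssl s_client -status' showed a stapled OCSP response in the handshake."""
    return "OCSP Response Status: successful" in s_client_output


def firefox_verdict(pem, s_client_output):
    """Must-staple asserted but nothing stapled is exactly what Firefox rejects."""
    if must_staple(pem) and not staple_sent(s_client_output):
        return "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING"
    return "ok"


# Server certificate as pasted in the post above (copied, not constructed).
SERVER_CERT = """-----BEGIN CERTIFICATE-----
MIIF4jCCBMqgAwIBAgISBLAOMMBuLTZzGQhJ/GHlKw5XMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDMyMzAxMDBaFw0x
NzExMDEyMzAxMDBaMBkxFzAVBgNVBAMTDnd3dy5qZXRiYnMuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1uuVr+FqzpSYdt9vDolkgFEmaDDfjPjw
C+KktOqLqjs97psdYvK/BsLgRlC6IjIYWDhtyGhQGo/OOdKqoxb2mgm96GAPXie1
//Y8I5IY8umiw6MEbNZ1MtWKZkLWilY9qyYiiFm6+cKrqqHivHpdgc0HWDWmU/Kc
xR9Uje7Vj2R3Ge636tX+Q4A3l0ZP2jtVgtFyZswDMga7/Zzmr9dia1r67vBtXCLN
GR4vamWX6yHVdTd7fGEOJAzD1052sgHbsr2TOpxBHvyN8jrpTgrEc30C0Y4Ql6yI
zmY9Q1Qejey4ec8nuxBAT1Ii/OzAU9rKTEHpPAKZZ+iLc7R4lSWarQIDAQABo4IC
8TCCAu0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRZ/DDpe3eu2fyTneNZmrTyMFq7
xzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
MGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
cmcvMIHoBgNVHREEgeAwgd2CEWNwYW5lbC5qZXRiYnMuY29tghZjcGNhbGVuZGFy
cy5qZXRiYnMuY29tghVjcGNvbnRhY3RzLmpldGJicy5jb22CE2ZyYW5rbGluLmpl
dGJicy5jb22CDmdpdC5qZXRiYnMuY29tgg9pcHY0LmpldGJicy5jb22CD2lwdjYu
amV0YmJzLmNvbYIKamV0YmJzLmNvbYISd2ViZGlzay5qZXRiYnMuY29tghJ3ZWJt
YWlsLmpldGJicy5jb22CDndobS5qZXRiYnMuY29tgg53d3cuamV0YmJzLmNvbTAR
BggrBgEFBQcBGAQFMAMCAQUwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysG
AQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0
Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5
IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBh
Y2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBo
dHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsF
AAOCAQEACmuatjIRcchOkynDEif105UpiKTWTVq+3h6t+vZup2csdxP2usGoKvl4
65T6pASmBYDtS8U2AtB+AgUODERJ6DGSZRLwWzxM94qB6G7J3mM7vB2boourqani
pRFQkPLLbJ4arPfrFqgQ0aiOal/RElAd59LCmceOdJrLhRJOzCgh0p7a0eRSiHGW
zcbZnrnHyIadyrblijEJIS0sIa6/xXbOyi7hGh3tXMBcmitHIq324Kakuc/RQGVy
AtIV/bLtTsorTthYrM67ShEV9XeYAdZmetfIjbJiY1ecQ6FVJ2iVxjskMaC23Q1i
ym4l3nJtIbqA3vjIGtF+QkV6C9U5/w==
-----END CERTIFICATE-----
"""

# First lines of the port-2087 's_client -status' output from the post above (copied).
S_CLIENT_2087 = "CONNECTED(00000003)\nOCSP response: no response sent\n"

# Constructed negative case: a SEQUENCE holding only a keyUsage extension, no TLS Feature.
NO_FEATURE_DER = bytes.fromhex("3010300e0603551d0f0101ff040403020780")

if __name__ == "__main__":
    print("TLS features:", tls_features_pem(SERVER_CERT))
    print("verdict for :2087:", firefox_verdict(SERVER_CERT, S_CLIENT_2087))
```

Run against a live port, the second input is simply the captured text of `openssl s_client -connect host:port -status`, the same command the post uses; the certificate check reports [5] for this certificate, which is the status_request feature Firefox enforces when security.ssl.enable_ocsp_must_staple is true, and the missing staple on the cPanel port turns that into the exact error code seen in the first post.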
Hi @Spork Schivago, The socache_shmcb_module section of your Apache configuration file matches what I see on a test system, however I'm unable to reproduce the issue you have described. Could you open a support ticket using the link in my signature so we can take a closer look to see what's happening? You can post the ticket number here and we will update this thread with the outcome. Thanks! 0 -
Okay @cPanelMichael, but I think I might know what's going on. I'm thinking it's how I have the proxy-subdomains turned off and how I manually redirect traffic from the various cpanel service subdomains to the cpanel ports. I think if I turn proxy-subdomains on, and use AutoSSL, problems might fix themselves.... I don't think I need to manually create certificates anymore. I think AutoSSL might have matured enough now where it supports all the features I need. Could you please take a look at my post here and just see if AutoSSL fulfills my requirements? I'm a bit nervous playing around with it. I know there's a limit of requests for Let's Encrypt and I'd hate to use up that limit by playing with AutoSSL and everything, especially since I'm on the preloading list. Thanks!
Could you please take a look at my post here and just see if AutoSSL fulfills my requirements? I'm a bit nervous playing around with it. I know there's a limit of requests for Let's Encrypt and I'd hate to use up that limit by playing with AutoSSL and everything, especially since I'm on the preloading list.
I've sent a reply to that thread. Thanks!
Solved the problem.