On 13.10.2019 18:01, Michael Tremer wrote:
> It is fixed again.

Yes, it's fixed - tested and confirmed.

Thanks again! ;-)

>> On 13 Oct 2019, at 12:17, Matthias Fischer wrote:
>>
>> On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
>>> Hello Matthias,
>>
>> Hi Peter,
>>
>>> thanks for noticing this.
>>
>> No problem - should I open a "Bugzilla" for this?
>
> Yes, you can do that if you want to in the Infrastructure section.
>
>>
>> Best,
>> Matthias
>>
>>> This happens if a server presents a certificate with the "OCSP must stapling"
>>> flag set, but does not supply valid OCSP information at the same time. Since
>>> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
>>> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
>>> to be a better option.
>>>
>>> As far as I am concerned, we have that flag set on all of our certificates
>>> except for mail01, as mail servers usually do not support OCSP.
>>>
>>> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
>>> in several browsers and from several countries. Forum, Wiki, et al. seem to
>>> work fine. This looks like a server configuration issue, the certificates
>>> issued by Let's Encrypt are fine.
>>>
>>> @Michael: Could you have a look at this?
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Hi,
>>>>
>>>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>>>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>>>
>>>> ***SNIP***
>>>> Secure Connection Failed
>>>>
>>>> An error occurred during a connection to patchwork.ipfire.org. A
>>>> required TLS feature is missing. Error code:
>>>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>
>>>> The page you are trying to view cannot be shown because the
>>>> authenticity of the received data could not be verified.
>>>> Please contact the website owners to inform them of this problem.
>>>> ***SNAP***
>>>>
>>>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>>>> "false" temporarily fixes this, but could it be that there is a problem
>>>> with the "Let's Encrypt" certificate!?
>>>>
>>>> Can anyone confirm?
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>> P.S.: Possible solution (German!)
>>>> =>
>>>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>>>
>>>
>>
>
>
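
Added example, not part of the original thread and not code from Firefox, nginx or the IPFire project: a Python version of the check Peter describes, decoding a certificate's TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) and flagging the case where must-staple is set but no valid OCSP response was stapled. The function names and the sample bytes are constructed for illustration; whether a valid staple arrived is passed in as an assumption rather than read from a live handshake.

```python
# Added example: names and sample bytes are constructed, not taken from the thread.
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # id-pe-tlsfeature, RFC 7633
STATUS_REQUEST = 5                       # TLS extension id for OCSP stapling


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element (definite lengths only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def parse_tls_features(ext_value):
    """Decode the extension value (SEQUENCE OF INTEGER) into TLS extension ids."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("TLS Feature value must be exactly one SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02 or not val:
            raise ValueError("expected a non-empty INTEGER")
        features.append(int.from_bytes(val, "big", signed=True))
    return features


def must_staple_violation(ext_value, valid_staple_received):
    """True when the certificate requires stapling and no valid staple arrived.

    ext_value: raw TLS Feature extension bytes, or None if the cert lacks it.
    valid_staple_received: caller's observation of the handshake (assumption).
    """
    if ext_value is None:
        return False
    return STATUS_REQUEST in parse_tls_features(ext_value) and not valid_staple_received


# Constructed sample: SEQUENCE { INTEGER 5 }, the encoding of "must-staple".
MUST_STAPLE = bytes.fromhex("3003020105")
```

A True result corresponds to the situation in the thread: the certificate itself is fine, but the server has to be fixed to staple a valid OCSP response.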