Re: patchwork.ipfire.org does not supply OCSP information

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2323 bytes --]

It is fixed again.

> On 13 Oct 2019, at 12:17, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
>> Hello Matthias,
> 
> Hi Peter,
> 
>> thanks for noticing this.
> 
> No problem - should I open a "Bugzilla" for this?

Yes, you can do that if you want to in the Infrastructure section.

> 
> Best,
> Matthias
> 
>> This happens if a server presents a certificate with the "OCSP must stapling"
>> flag set, but does not supply valid OCSP information at the same time. Since
>> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
>> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
>> to be a better option.
>> 
>> As far as I am concerned, we have those flag set on all of our certificates
>> except for mail01, as mail server usually do not support OCSP.
>> 
>> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
>> in several browsers and from several countries. Forum, Wiki, et al. seem to
>> work fine. This looks like a server configuration issue, the certificates
>> issued by Let's Encrypt are fine.
>> 
>> @Michael: Could you have a look at this?
>> 
>> Thanks, and best regards,
>> Peter Müller
>> 
>> 
>>> Hi,
>>> 
>>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>> 
>>> ***SNIP***
>>> Secure Connection Failed
>>> 
>>> An error occurred during a connection to patchwork.ipfire.org. A
>>> required TLS feature is missing. Error code:
>>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>> 
>>>    The page you are trying to view cannot be shown because the
>>> authenticity of the received data could not be verified.
>>>    Please contact the website owners to inform them of this problem.
>>> ***SNAP***
>>> 
>>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>>> "false" temporarily fixes this, but could it be that there is a problem
>>> with the "Let's Encrypt" certificate!?
>>> 
>>> Can anyone confirm?
>>> 
>>> Best,
>>> Matthias
>>> 
>>> P.S.: Possible solution (german!)
>>> =>
>>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>> 
>> 
>