It is fixed again. > On 13 Oct 2019, at 12:17, Matthias Fischer wrote: > > On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote: >> Hello Matthias, > > Hi Peter, > >> thanks for noticing this. > > No problem - should I open a "Bugzilla" for this? Yes, you can do that if you want to in the Infrastructure section. > > Best, > Matthias > >> This happens if a server presents a certificate with the "OCSP must stapling" >> flag set, but does not supply valid OCSP information at the same time. Since >> OCSP has some major disadvantages if used by clients (DoS vs. fail-open >> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered >> to be a better option. >> >> As far as I am concerned, we have those flag set on all of our certificates >> except for mail01, as mail server usually do not support OCSP. >> >> I can confirm visiting https://patchwork.ipfire.org/ shows the same error, >> in several browsers and from several countries. Forum, Wiki, et al. seem to >> work fine. This looks like a server configuration issue, the certificates >> issued by Let's Encrypt are fine. >> >> @Michael: Could you have a look at this? >> >> Thanks, and best regards, >> Peter Müller >> >> >>> Hi, >>> >>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page >>> several times doesn't help. Firefox 69.0.3 keeps telling me: >>> >>> ***SNIP*** >>> Secure Connection Failed >>> >>> An error occurred during a connection to patchwork.ipfire.org. A >>> required TLS feature is missing. Error code: >>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING >>> >>> The page you are trying to view cannot be shown because the >>> authenticity of the received data could not be verified. >>> Please contact the website owners to inform them of this problem. >>> ***SNAP*** >>> >>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to >>> "false" temporarily fixes this, but could it be that there is a problem >>> with the "Let's Encrypt" certificate!? >>> >>> Can anyone confirm? >>> >>> Best, >>> Matthias >>> >>> P.S.: Possible solution (german!) >>> => >>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/ >>> >> >