On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
> Hello Matthias,

Hi Peter,

> thanks for noticing this.

No problem - should I open a "Bugzilla" for this?

Best,
Matthias

> This happens if a server presents a certificate with the "OCSP must stapling"
> flag set, but does not supply valid OCSP information at the same time. Since
> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
> to be a better option.
> 
> As far as I am concerned, we have that flag set on all of our certificates
> except for mail01, as mail servers usually do not support OCSP.
> 
> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
> in several browsers and from several countries. Forum, Wiki, et al. seem to
> work fine. This looks like a server configuration issue; the certificates
> issued by Let's Encrypt are fine.
> 
> @Michael: Could you have a look at this?
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hi,
>> 
>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>> 
>> ***SNIP***
>> Secure Connection Failed
>> 
>> An error occurred during a connection to patchwork.ipfire.org. A
>> required TLS feature is missing. Error code:
>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>> 
>>     The page you are trying to view cannot be shown because the
>> authenticity of the received data could not be verified.
>>     Please contact the website owners to inform them of this problem.
>> ***SNAP***
>> 
>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>> "false" temporarily fixes this, but could it be that there is a problem
>> with the "Let's Encrypt" certificate!?
>> 
>> Can anyone confirm?
>> 
>> Best,
>> Matthias
>> 
>> P.S.: Possible solution (German!)
>> =>
>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>> 
>
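
The failure mode described in this thread (a certificate carrying the must-staple flag while the server sends no valid stapled OCSP response) can be checked from OpenSSL's text output. The following is an added example, not part of the original mails or of IPFire's tooling; the function names are hypothetical, the sample text is constructed, and the output formats of OpenSSL 1.1.0 or later are assumed.

```shell
# Constructed samples imitating OpenSSL 1.1.0+ text output (not from a real host).
CERT_MUST_STAPLE='        X509v3 extensions:
            TLS Feature:
                status_request
            X509v3 Subject Alternative Name:
                DNS:example.test'
HANDSHAKE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---'
HANDSHAKE_GOOD_STAPLE='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

# Returns 0 if "openssl x509 -noout -text" output ($1) lists the TLS Feature
# extension with status_request, i.e. the certificate is OCSP must-staple.
has_must_staple() {
    printf '%s\n' "$1" | awk '
        /TLS Feature/         { f = 1; next }   # value is on the next line
        f && /status_request/ { found = 1 }
        f && NF               { f = 0 }         # only inspect that one line
        END                   { exit !found }'
}

# Classifies "openssl s_client -status" output ($1) as none, good or invalid.
staple_state() {
    case $1 in
        *'OCSP response: no response sent'*) echo none ;;
        *'OCSP Response Status: successful'*'Cert Status: good'*) echo good ;;
        *) echo invalid ;;
    esac
}

# $1 = certificate text, $2 = handshake text; prints a one-line verdict.
must_staple_verdict() {
    state=$(staple_state "$2")
    if ! has_must_staple "$1"; then
        echo "ok: certificate is not must-staple (staple: $state)"
    elif [ "$state" = good ]; then
        echo "ok: must-staple certificate with a good stapled response"
    else
        echo "broken: must-staple certificate, staple: $state"
    fi
}

# Live use (needs network; HOST is a placeholder):
#   hs=$(openssl s_client -connect HOST:443 -servername HOST -status </dev/null 2>/dev/null)
#   must_staple_verdict "$(printf '%s\n' "$hs" | openssl x509 -noout -text)" "$hs"
must_staple_verdict "$CERT_MUST_STAPLE" "$HANDSHAKE_NO_STAPLE"
```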