* patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
From: Matthias Fischer @ 2019-10-12 23:25 UTC
To: development

Hi,

today, suddenly patchwork.ipfire.org stopped working. Reloading the page
several times doesn't help. Firefox 69.0.3 keeps telling me:

***SNIP***
Secure Connection Failed

An error occurred during a connection to patchwork.ipfire.org. A
required TLS feature is missing. Error code:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
***SNAP***

Setting "security.ssl.enable_ocsp_must_staple" in about:config to
"false" temporarily fixes this, but could it be that there is a problem
with the "Let's Encrypt" certificate!?

Can anyone confirm?

Best,
Matthias

P.S.: Possible solution (German!)
=>
https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/

* patchwork.ipfire.org does not supply OCSP information (was: Re: patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING)
From: peter.mueller @ 2019-10-13 9:31 UTC
To: development

Hello Matthias,

thanks for noticing this.

This happens if a server presents a certificate with the "OCSP must stapling"
flag set, but does not supply valid OCSP information at the same time. Since
OCSP has some major disadvantages if used by clients (DoS vs. fail-open
behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
to be a better option.

As far as I am concerned, we have that flag set on all of our certificates
except for mail01, as mail servers usually do not support OCSP.

I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
in several browsers and from several countries. Forum, Wiki, et al. seem to
work fine. This looks like a server configuration issue, the certificates
issued by Let's Encrypt are fine.

@Michael: Could you have a look at this?

Thanks, and best regards,
Peter Müller

> Hi,
>
> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
> several times doesn't help. Firefox 69.0.3 keeps telling me:
>
> ***SNIP***
> Secure Connection Failed
>
> An error occurred during a connection to patchwork.ipfire.org. A
> required TLS feature is missing. Error code:
> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.
> ***SNAP***
>
> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
> "false" temporarily fixes this, but could it be that there is a problem
> with the "Let's Encrypt" certificate!?
>
> Can anyone confirm?
>
> Best,
> Matthias
>
> P.S.: Possible solution (German!)
> =>
> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>

* Re: patchwork.ipfire.org does not supply OCSP information
From: Matthias Fischer @ 2019-10-13 11:17 UTC
To: development

On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
> Hello Matthias,

Hi Peter,

> thanks for noticing this.

No problem - should I open a "Bugzilla" for this?

Best,
Matthias

> This happens if a server presents a certificate with the "OCSP must stapling"
> flag set, but does not supply valid OCSP information at the same time. Since
> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
> to be a better option.
>
> As far as I am concerned, we have that flag set on all of our certificates
> except for mail01, as mail servers usually do not support OCSP.
>
> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
> in several browsers and from several countries. Forum, Wiki, et al. seem to
> work fine. This looks like a server configuration issue, the certificates
> issued by Let's Encrypt are fine.
>
> @Michael: Could you have a look at this?
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hi,
>>
>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>
>> ***SNIP***
>> Secure Connection Failed
>>
>> An error occurred during a connection to patchwork.ipfire.org. A
>> required TLS feature is missing. Error code:
>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>
>> The page you are trying to view cannot be shown because the
>> authenticity of the received data could not be verified.
>> Please contact the website owners to inform them of this problem.
>> ***SNAP***
>>
>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>> "false" temporarily fixes this, but could it be that there is a problem
>> with the "Let's Encrypt" certificate!?
>>
>> Can anyone confirm?
>>
>> Best,
>> Matthias
>>
>> P.S.: Possible solution (German!)
>> =>
>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>
>

* Re: patchwork.ipfire.org does not supply OCSP information
From: Michael Tremer @ 2019-10-13 16:01 UTC
To: development

It is fixed again.

> On 13 Oct 2019, at 12:17, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
>> Hello Matthias,
>
> Hi Peter,
>
>> thanks for noticing this.
>
> No problem - should I open a "Bugzilla" for this?

Yes, you can do that if you want to in the Infrastructure section.

>
> Best,
> Matthias
>
>> This happens if a server presents a certificate with the "OCSP must stapling"
>> flag set, but does not supply valid OCSP information at the same time. Since
>> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
>> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
>> to be a better option.
>>
>> As far as I am concerned, we have that flag set on all of our certificates
>> except for mail01, as mail servers usually do not support OCSP.
>>
>> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
>> in several browsers and from several countries. Forum, Wiki, et al. seem to
>> work fine. This looks like a server configuration issue, the certificates
>> issued by Let's Encrypt are fine.
>>
>> @Michael: Could you have a look at this?
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hi,
>>>
>>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>>
>>> ***SNIP***
>>> Secure Connection Failed
>>>
>>> An error occurred during a connection to patchwork.ipfire.org. A
>>> required TLS feature is missing. Error code:
>>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>
>>> The page you are trying to view cannot be shown because the
>>> authenticity of the received data could not be verified.
>>> Please contact the website owners to inform them of this problem.
>>> ***SNAP***
>>>
>>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>>> "false" temporarily fixes this, but could it be that there is a problem
>>> with the "Let's Encrypt" certificate!?
>>>
>>> Can anyone confirm?
>>>
>>> Best,
>>> Matthias
>>>
>>> P.S.: Possible solution (German!)
>>> =>
>>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>>
>>
>

* Re: patchwork.ipfire.org does not supply OCSP information
From: Matthias Fischer @ 2019-10-13 16:20 UTC
To: development

On 13.10.2019 18:01, Michael Tremer wrote:
> It is fixed again.

Yes, it's fixed - tested and confirmed.

Thanks again! ;-)

>> On 13 Oct 2019, at 12:17, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
>>> Hello Matthias,
>>
>> Hi Peter,
>>
>>> thanks for noticing this.
>>
>> No problem - should I open a "Bugzilla" for this?
>
> Yes, you can do that if you want to in the Infrastructure section.
>
>>
>> Best,
>> Matthias
>>
>>> This happens if a server presents a certificate with the "OCSP must stapling"
>>> flag set, but does not supply valid OCSP information at the same time. Since
>>> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
>>> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
>>> to be a better option.
>>>
>>> As far as I am concerned, we have that flag set on all of our certificates
>>> except for mail01, as mail servers usually do not support OCSP.
>>>
>>> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
>>> in several browsers and from several countries. Forum, Wiki, et al. seem to
>>> work fine. This looks like a server configuration issue, the certificates
>>> issued by Let's Encrypt are fine.
>>>
>>> @Michael: Could you have a look at this?
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Hi,
>>>>
>>>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>>>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>>>
>>>> ***SNIP***
>>>> Secure Connection Failed
>>>>
>>>> An error occurred during a connection to patchwork.ipfire.org. A
>>>> required TLS feature is missing. Error code:
>>>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>
>>>> The page you are trying to view cannot be shown because the
>>>> authenticity of the received data could not be verified.
>>>> Please contact the website owners to inform them of this problem.
>>>> ***SNAP***
>>>>
>>>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>>>> "false" temporarily fixes this, but could it be that there is a problem
>>>> with the "Let's Encrypt" certificate!?
>>>>
>>>> Can anyone confirm?
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>> P.S.: Possible solution (German!)
>>>> =>
>>>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>>>
>>>
>>
>
>

* Re: patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
From: Michael Tremer @ 2019-10-13 13:05 UTC
To: development

Hi,

Thank you for raising this.

This was caused by haproxy which could not be reloaded because I played around with the IPv6 configuration of our main firewall in Hannover. Therefore the updated OCSP responses were not delivered.

It is fixed now and you should change your setting back.

Best,
-Michael

> On 13 Oct 2019, at 00:25, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> Hi,
>
> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
> several times doesn't help. Firefox 69.0.3 keeps telling me:
>
> ***SNIP***
> Secure Connection Failed
>
> An error occurred during a connection to patchwork.ipfire.org. A
> required TLS feature is missing. Error code:
> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.
> ***SNAP***
>
> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
> "false" temporarily fixes this, but could it be that there is a problem
> with the "Let's Encrypt" certificate!?
>
> Can anyone confirm?
>
> Best,
> Matthias
>
> P.S.: Possible solution (German!)
> =>
> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/

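Added example, not part of any message in this thread and not IPFire's own tooling: a monitoring check for the condition Peter describes (a Must-Staple certificate served without valid OCSP information) and for the root cause Michael reports (refreshed OCSP responses never reaching the proxy). It classifies the text output of `openssl x509 -noout -text` and `openssl s_client -status`; the function names, the one-day warning window and the sample outputs are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, abridged samples of `openssl x509 -noout -text` and
# `openssl s_client -status` output; not captured from any real host.
CERT_MUST_STAPLE = "X509v3 extensions:\n    TLS Feature:\n        status_request\n"
CERT_PLAIN = "X509v3 extensions:\n    X509v3 Basic Constraints: critical\n        CA:FALSE\n"
NO_STAPLE = "OCSP response: no response sent\n"
STAPLED = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Oct  6 10:00:00 2019 GMT
    Next Update: Oct 13 10:00:00 2019 GMT
"""

def requires_staple(cert_text):
    """True if the certificate text shows the TLS Feature extension
    (RFC 7633) asking for status_request, i.e. OCSP Must-Staple."""
    if re.search(r"TLS Feature:[^\n]*\n\s*status_request", cert_text):
        return True
    # Assumption: an OpenSSL build that does not know the extension prints its raw OID.
    return "1.3.6.1.5.5.7.1.24" in cert_text

def staple_state(cert_text, handshake_text, now, warn=timedelta(days=1)):
    """Classify what a client enforcing Must-Staple would see.
    Returns not-required, missing, bad, expired, stale or ok."""
    if not requires_staple(cert_text):
        return "not-required"
    if "OCSP Response Status: successful" not in handshake_text:
        return "missing"   # flag set, but no usable OCSP response stapled
    status = re.search(r"Cert Status: (\w+)", handshake_text)
    nxt = re.search(r"Next Update: (.+ GMT)", handshake_text)
    if not status or status.group(1) != "good" or not nxt:
        return "bad"
    expires = datetime.strptime(nxt.group(1), "%b %d %H:%M:%S %Y GMT")
    expires = expires.replace(tzinfo=timezone.utc)
    if expires <= now:
        return "expired"   # proxy is still serving an old response
    if expires - now < warn:
        return "stale"     # refresh or reload pipeline has likely stopped
    return "ok"

if __name__ == "__main__":
    t = datetime(2019, 10, 12, 23, 25, tzinfo=timezone.utc)  # constructed clock
    for cert, hs in ((CERT_MUST_STAPLE, NO_STAPLE), (CERT_MUST_STAPLE, STAPLED),
                     (CERT_PLAIN, NO_STAPLE)):
        print(staple_state(cert, hs, t))
```

Alerting on `stale` gives the operator time to repair a failed proxy reload before clients start rejecting the handshake.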
* Re: patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
From: Matthias Fischer @ 2019-10-13 15:58 UTC
To: development

Thanks for fixing! ;-)

On 13.10.2019 15:05, Michael Tremer wrote:
> Hi,
>
> Thank you for raising this.
>
> This was caused by haproxy which could not be reloaded because I played around with the IPv6 configuration of our main firewall in Hannover. Therefore the updated OCSP responses were not delivered.
>
> It is fixed now and you should change your setting back.
>
> Best,
> -Michael
>
>> On 13 Oct 2019, at 00:25, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> Hi,
>>
>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>
>> ***SNIP***
>> Secure Connection Failed
>>
>> An error occurred during a connection to patchwork.ipfire.org. A
>> required TLS feature is missing. Error code:
>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>
>> The page you are trying to view cannot be shown because the
>> authenticity of the received data could not be verified.
>> Please contact the website owners to inform them of this problem.
>> ***SNAP***
>>
>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>> "false" temporarily fixes this, but could it be that there is a problem
>> with the "Let's Encrypt" certificate!?
>>
>> Can anyone confirm?
>>
>> Best,
>> Matthias
>>
>> P.S.: Possible solution (German!)
>> =>
>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>
>