Re: Problems with let's encrypt
On 21/09/2021 15:16, Rainer Jung wrote:
> On 21.09.2021 at 14:39, Christopher Schultz wrote:
>> Jean-Frederic,
>>
>> On 9/21/21 08:17, jean-frederic clere wrote:
>>> On 19/09/2021 15:22, Christopher Schultz wrote:
>>>> Jean-Frederic,
>>>>
>>>> On 9/19/21 03:09, jean-frederic clere wrote:
>>>>> Hi,
>>>>>
>>>>> I have some problems with let's encrypt certificates and firefox, basically I get:
>>>>>
>>>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>>
>>>>> It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate works with httpd.
>>>>>
>>>>> The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration.
>>>>>
>>>>> Does anyone have the same problem?
>>>>>
>>>>> I think it is related to
>>>>> +++
>>>>> Authority Information Access:
>>>>>     OCSP - URI:http://r3.o.lencr.org
>>>>>     CA Issuers - URI:http://r3.i.lencr.org/
>>>>> +++
>>>>> and SSLUseStapling On
>>>>
>>>> Does your certificate have the Must-Staple extension/feature in it? If the cert has the Must-Staple feature, then the server must provide stapling.
>>>>
>>>> Is it a surprise to you that your cert has this extension enabled? I think you have to specifically request Must-Staple when requesting a cert from LE.
>>>
>>> Maybe it is related to the fact that I am using mod_md in Apache httpd and just moved the certificate/key to use the pair in tomcat. And yes, I have the Must-Staple in the certificate but I don't know why...
>>
>> If you had mod_md request the cert, I suspect it included "must staple" in the request, since mod_md should be performing the stapling internally.
>>
>> If you copied the cert from that environment into Tomcat, then you will likely have to enable stapling there, in Tomcat, too.
>>
>> -chris
>
> Default for MustStaple in mod_md should be off, but it is configurable:
>
> http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple
>
> I have not checked whether the default changed or whether the must staple of the old certificate that needs renewal comes into play.

Correct, I have:

ServerAdmin jfcl...@gmail.com
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain jfclere.myddns.me
MDMustStaple On

So yes, I have MDMustStaple On and SSLUseStapling On in the httpd VirtualHost configuration.

Note: using MDRenewWindow 60s renews the cert and fixes the "problem".

If I have time I will look at how to add the SSLUseStapling to tomcat, but that is probably not urgent ;-)

> Regards,
>
> Rainer

--
Cheers

Jean-Frederic

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Problems with let's encrypt
On 21.09.2021 at 14:39, Christopher Schultz wrote:
> Jean-Frederic,
>
> On 9/21/21 08:17, jean-frederic clere wrote:
>> On 19/09/2021 15:22, Christopher Schultz wrote:
>>> Jean-Frederic,
>>>
>>> On 9/19/21 03:09, jean-frederic clere wrote:
>>>> Hi,
>>>>
>>>> I have some problems with let's encrypt certificates and firefox, basically I get:
>>>>
>>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>
>>>> It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate works with httpd.
>>>>
>>>> The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration.
>>>>
>>>> Does anyone have the same problem?
>>>>
>>>> I think it is related to
>>>> +++
>>>> Authority Information Access:
>>>>     OCSP - URI:http://r3.o.lencr.org
>>>>     CA Issuers - URI:http://r3.i.lencr.org/
>>>> +++
>>>> and SSLUseStapling On
>>>
>>> Does your certificate have the Must-Staple extension/feature in it? If the cert has the Must-Staple feature, then the server must provide stapling.
>>>
>>> Is it a surprise to you that your cert has this extension enabled? I think you have to specifically request Must-Staple when requesting a cert from LE.
>>
>> Maybe it is related to the fact that I am using mod_md in Apache httpd and just moved the certificate/key to use the pair in tomcat. And yes, I have the Must-Staple in the certificate but I don't know why...
>
> If you had mod_md request the cert, I suspect it included "must staple" in the request, since mod_md should be performing the stapling internally.
>
> If you copied the cert from that environment into Tomcat, then you will likely have to enable stapling there, in Tomcat, too.
>
> -chris

Default for MustStaple in mod_md should be off, but it is configurable:

http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple

I have not checked whether the default changed or whether the must staple of the old certificate that needs renewal comes into play.

Regards,

Rainer
Re: Problems with let's encrypt
Jean-Frederic,

On 9/21/21 08:17, jean-frederic clere wrote:
> On 19/09/2021 15:22, Christopher Schultz wrote:
>> Jean-Frederic,
>>
>> On 9/19/21 03:09, jean-frederic clere wrote:
>>> Hi,
>>>
>>> I have some problems with let's encrypt certificates and firefox, basically I get:
>>>
>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>
>>> It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate works with httpd.
>>>
>>> The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration.
>>>
>>> Does anyone have the same problem?
>>>
>>> I think it is related to
>>> +++
>>> Authority Information Access:
>>>     OCSP - URI:http://r3.o.lencr.org
>>>     CA Issuers - URI:http://r3.i.lencr.org/
>>> +++
>>> and SSLUseStapling On
>>
>> Does your certificate have the Must-Staple extension/feature in it? If the cert has the Must-Staple feature, then the server must provide stapling.
>>
>> Is it a surprise to you that your cert has this extension enabled? I think you have to specifically request Must-Staple when requesting a cert from LE.
>
> Maybe it is related to the fact that I am using mod_md in Apache httpd and just moved the certificate/key to use the pair in tomcat. And yes, I have the Must-Staple in the certificate but I don't know why...

If you had mod_md request the cert, I suspect it included "must staple" in the request, since mod_md should be performing the stapling internally.

If you copied the cert from that environment into Tomcat, then you will likely have to enable stapling there, in Tomcat, too.

-chris
Re: Problems with let's encrypt
On 19/09/2021 15:22, Christopher Schultz wrote:
> Jean-Frederic,
>
> On 9/19/21 03:09, jean-frederic clere wrote:
>> Hi,
>>
>> I have some problems with let's encrypt certificates and firefox, basically I get:
>>
>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>
>> It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate works with httpd.
>>
>> The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration.
>>
>> Does anyone have the same problem?
>>
>> I think it is related to
>> +++
>> Authority Information Access:
>>     OCSP - URI:http://r3.o.lencr.org
>>     CA Issuers - URI:http://r3.i.lencr.org/
>> +++
>> and SSLUseStapling On
>
> Does your certificate have the Must-Staple extension/feature in it? If the cert has the Must-Staple feature, then the server must provide stapling.
>
> Is it a surprise to you that your cert has this extension enabled? I think you have to specifically request Must-Staple when requesting a cert from LE.

Maybe it is related to the fact that I am using mod_md in Apache httpd and just moved the certificate/key to use the pair in tomcat. And yes, I have the Must-Staple in the certificate but I don't know why...

> -chris

--
Cheers

Jean-Frederic
Re: Problems with let's encrypt
Jean-Frederic,

On 9/19/21 03:09, jean-frederic clere wrote:
> Hi,
>
> I have some problems with let's encrypt certificates and firefox, basically I get:
>
> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>
> It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate works with httpd.
>
> The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration.
>
> Does anyone have the same problem?
>
> I think it is related to
> +++
> Authority Information Access:
>     OCSP - URI:http://r3.o.lencr.org
>     CA Issuers - URI:http://r3.i.lencr.org/
> +++
> and SSLUseStapling On

Does your certificate have the Must-Staple extension/feature in it? If the cert has the Must-Staple feature, then the server must provide stapling.

Is it a surprise to you that your cert has this extension enabled? I think you have to specifically request Must-Staple when requesting a cert from LE.

-chris
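The question Chris asks above (does the certificate carry Must-Staple?) can be answered offline, without trusting the browser's error message. The script below is an added example written for this page, not code from Tomcat, tomcat-native, httpd or mod_md. It walks a DER-encoded X.509 certificate with a small standard-library-only DER reader, finds the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, the extension behind "OCSP Must-Staple") and reports whether its feature list contains status_request (5). That is the combination Firefox checks before rejecting a connection with MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING when the server sends no stapled OCSP response. The sample input is a hand-built Extensions block constructed for the demo, not a real Let's Encrypt certificate; the script file name in the usage comment is assumed.

```python
"""Report whether an X.509 certificate demands OCSP stapling (RFC 7633).

Added example for this thread; not code from Tomcat, httpd or mod_md.
Stdlib only: a minimal DER reader, enough to locate one extension.
"""
import ssl
import sys

# id-pe-tlsfeature (1.3.6.1.5.5.7.1.24), DER contents of the OID
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")

# TLS extension numbers RFC 7633 allows in the feature list
STATUS_REQUEST = 5
STATUS_REQUEST_V2 = 17
FEATURE_NAMES = {STATUS_REQUEST: "status_request",
                 STATUS_REQUEST_V2: "status_request_v2"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(contents):
    """Yield (tag, contents) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, inner, pos = _read_tlv(contents, pos)
        yield tag, inner


def _is_tls_feature_extension(seq_contents):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    #                          extnValue OCTET STRING }
    first = next(_children(seq_contents), None)
    return first is not None and first == (0x06, TLS_FEATURE_OID)


def _decode_feature_list(seq_contents):
    tag, octets = list(_children(seq_contents))[-1]   # extnValue is last
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    seq_tag, seq, _ = _read_tlv(octets, 0)             # SEQUENCE OF INTEGER
    if seq_tag != 0x30:
        raise ValueError("TLS Feature value is not a SEQUENCE")
    return [int.from_bytes(v, "big") for t, v in _children(seq) if t == 0x02]


def _scan(buf, found):
    """Depth-first walk through every constructed TLV until the extension is found."""
    pos = 0
    while pos < len(buf) and not found:
        tag, contents, pos = _read_tlv(buf, pos)
        if tag == 0x30 and _is_tls_feature_extension(contents):
            found.append(_decode_feature_list(contents))
        elif tag & 0x20:                      # constructed: SEQUENCE, SET, [n] EXPLICIT
            _scan(contents, found)


def tls_features(der):
    """Feature numbers listed in the TLS Feature extension, or None if absent."""
    found = []
    _scan(der, found)
    return found[0] if found else None


def requires_stapling(der):
    """True when the certificate is Must-Staple, i.e. lists status_request."""
    features = tls_features(der)
    return features is not None and STATUS_REQUEST in features


def _der(tag, contents):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def sample_extensions(features):
    """Constructed demo input (not a real Let's Encrypt certificate): the
    [3] EXPLICIT Extensions block of a certificate holding one TLS Feature
    extension that lists `features`."""
    feature_seq = _der(0x30, b"".join(_der(0x02, bytes([f])) for f in features))
    ext = _der(0x30, _der(0x06, TLS_FEATURE_OID) + _der(0x04, feature_seq))
    return _der(0xA3, _der(0x30, ext))


if __name__ == "__main__":
    # Usage: python3 muststaple.py cert.pem   (script name assumed)
    with open(sys.argv[1]) as fh:
        der = ssl.PEM_cert_to_DER_cert(fh.read())
    feats = tls_features(der)
    if feats is None:
        print("no TLS Feature extension: stapling is optional for this cert")
    else:
        names = ", ".join(FEATURE_NAMES.get(f, str(f)) for f in feats)
        print(f"TLS Feature: {names}; Must-Staple = {STATUS_REQUEST in feats}")
```

The same fact is visible with `openssl x509 -in cert.pem -noout -text`, which prints the extension under "TLS Feature" with the value "status_request". To confirm the server side, which is what Firefox actually enforces, `openssl s_client -connect host:443 -servername host -status </dev/null` shows an "OCSP Response Data" block when the server staples and "OCSP response: no response sent" when it does not; the latter, combined with a Must-Staple certificate, is exactly the case Firefox refuses.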
Problems with let's encrypt
Hi,

I have some problems with let's encrypt certificates and firefox, basically I get:

Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

It looks like tomcat and tomcat-native are missing something with my certificate, the same certificate works with httpd.

The work-around is security.ssl.enable_ocsp_must_staple=false in the firefox configuration.

Does anyone have the same problem?

I think it is related to
+++
Authority Information Access:
    OCSP - URI:http://r3.o.lencr.org
    CA Issuers - URI:http://r3.i.lencr.org/
+++
and SSLUseStapling On

--
Cheers

Jean-Frederic