

trouble with firefox and ocsp-must-staple

Discussion in 'Security' started by Spork Schivago, Aug 20, 2017.

  1. Spork Schivago

    Hi!

    I've been using Chrome with my site, which works just fine. I manually create SSL certificates with Let's Encrypt. I have the OCSP must staple set. In Chrome, I can load my site just fine. In Firefox, I cannot. I receive the following error:
    Code:
    An error occurred during a connection to www.example.com:2087. A required
    TLS feature is missing.
    
    Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
    
    This is related to OCSP stapling. If I temporarily set security.ssl.enable_ocsp_must_staple in about:config in Firefox to false, I can visit my page.

    So I'm looking through the Apache configuration and see:
    Code:
    <IfModule socache_shmcb_module>
        SSLUseStapling on
        SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000)
    
        # Prevent browsers from failing if an OCSP server is temporarily broken.
        SSLStaplingReturnResponderErrors off
        SSLStaplingErrorCacheTimeout 60
        SSLStaplingFakeTryLater off
        SSLStaplingResponderTimeout 3
        SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000)
    </IfModule>
    
    I'm using EasyApache 4 and I ran /usr/sbin/apachectl -M and verified that socache_shmcb_module is listed, and it is, as shared.

    I've verified the server and certificates are good by running:
    Code:
    openssl ocsp -issuer chain.pem -cert cert.pem -text -verify_other \
       chain.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "Host" \
       "ocsp.int-x3.letsencrypt.org"
    ....
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Aug 19 00:03:00 2017 GMT
    ...
    WARNING: no nonce in response
    Response verify OK
    cert.pem: good
        This Update: Aug 19 00:00:00 2017 GMT
        Next Update: Aug 26 00:00:00 2017 GMT
    
    That WARNING worries me a bit and might be part of the problem. I haven't researched that yet.

    Any ideas what might be going on here and how to go about fixing it on the server?

    Thanks!
     
    #1 Spork Schivago, Aug 20, 2017
    Last edited: Aug 20, 2017
  2. Spork Schivago

    I would like to add that it is JUST the cPanel services that I cannot access through Firefox. My normal site, I can go there just fine. But any of the cPanel subdomains like cpanel.example.com, webmail.example.com, whm.example.com, they don't go.

    I have proxy subdomains turned off and I've manually created the subdomains myself and forward any visitors to the proper ports. I'm wondering if the OCSP stuff isn't being honored because of this....that would really suck if that was the case.

    To my knowledge, I don't think there's a way to configure AutoSSL with all the options that we have when we use Let's Encrypt directly. Unless things have changed. To my knowledge, there's no ocsp-must-staple option when using AutoSSL. If there were features like that, I would use the proxy subdomains instead of doing it manually.


    This is what I see when I try using openssl with one of the cPanel secure ports:
    Code:
    openssl s_client -connect example.com:2087 -status
    CONNECTED(00000003)
    OCSP response: no response sent
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = www.example.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=www.example.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIF4jCCBMqgAwIBAgISBLAOMMBuLTZzGQhJ/GHlKw5XMA0GCSqGSIb3DQEBCwUA
    MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA4MDMyMzAxMDBaFw0x
    NzExMDEyMzAxMDBaMBkxFzAVBgNVBAMTDnd3dy5qZXRiYnMuY29tMIIBIjANBgkq
    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1uuVr+FqzpSYdt9vDolkgFEmaDDfjPjw
    C+KktOqLqjs97psdYvK/BsLgRlC6IjIYWDhtyGhQGo/OOdKqoxb2mgm96GAPXie1
    //Y8I5IY8umiw6MEbNZ1MtWKZkLWilY9qyYiiFm6+cKrqqHivHpdgc0HWDWmU/Kc
    xR9Uje7Vj2R3Ge636tX+Q4A3l0ZP2jtVgtFyZswDMga7/Zzmr9dia1r67vBtXCLN
    GR4vamWX6yHVdTd7fGEOJAzD1052sgHbsr2TOpxBHvyN8jrpTgrEc30C0Y4Ql6yI
    zmY9Q1Qejey4ec8nuxBAT1Ii/OzAU9rKTEHpPAKZZ+iLc7R4lSWarQIDAQABo4IC
    8TCCAu0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
    BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRZ/DDpe3eu2fyTneNZmrTyMFq7
    xzAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRj
    MGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5v
    cmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5v
    cmcvMIHoBgNVHREEgeAwgd2CEWNwYW5lbC5qZXRiYnMuY29tghZjcGNhbGVuZGFy
    cy5qZXRiYnMuY29tghVjcGNvbnRhY3RzLmpldGJicy5jb22CE2ZyYW5rbGluLmpl
    dGJicy5jb22CDmdpdC5qZXRiYnMuY29tgg9pcHY0LmpldGJicy5jb22CD2lwdjYu
    amV0YmJzLmNvbYIKamV0YmJzLmNvbYISd2ViZGlzay5qZXRiYnMuY29tghJ3ZWJt
    YWlsLmpldGJicy5jb22CDndobS5qZXRiYnMuY29tgg53d3cuamV0YmJzLmNvbTAR
    BggrBgEFBQcBGAQFMAMCAQUwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysG
    AQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0
    Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5
    IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBh
    Y2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBo
    dHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsF
    AAOCAQEACmuatjIRcchOkynDEif105UpiKTWTVq+3h6t+vZup2csdxP2usGoKvl4
    65T6pASmBYDtS8U2AtB+AgUODERJ6DGSZRLwWzxM94qB6G7J3mM7vB2boourqani
    pRFQkPLLbJ4arPfrFqgQ0aiOal/RElAd59LCmceOdJrLhRJOzCgh0p7a0eRSiHGW
    zcbZnrnHyIadyrblijEJIS0sIa6/xXbOyi7hGh3tXMBcmitHIq324Kakuc/RQGVy
    AtIV/bLtTsorTthYrM67ShEV9XeYAdZmetfIjbJiY1ecQ6FVJ2iVxjskMaC23Q1i
    ym4l3nJtIbqA3vjIGtF+QkV6C9U5/w==
    -----END CERTIFICATE-----
    subject=/CN=www.example.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 3346 bytes and written 382 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: ED1E21F2473DBEB8C755D1DD64234CDF4325A1F47F7A15D7497694019E59F533
        Session-ID-ctx: 
        Master-Key: 12A445B481186960CE8628DB80B677C29F86258073F16947411B6BAB082CCB445943EA369CEE9C8C3ECCA71B71140311
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 70 2f b7 6a 7b ca 2e c6-25 8a 18 a9 67 ef bb da   p/.j{...%...g...
        0010 - 7e a5 15 e9 51 e4 96 7f-9a 3d 83 04 a9 6e f1 49   ~...Q....=...n.I
        0020 - 09 5a 90 9f 2f e0 5b 22-9a 7f a9 1f 94 e5 28 dc   .Z../.["......(.
        0030 - ad 23 e0 24 09 c4 fb cf-76 29 70 b5 5e fe cf 28   .#.$....v)p.^..(
        0040 - 83 23 0a 55 85 20 7b 0f-76 87 31 ba e9 16 3a a8   .#.U. {.v.1...:.
        0050 - 15 99 8d 1c 88 33 33 e9-5f 68 20 6c 90 46 d6 d3   .....33._h l.F..
        0060 - 23 18 33 bf de f9 66 a8-75 80 99 55 13 25 68 0a   #.3...f.u..U.%h.
        0070 - 0b 05 31 5e 1f 63 49 38-79 a2 54 d0 51 7a 5c b3   ..1^.cI8y.T.Qz\.
        0080 - 5d a3 30 2e 62 cd d2 ec-56 db 6c e9 ff 3a b4 a5   ].0.b...V.l..:..
        0090 - 24 f0 b2 27 c6 18 34 b4-5b 08 07 98 a6 4d f6 08   $..'..4.[....M..
    
        Start Time: 1503289502
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    closed
    
    Thanks.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,165
    Likes Received:
    1,371
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hi @Spork Schivago,

    The socache_shmcb_module section of your Apache configuration file matches what I see on a test system, however I'm unable to reproduce the issue you have described. Could you open a support ticket using the link in my signature so we can take a closer look to see what's happening? You can post the ticket number here and we will update this thread with the outcome.

    Thanks!
     
  4. Spork Schivago

    Okay @cPanelMichael, but I think I might know what's going on. I'm thinking it's how I have the proxy-subdomains turned off and how I manually redirect traffic from the various cpanel service subdomains to the cpanel ports. I think if I turn proxy-subdomains on, and use AutoSSL, problems might fix themselves....

    I don't think I need to manually create certificates anymore. I think AutoSSL might have matured enough now where it supports all the features I need.

    Could you please take a look at my post here and just see if AutoSSL fulfills my requirements? I'm a bit nervous playing around with it. I know there's a limit of requests for Let's Encrypt and I'd hate to use up that limit by playing with AutoSSL and everything, especially since I'm on the preloading list.

    Thanks!
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,165
    Likes Received:
    1,371
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    I've sent a reply to that thread.

    Thanks!
     