trouble with firefox and ocsp-must-staple

Spork Schivago (Well-Known Member, cPanel Access Level: Root Administrator)
Hi!

I've been using Chrome with my site, which works just fine. I manually create SSL certificates with Let's Encrypt. I have the OCSP must staple set. In Chrome, I can load my site just fine. In Firefox, I cannot. I receive the following error:
Code:
An error occurred during a connection to www.example.com:2087. A required
TLS feature is missing.

Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
This is related to OCSP stapling. If I temporarily set security.ssl.enable_ocsp_must_staple in about:config in Firefox to false, I can visit my page.

So I'm looking through the Apache configuration and see:
Code:
<IfModule socache_shmcb_module>
    SSLUseStapling on
    SSLStaplingCache shmcb:/run/apache2/stapling_cache_shmcb(256000)

    # Prevent browsers from failing if an OCSP server is temporarily broken.
    SSLStaplingReturnResponderErrors off
    SSLStaplingErrorCacheTimeout 60
    SSLStaplingFakeTryLater off
    SSLStaplingResponderTimeout 3
    SSLSessionCache shmcb:/run/apache2/ssl_gcache_data_shmcb(1024000)
</IfModule>
I'm using EasyApache 4 and I ran /usr/sbin/apachectl -M and verified that socache_shmcb_module is listed, and it is, as shared.

I've verified the server and certificates are good by running:
Code:
openssl ocsp -issuer chain.pem -cert cert.pem -text -verify_other \
   chain.pem -url http://ocsp.int-x3.letsencrypt.org/ -header "Host" \
   "ocsp.int-x3.letsencrypt.org"
....
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Aug 19 00:03:00 2017 GMT
...
WARNING: no nonce in response
Response verify OK
cert.pem: good
    This Update: Aug 19 00:00:00 2017 GMT
    Next Update: Aug 26 00:00:00 2017 GMT
That WARNING worries me a bit and might be part of the problem. I haven't researched that yet.

Any ideas what might be going on here and how to go about fixing it on the server?

Thanks!
 
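An added example, not from the original thread or from cPanel, that checks the two halves of what Firefox is enforcing here: whether a certificate carries the Must-Staple extension (RFC 7633 TLS Feature with the status_request value, which is what `MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING` keys on) and whether the server at a given host:port actually sends a stapled OCSP response in the handshake. The hostnames, file names and the two throwaway self-signed certificates are constructed for the demonstration; the script assumes OpenSSL 1.1.1 or later (for `-addext`) and that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original thread or from cPanel).
# Checks (1) whether a PEM certificate asserts OCSP Must-Staple and
# (2) whether a live server staples an OCSP response. Firefox refuses a
# connection exactly when (1) is true and (2) is false. Assumes OpenSSL >= 1.1.1.
set -eu

# Return 0 if the certificate in $1 carries the TLS Feature extension with
# status_request (RFC 7633 Must-Staple), 1 otherwise. "openssl x509 -text"
# prints the extension as "X509v3 TLS Feature:" with the value on the next line.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'TLS Feature' | grep -q 'status_request'
}

# Return 0 if host $1, port $2 sends a stapled OCSP response during the
# handshake, 1 if the server answers "OCSP response: no response sent" or
# an unsuccessful status. Network check; not run by the offline self-test.
server_staples() {
    echo Q | openssl s_client -connect "$1:$2" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Mint a throwaway self-signed certificate. $1 is the output prefix; any
# further arguments are passed straight to "openssl req" (used below to add
# the Must-Staple extension). Hostnames under .example.test are constructed.
make_cert() {
    prefix=$1
    shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$prefix.example.test" \
        -keyout "$prefix.key" -out "$prefix.pem" "$@" >/dev/null 2>&1
}

# Offline demonstration: one certificate with Must-Staple, one without.
workdir=$(mktemp -d)
cd "$workdir"
make_cert stapled -addext "tlsfeature = status_request"
make_cert plain

for name in stapled plain; do
    if has_must_staple "$name.pem"; then
        echo "$name.pem: Must-Staple asserted; the server MUST staple or Firefox will refuse it"
    else
        echo "$name.pem: no Must-Staple; a missing staple is tolerated"
    fi
done

# Live usage against a real endpoint (network), e.g.:
#   server_staples www.example.com 2087 && echo stapled || echo "no staple sent"
```

Run `has_must_staple` against the certificate installed on the cPanel service ports and `server_staples` against the same host:port; when the first succeeds and the second fails, the server is serving a Must-Staple certificate without a staple, which is the combination Firefox rejects and Chrome (which does not enforce Must-Staple) lets through.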

Spork Schivago (Well-Known Member, cPanel Access Level: Root Administrator)
I would like to add that it is JUST the cPanel services that I cannot access through Firefox. My normal site, I can go there just fine. But any of the cPanel subdomains like cpanel.example.com, webmail.example.com, whm.example.com, they don't go.

I have proxy subdomains turned off and I've manually created the subdomains myself and forward any visitors to the proper ports. I'm wondering if the OCSP stuff isn't being honored because of this... that would really suck if that were the case.

To my knowledge, I don't think there's a way to configure AutoSSL with all the options that we have when we use Let's Encrypt directly. Unless things have changed. To my knowledge, there's no ocsp-must-staple option when using AutoSSL. If there were features like that, I would use the proxy subdomains instead of doing it manually.


This is what I see when I try using openssl with one of the cPanel secure ports:
Code:
openssl s_client -connect example.com:2087 -status
CONNECTED(00000003)
OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3346 bytes and written 382 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ED1E21F2473DBEB8C755D1DD64234CDF4325A1F47F7A15D7497694019E59F533
    Session-ID-ctx: 
    Master-Key: 12A445B481186960CE8628DB80B677C29F86258073F16947411B6BAB082CCB445943EA369CEE9C8C3ECCA71B71140311
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 70 2f b7 6a 7b ca 2e c6-25 8a 18 a9 67 ef bb da   p/.j{...%...g...
    0010 - 7e a5 15 e9 51 e4 96 7f-9a 3d 83 04 a9 6e f1 49   ~...Q....=...n.I
    0020 - 09 5a 90 9f 2f e0 5b 22-9a 7f a9 1f 94 e5 28 dc   .Z../.["......(.
    0030 - ad 23 e0 24 09 c4 fb cf-76 29 70 b5 5e fe cf 28   .#.$....v)p.^..(
    0040 - 83 23 0a 55 85 20 7b 0f-76 87 31 ba e9 16 3a a8   .#.U. {.v.1...:.
    0050 - 15 99 8d 1c 88 33 33 e9-5f 68 20 6c 90 46 d6 d3   .....33._h l.F..
    0060 - 23 18 33 bf de f9 66 a8-75 80 99 55 13 25 68 0a   #.3...f.u..U.%h.
    0070 - 0b 05 31 5e 1f 63 49 38-79 a2 54 d0 51 7a 5c b3   ..1^.cI8y.T.Qz\.
    0080 - 5d a3 30 2e 62 cd d2 ec-56 db 6c e9 ff 3a b4 a5   ].0.b...V.l..:..
    0090 - 24 f0 b2 27 c6 18 34 b4-5b 08 07 98 a6 4d f6 08   $..'..4.[....M..

    Start Time: 1503289502
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
Thanks.
 

cPanelMichael (Administrator, Staff member)
Hi @Spork Schivago,

The socache_shmcb_module section of your Apache configuration file matches what I see on a test system, however I'm unable to reproduce the issue you have described. Could you open a support ticket using the link in my signature so we can take a closer look to see what's happening? You can post the ticket number here and we will update this thread with the outcome.

Thanks!
 

Spork Schivago (Well-Known Member, cPanel Access Level: Root Administrator)
Okay @cPanelMichael, but I think I might know what's going on. I'm thinking it's how I have the proxy-subdomains turned off and how I manually redirect traffic from the various cpanel service subdomains to the cpanel ports. I think if I turn proxy-subdomains on, and use AutoSSL, problems might fix themselves....

I don't think I need to manually create certificates anymore. I think AutoSSL might have matured enough now where it supports all the features I need.

Could you please take a look at my post here and just see if AutoSSL fulfills my requirements? I'm a bit nervous playing around with it. I know there's a limit of requests for Let's Encrypt and I'd hate to use up that limit by playing with AutoSSL and everything, especially since I'm on the preloading list.

Thanks!
 

cPanelMichael (Administrator, Staff member)

Spork Schivago said:
Could you please take a look at my post here and just see if AutoSSL fulfills my requirements? I'm a bit nervous playing around with it. I know there's a limit of requests for Let's Encrypt and I'd hate to use up that limit by playing with AutoSSL and everything, especially since I'm on the preloading list.
I've sent a reply to that thread.

Thanks!
 