On 21/09/2021 15:16, Rainer Jung wrote:
Am 21.09.2021 um 14:39 schrieb Christopher Schultz:
Jean-Frederic,
On 9/21/21 08:17, jean-frederic clere wrote:
On 19/09/2021 15:22, Christopher Schultz wrote:
Jean-Frederic,
On 9/19/21 03:09, jean-frederic clere wrote:
Hi,
I have some problems with Let's Encrypt certificates and Firefox,
basically I get:
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
It looks like Tomcat and tomcat-native are missing something with
my certificate; the same certificate works with httpd.
The work-around is security.ssl.enable_ocsp_must_staple=false in
the Firefox configuration.
Does someone have the same problem?
I think it is related to
+++
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
+++
and SSLUseStapling On
Does your certificate have the Must-Staple extension/feature in it?
If the cert has the Must-Staple feature, then the server must
provide stapling.
Is it a surprise to you that your cert has this extension enabled?
I think you have to specifically request Must-Staple when requesting
a cert from LE.
Maybe it is related to that I am using mod_md in Apache httpd and
just moved the certificate/key to use the pair in tomcat.
And yes, I have the Must-Staple in the certificate but I don't know why...
If you had mod_md request the cert, I suspect it included "must
staple" in the request, since mod_md should be performing the stapling
internally.
If you copied the cert from that environment into Tomcat, then you
will likely have to enable stapling there, in Tomcat, too.
-chris
Default for MustStaple in mod_md should be off, but it is configurable:
http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple
I have not checked whether the default changed or whether the
must-staple of the old certificate that needs renewal comes into play.
Correct I have:
ServerAdmin jfcl...@gmail.com
MDCertificateAgreement
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain jfclere.myddns.me
MDMustStaple On
So Yes I have MDMustStaple On and SSLUseStapling On in the httpd
VirtualHost configuration.
Note: using MDRenewWindow 60s renews the cert and fixes the "problem".
If I have time I will look at how to add the SSLUseStapling to Tomcat,
but that is probably not urgent ;-)
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
--
Cheers
Jean-Frederic
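The thread never shows how to confirm that a certificate actually carries Must-Staple. Must-Staple is the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing TLS extension type 5, status_request; the AIA block quoted above only says where OCSP lives and is present in every Let's Encrypt cert, so it is not evidence either way. The following checker is an added example written for this page, not code from the thread, Tomcat or mod_md. It walks the DER structure with a small hand-written parser (no third-party modules) and returns the feature list, or None when the extension is absent. The two certificates it runs on are constructed in-memory skeletons with empty names and dummy keys, not real Let's Encrypt certificates; the helper names (_read_tlv, _children, _tlv, _sample_cert) are this example's own.

```python
"""Detect the RFC 7633 TLS Feature ("Must-Staple") extension in a DER X.509 cert.
Added example for this page; pure Python, no third-party modules.
The sample certificates at the bottom are constructed for the demo only."""

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS extension type for status_request (OCSP stapling)


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(content: bytes):
    """Yield (tag, content) for each TLV inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value


def tls_features(cert_der: bytes):
    """Return the TLS feature numbers from the TLS Feature extension,
    or None if the certificate does not carry the extension."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert, 0)  # TBSCertificate is the first child
    if tbs_tag != 0x30:
        raise ValueError("malformed TBSCertificate")
    for tag, value in _children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions; other TBS fields are skipped
            continue
        _, ext_list, _ = _read_tlv(value, 0)  # SEQUENCE OF Extension
        for _, ext in _children(ext_list):
            fields = list(_children(ext))  # OID, optional BOOLEAN critical, OCTET STRING
            if fields[0][1] != TLS_FEATURE_OID:
                continue
            octets = fields[-1][1]  # extnValue; the critical flag, if any, is skipped
            _, feature_seq, _ = _read_tlv(octets, 0)  # SEQUENCE OF INTEGER
            return [int.from_bytes(v, "big") for t, v in _children(feature_seq) if t == 0x02]
    return None


def has_must_staple(cert_der: bytes) -> bool:
    """True when the cert demands OCSP stapling (status_request listed)."""
    feats = tls_features(cert_der)
    return feats is not None and STATUS_REQUEST in feats


# --- constructed sample certificates (DER skeletons, not real certs) ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _sample_cert(with_must_staple: bool) -> bytes:
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    # basicConstraints (2.5.29.19) with an empty value, so the list has a neighbour
    exts = [seq(_tlv(0x06, bytes.fromhex("551d13")), _tlv(0x04, seq()))]
    if with_must_staple:
        feature_list = seq(_tlv(0x02, bytes([STATUS_REQUEST])))  # SEQUENCE { INTEGER 5 }
        exts.append(seq(_tlv(0x06, TLS_FEATURE_OID), _tlv(0x04, feature_list)))
    tbs = seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                          # version v3
        _tlv(0x02, b"\x01"),                                       # serialNumber
        seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))),     # sha256WithRSAEncryption
        seq(),                                                     # issuer (empty Name)
        seq(_tlv(0x17, b"210901000000Z"), _tlv(0x17, b"211130000000Z")),  # validity
        seq(),                                                     # subject (empty Name)
        seq(seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101"))), _tlv(0x03, b"\x00")),  # dummy SPKI
        _tlv(0xA3, seq(*exts)),                                    # [3] extensions
    )
    return seq(tbs, seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))), _tlv(0x03, b"\x00"))


CERT_MUST_STAPLE = _sample_cert(True)
CERT_PLAIN = _sample_cert(False)

if __name__ == "__main__":
    print("must-staple cert:", tls_features(CERT_MUST_STAPLE), has_must_staple(CERT_MUST_STAPLE))
    print("plain cert:", tls_features(CERT_PLAIN), has_must_staple(CERT_PLAIN))
```

To run it against the certificate mod_md wrote, convert the PEM with the standard library (ssl.PEM_cert_to_DER_cert(open("cert.pem").read())) and pass the bytes to has_must_staple(). A cert that returns True will trigger MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING in Firefox whenever the server that presents it does not staple an OCSP response, which is exactly the situation after copying an MDMustStaple On certificate from httpd to a Tomcat connector that does no stapling.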