SSLUseStapling in httpd-admin leads to error message in firefox

phonon112358 · February 7, 2017, 6:32pm

I installed a letsencrypt certificate in Nethserver. Everything works fine.
After a few days, I wasn’t however able to access the server manager anymore in Firefox. I got the error message that the SSL certificate cannot be verified by the OCSP server. error code: sec_error_ocsp_try_server_later

After a bit of googling, I find the problem which caused that error. In the configuration file of the httpd-admin (/etc/httpd/admin-conf/httpd.conf) the option SSLUseStapling was turned on and obviously a non-valid path to the cache was provided.
Since I couldn’t find out the right path, I have simply turned off the SSLUseStapling option. And everything works great again…!

I would propose to turn that option off by default (like in the httpd module) or, if possible, set the right path for the logs…
I know that this is really a marginal thing, especially since it seems to cause an error only in Firefox…

asl · February 8, 2017, 8:57am

Hello,

I have a similar setup here, but no problem (so far). Letsencrypt certifikate was issued on 2017-02-03 and I’m using Firefox 51.0.1 (64-Bit). Value in /etc/httpd/admin-conf/httpd.conf:

SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

phonon112358 · February 8, 2017, 2:05pm

yes, I had the very same settings…
my certificate was also issued on 2017-02-03 and I use also the same version of Firefox…

The only point could be that I had already installed a letsencrypt certificate before which I renewed on 2017-02-03… but I don’t know…

asl · February 9, 2017, 10:23am

Funny, we did the same. I also had to issue my certificate again, because I added additional names into the certificate. But it was working out of the box.
Is the problem on the server manager only or on the public side too?

phonon112358 · February 9, 2017, 2:12pm

Only when trying to access the server manager…
in the config file for the public site (httpd module) there is no SSLUseStapling defined anyway, so this is not affected…

giacomo · February 11, 2017, 6:35pm

I will look into it, give me few days

giacomo · February 14, 2017, 11:07am

I’ve found the commit:

@davidep probably followed some tutorial on SSL hardening.

I think we can safely remove the ssl stapling options. Do you agree Davide? /cc @filippo_carletti

filippo_carletti · February 14, 2017, 1:56pm

Ack. I think that stapling on port 980 adds “nothing” to security.
And if NethServer can’t contact the OCSP server it may cause troubles.

davidep · February 14, 2017, 3:42pm

Yes, I cut and paste (shame on me) this

https://cipherli.st/

About OCSP

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#OCSP_Stapling

phonon112358 · February 14, 2017, 4:18pm

I have found the reason (probably) why I received that error message, meanwhile…

I had created the letsencrypt certificate via certbot and not via the letsencrypt module (because I wanted a 4096 bit certificate…). However I didn’t enable the oscp-stapling option when creating it…

Now I have renewed it with this option enabled and have no problems at all (of course I have enabled the SSLUseStapling option in httpd-admin again).

Hence I guess it was only a misconfiguration of the certificate. Is the oscp-stapling option enabled in the letsencrypt module of nethserver? That would explain all the strange things (also that @asl didn’t have any problems…). If this is the case, it is definitely not a bug of Nethserver!

giacomo · February 14, 2017, 4:51pm

No, at the moment is not.

But I like your idea to have more options on Let’s Encrypt page, like oscp and key size.