I installed a letsencrypt certificate in Nethserver. Everything works fine.
After a few days, however, I was no longer able to access the server manager in Firefox. I got the error message that the SSL certificate cannot be verified by the OCSP server. Error code: sec_error_ocsp_try_server_later
After a bit of googling, I found the problem which caused that error. In the configuration file of httpd-admin (/etc/httpd/admin-conf/httpd.conf) the option SSLUseStapling was turned on and obviously a non-valid path to the cache was provided.
Since I couldn’t find out the right path, I simply turned off the SSLUseStapling option. And everything works great again…!
I would propose to turn that option off by default (like in the httpd module) or, if possible, set the right path for the logs…
I know that this is really a marginal thing, especially since it seems to cause an error only in Firefox…
I have a similar setup here, but no problem (so far). Letsencrypt certificate was issued on 2017-02-03 and I’m using Firefox 51.0.1 (64-Bit). Value in /etc/httpd/admin-conf/httpd.conf:
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Funny, we did the same. I also had to issue my certificate again, because I added additional names into the certificate. But it was working out of the box.
Is the problem on the server manager only or on the public side too?
Only when trying to access the server manager…
In the config file for the public site (httpd module) there is no SSLUseStapling defined anyway, so this is not affected…
Meanwhile, I have found the reason (probably) why I received that error message…
I had created the letsencrypt certificate via certbot and not via the letsencrypt module (because I wanted a 4096 bit certificate…). However, I didn’t enable the ocsp-stapling option when creating it…
Now I have renewed it with this option enabled and have no problems at all (of course I have enabled the SSLUseStapling option in httpd-admin again).
Hence I guess it was only a misconfiguration of the certificate. Is the ocsp-stapling option enabled in the letsencrypt module of nethserver? That would explain all the strange things (also that @asl didn’t have any problems…). If this is the case, it is definitely not a bug of Nethserver!
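Two checks a practitioner would want to run before touching SSLUseStapling, as an added example that is not part of the thread or of NethServer's own tooling. The Firefox code sec_error_ocsp_try_server_later means the stapled OCSP response the server sent had the response status tryLater rather than successful; Apache's mod_ssl does send such responder errors to clients when SSLStaplingReturnResponderErrors is on (its default), and turning that directive off makes it staple only responses with a certificate status of good. Separately, a certificate requested with certbot's --must-staple flag carries the TLS Feature (status_request) extension, which obliges the server to staple. The two helpers below parse the text output of openssl (constructed samples are embedded so the script runs offline; the command lines for a live host are in the comments) and report what is actually being stapled and whether the certificate demands it. The sample texts and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the NethServer thread). Against a live host you would run:
#   openssl s_client -connect host:443 -servername host -status </dev/null 2>/dev/null | stapling_status
#   openssl x509 -in /path/to/cert.pem -noout -text | has_must_staple

# stapling_status: reads `openssl s_client -status` output on stdin and prints
#   none       - the server stapled nothing
#   good       - a successful OCSP response with "Cert Status: good"
#   <status>   - the OCSP response status otherwise (e.g. trylater, which
#                Firefox reports as sec_error_ocsp_try_server_later)
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: \([a-zA-Z]*\).*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo none; return 0
    fi
    if [ "$status" = "successful" ]; then
        cert=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \([a-zA-Z]*\).*/\1/p' | head -n 1)
        echo "${cert:-unknown}"
    else
        echo "$status"
    fi
}

# has_must_staple: reads `openssl x509 -text` output on stdin and prints yes
# when the TLS Feature extension lists status_request (RFC 7633 Must-Staple).
has_must_staple() {
    awk '
        /TLS Feature:/ { inext = 1; next }
        inext && /status_request/ { found = 1 }
        { inext = 0 }
        END { print (found ? "yes" : "no") }
    '
}

# Constructed samples (trimmed to the lines the helpers look at).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

SAMPLE_TRYLATER='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'

SAMPLE_NONE='OCSP response: no response sent'

SAMPLE_CERT_MUST_STAPLE='        X509v3 extensions:
            TLS Feature:
                status_request
            X509v3 Basic Constraints:
                CA:FALSE'

SAMPLE_CERT_PLAIN='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD"             | stapling_status   # good
printf '%s\n' "$SAMPLE_TRYLATER"         | stapling_status   # trylater
printf '%s\n' "$SAMPLE_NONE"             | stapling_status   # none
printf '%s\n' "$SAMPLE_CERT_MUST_STAPLE" | has_must_staple   # yes
printf '%s\n' "$SAMPLE_CERT_PLAIN"       | has_must_staple   # no
```

If stapling_status reports trylater (or any status other than good) while has_must_staple says yes, the browser has no fallback: the certificate requires a staple and the one delivered is unusable. Fixing the responder reachability from the server, or setting SSLStaplingReturnResponderErrors off so that only good responses are stapled, addresses the symptom without disabling stapling altogether.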