SSLUseStapling in httpd-admin leads to error message in firefox

I installed a letsencrypt certificate in Nethserver. Everything works fine.
After a few days, however, I wasn’t able to access the server manager anymore in Firefox. I got the error message that the SSL certificate cannot be verified by the OCSP server, error code: sec_error_ocsp_try_server_later

After a bit of googling, I found the problem which caused that error. In the configuration file of the httpd-admin (/etc/httpd/admin-conf/httpd.conf) the option SSLUseStapling was turned on and obviously an invalid path to the cache was provided.
Since I couldn’t find out the right path, I have simply turned off the SSLUseStapling option. And everything works great again…!

I would propose to turn that option off by default (like in the httpd module) or, if possible, set the right path for the logs…
I know that this is really a marginal thing, especially since it seems to cause an error only in Firefox… :wink:

Hello,

I have a similar setup here, but no problem (so far). Letsencrypt certificate was issued on 2017-02-03 and I’m using Firefox 51.0.1 (64-Bit). Value in /etc/httpd/admin-conf/httpd.conf:

SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
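The quickest way to see whether a server is actually stapling, and what status the stapled response carries, is `openssl s_client -status`. The script below is an added example, not code from this thread or from NethServer: it classifies the output of that command, and the host and port it takes are assumptions (the thread says the server manager listens on 980). The sample outputs are constructed in the shape s_client prints, not captured from a real server.

```shell
# Added example, not code from the thread or from NethServer: ask a TLS
# endpoint for its stapled OCSP response with `openssl s_client -status`
# and classify what came back. Host and port are assumptions; the thread
# says the NethServer manager listens on 980.

# Classify captured `openssl s_client -status` output:
#   stapled-ok   server stapled a response with status "successful"
#   stapled-bad  server stapled a response with any other status
#                (e.g. "trylater", which Firefox surfaces as
#                sec_error_ocsp_try_server_later)
#   none         no OCSP response was stapled
parse_stapling() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none
        return 0
    fi
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*OCSP Response Status:[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        | head -n 1)
    case "$status" in
        successful) echo stapled-ok ;;
        '')         echo none ;;
        *)          echo stapled-bad ;;
    esac
}

# Live check (needs network and the openssl CLI). stdin is closed so
# s_client exits right after the handshake instead of waiting for input.
check_stapling() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null) || true
    parse_stapling "$out"
}

# Constructed samples (not captured from a real server).
SAMPLE_OK='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'
SAMPLE_TRYLATER='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Usage against a real host: check_stapling example.org 980
```

A "none" result on a host whose config says `SSLUseStapling on` is itself informative: mod_ssl had nothing cached for that certificate, typically because its fetch from the responder failed or has not happened yet.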

Yes, I had the very same settings…
my certificate was also issued on 2017-02-03 and I also use the same version of Firefox…

The only point could be that I had already installed a letsencrypt certificate before which I renewed on 2017-02-03… but I don’t know…

Funny, we did the same. I also had to issue my certificate again, because I added additional names into the certificate. But it was working out of the box.
Is the problem on the server manager only or on the public side too?


Only when trying to access the server manager…
in the config file for the public site (httpd module) there is no SSLUseStapling defined anyway, so this is not affected…

I will look into it, give me a few days :wink:


I’ve found the commit:

@davidep probably followed some tutorial on SSL hardening.

I think we can safely remove the ssl stapling options. Do you agree Davide? /cc @filippo_carletti


Ack. I think that stapling on port 980 adds “nothing” to security.
And if NethServer can’t contact the OCSP server it may cause troubles.
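The point about an unreachable OCSP server is decided by two mod_ssl directives that the two-line config quoted earlier in the thread leaves at their defaults: SSLStaplingReturnResponderErrors and SSLStaplingFakeTryLater both default to "on", so a failed fetch from the responder is synthesized into a "tryLater" status and forwarded to the browser. The script below is an added example, not code from this thread or from NethServer: it audits a config text for that combination. The two configs it contains are constructed; the first reproduces the lines quoted in the thread, the second keeps stapling on but stops forwarding responder errors.

```shell
# Added example, not code from the thread or from NethServer: audit an
# Apache config for the stapling directives that decide what a client sees
# when httpd cannot reach the OCSP responder. Directive names and defaults
# are mod_ssl's: SSLStaplingReturnResponderErrors (default on) passes
# non-successful OCSP statuses to the client, and SSLStaplingFakeTryLater
# (default on) synthesizes a "tryLater" status when the responder query fails.

# Print the value of the last uncommented occurrence of a directive in the
# config text given as $1 (directive names are case-insensitive, as in
# Apache), or the default $3 if the directive is absent.
conf_get() {
    printf '%s\n' "$1" | awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        $1 != "" && substr($1, 1, 1) != "#" && tolower($1) == d { v = $2 }
        END { print (v == "" ? def : v) }'
}

# Report on a config; returns 0 when a responder problem cannot surface as a
# client-side OCSP error, 1 otherwise.
audit_stapling() {
    conf="$1"
    use=$(conf_get "$conf" SSLUseStapling off | tr 'A-Z' 'a-z')
    if [ "$use" != on ]; then
        echo "SSLUseStapling is off: nothing to audit"
        return 0
    fi
    rc=0
    if [ -z "$(conf_get "$conf" SSLStaplingCache "")" ]; then
        echo "SSLUseStapling on without SSLStaplingCache: mod_ssl requires a cache"
        rc=1
    fi
    ret=$(conf_get "$conf" SSLStaplingReturnResponderErrors on | tr 'A-Z' 'a-z')
    if [ "$ret" = on ]; then
        echo "SSLStaplingReturnResponderErrors is on: a responder error (or a synthesized tryLater) reaches the client"
        rc=1
    fi
    return $rc
}

# Constructed configs. The first is the pair of lines quoted in the thread.
CONF_AS_POSTED='SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"'

# Same cache, but a failed or non-successful OCSP fetch now results in no
# stapled response instead of a forwarded error; the browser then falls back
# to its own OCSP check (unless the certificate carries a must-staple extension).
CONF_TOLERANT='SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off'

# Usage against the real file: audit_stapling "$(cat /etc/httpd/admin-conf/httpd.conf)"
```

The tolerant variant is the middle ground between the two options discussed in the thread: stapling stays on for clients that benefit from it, but an outage of the CA's responder degrades to "no staple" rather than to a certificate error.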

Yes, I cut and pasted (shame on me) this :blush:

https://cipherli.st/

About OCSP

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#OCSP_Stapling

I have found the reason (probably) why I received that error message, meanwhile…

I had created the letsencrypt certificate via certbot and not via the letsencrypt module (because I wanted a 4096 bit certificate…). However, I didn’t enable the ocsp-stapling option when creating it…

Now I have renewed it with this option enabled and have no problems at all (of course I have enabled the SSLUseStapling option in httpd-admin again).

Hence I guess it was only a misconfiguration of the certificate. Is the ocsp-stapling option enabled in the letsencrypt module of nethserver? That would explain all the strange things (also that @asl didn’t have any problems…). If this is the case, it is definitely not a bug of Nethserver! :wink:

No, at the moment it is not.

But I like your idea to have more options on the Let’s Encrypt page, like OCSP and key size. :slight_smile:
