Posted to dev@tomcat.apache.org by jean-frederic clere <jf...@gmail.com> on 2021/09/19 07:09:25 UTC

Problems with let's encrypt

Hi,

I have some problems with Let's Encrypt certificates and Firefox, 
basically I get:
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

It looks like Tomcat and tomcat-native are missing something with my 
certificate; the same certificate works with httpd.

The work-around is security.ssl.enable_ocsp_must_staple=false in the 
Firefox configuration.

Does someone have the same problem?

I think it is related to
+++
              Authority Information Access:
                 OCSP - URI:http://r3.o.lencr.org
                 CA Issuers - URI:http://r3.i.lencr.org/

+++
and SSLUseStapling On
-- 
Cheers

Jean-Frederic


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Problems with let's encrypt

Posted by jean-frederic clere <jf...@gmail.com>.
On 21/09/2021 15:16, Rainer Jung wrote:
> On 21.09.2021 at 14:39, Christopher Schultz wrote:
>> Jean-Frederic,
>>
>> On 9/21/21 08:17, jean-frederic clere wrote:
>>> On 19/09/2021 15:22, Christopher Schultz wrote:
>>>> Jean-Frederic,
>>>>
>>>> On 9/19/21 03:09, jean-frederic clere wrote:
>>>>> Hi,
>>>>>
>>>>> I have some problems with Let's Encrypt certificates and Firefox, 
>>>>> basically I get:
>>>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>>
>>>>> It looks like Tomcat and tomcat-native are missing something with 
>>>>> my certificate; the same certificate works with httpd.
>>>>>
>>>>> The work-around is security.ssl.enable_ocsp_must_staple=false in 
>>>>> the Firefox configuration.
>>>>>
>>>>> Does someone have the same problem?
>>>>>
>>>>> I think it is related to
>>>>> +++
>>>>>               Authority Information Access:
>>>>>                  OCSP - URI:http://r3.o.lencr.org
>>>>>                  CA Issuers - URI:http://r3.i.lencr.org/
>>>>>
>>>>> +++
>>>>> and SSLUseStapling On
>>>>
>>>> Does your certificate have the Must-Staple extension/feature in it? 
>>>> If the cert has the Must-Staple feature, then the server must 
>>>> provide stapling.
>>>>
>>>> Is it a surprise to you that your cert has this extension enabled? 
>>>> I think you have to specifically request Must-Staple when requesting 
>>>> a cert from LE.
>>>
>>> Maybe it is related to the fact that I am using mod_md in Apache httpd 
>>> and just moved the certificate/key to use the pair in Tomcat.
>>>
>>> And yes, I have Must-Staple in the certificate, but I don't know why...
>>
>> If you had mod_md request the cert, I suspect it included "must 
>> staple" in the request, since mod_md should be performing the stapling 
>> internally.
>>
>> If you copied the cert from that environment into Tomcat, then you 
>> will likely have to enable stapling there, in Tomcat, too.
>>
>> -chris
> 
> The default for MDMustStaple in mod_md should be off, but it is configurable:
> 
> http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple
> 
> I have not checked whether the default changed or whether the Must-Staple 
> of the old certificate that needs renewal comes into play.

Correct, I have:
ServerAdmin jfclere@gmail.com
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain jfclere.myddns.me
MDMustStaple On

So yes, I have MDMustStaple On and SSLUseStapling On in the httpd 
VirtualHost configuration.

Note: using MDRenewWindow 60s renews the cert and fixes the "problem".

If I have time I will look at how to add SSLUseStapling to Tomcat, 
but that is probably not urgent ;-)

> 
> Regards,
> 
> Rainer
> 


-- 
Cheers

Jean-Frederic




Re: Problems with let's encrypt

Posted by Rainer Jung <ra...@kippdata.de>.
On 21.09.2021 at 14:39, Christopher Schultz wrote:
> Jean-Frederic,
> 
> On 9/21/21 08:17, jean-frederic clere wrote:
>> On 19/09/2021 15:22, Christopher Schultz wrote:
>>> Jean-Frederic,
>>>
>>> On 9/19/21 03:09, jean-frederic clere wrote:
>>>> Hi,
>>>>
>>>> I have some problems with Let's Encrypt certificates and Firefox, 
>>>> basically I get:
>>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>
>>>> It looks like Tomcat and tomcat-native are missing something with my 
>>>> certificate; the same certificate works with httpd.
>>>>
>>>> The work-around is security.ssl.enable_ocsp_must_staple=false in the 
>>>> Firefox configuration.
>>>>
>>>> Does someone have the same problem?
>>>>
>>>> I think it is related to
>>>> +++
>>>>               Authority Information Access:
>>>>                  OCSP - URI:http://r3.o.lencr.org
>>>>                  CA Issuers - URI:http://r3.i.lencr.org/
>>>>
>>>> +++
>>>> and SSLUseStapling On
>>>
>>> Does your certificate have the Must-Staple extension/feature in it? 
>>> If the cert has the Must-Staple feature, then the server must provide 
>>> stapling.
>>>
>>> Is it a surprise to you that your cert has this extension enabled? I 
>>> think you have to specifically request Must-Staple when requesting a 
>>> cert from LE.
>>
>> Maybe it is related to the fact that I am using mod_md in Apache httpd 
>> and just moved the certificate/key to use the pair in Tomcat.
>>
>> And yes, I have Must-Staple in the certificate, but I don't know why...
> 
> If you had mod_md request the cert, I suspect it included "must staple" 
> in the request, since mod_md should be performing the stapling internally.
> 
> If you copied the cert from that environment into Tomcat, then you will 
> likely have to enable stapling there, in Tomcat, too.
> 
> -chris

The default for MDMustStaple in mod_md should be off, but it is configurable:

http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple

I have not checked whether the default changed or whether the Must-Staple 
of the old certificate that needs renewal comes into play.

Regards,

Rainer



Re: Problems with let's encrypt

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jean-Frederic,

On 9/21/21 08:17, jean-frederic clere wrote:
> On 19/09/2021 15:22, Christopher Schultz wrote:
>> Jean-Frederic,
>>
>> On 9/19/21 03:09, jean-frederic clere wrote:
>>> Hi,
>>>
>>> I have some problems with Let's Encrypt certificates and Firefox, 
>>> basically I get:
>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>
>>> It looks like Tomcat and tomcat-native are missing something with my 
>>> certificate; the same certificate works with httpd.
>>>
>>> The work-around is security.ssl.enable_ocsp_must_staple=false in the 
>>> Firefox configuration.
>>>
>>> Does someone have the same problem?
>>>
>>> I think it is related to
>>> +++
>>>               Authority Information Access:
>>>                  OCSP - URI:http://r3.o.lencr.org
>>>                  CA Issuers - URI:http://r3.i.lencr.org/
>>>
>>> +++
>>> and SSLUseStapling On
>>
>> Does your certificate have the Must-Staple extension/feature in it? If 
>> the cert has the Must-Staple feature, then the server must provide 
>> stapling.
>>
>> Is it a surprise to you that your cert has this extension enabled? I 
>> think you have to specifically request Must-Staple when requesting a 
>> cert from LE.
> 
> Maybe it is related to the fact that I am using mod_md in Apache httpd and 
> just moved the certificate/key to use the pair in Tomcat.
> 
> And yes, I have Must-Staple in the certificate, but I don't know why...

If you had mod_md request the cert, I suspect it included "must staple" 
in the request, since mod_md should be performing the stapling internally.

If you copied the cert from that environment into Tomcat, then you will 
likely have to enable stapling there, in Tomcat, too.

-chris



Re: Problems with let's encrypt

Posted by jean-frederic clere <jf...@gmail.com>.
On 19/09/2021 15:22, Christopher Schultz wrote:
> Jean-Frederic,
> 
> On 9/19/21 03:09, jean-frederic clere wrote:
>> Hi,
>>
>> I have some problems with Let's Encrypt certificates and Firefox, 
>> basically I get:
>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>
>> It looks like Tomcat and tomcat-native are missing something with my 
>> certificate; the same certificate works with httpd.
>>
>> The work-around is security.ssl.enable_ocsp_must_staple=false in the 
>> Firefox configuration.
>>
>> Does someone have the same problem?
>>
>> I think it is related to
>> +++
>>               Authority Information Access:
>>                  OCSP - URI:http://r3.o.lencr.org
>>                  CA Issuers - URI:http://r3.i.lencr.org/
>>
>> +++
>> and SSLUseStapling On
> 
> Does your certificate have the Must-Staple extension/feature in it? If 
> the cert has the Must-Staple feature, then the server must provide 
> stapling.
> 
> Is it a surprise to you that your cert has this extension enabled? I 
> think you have to specifically request Must-Staple when requesting a 
> cert from LE.

Maybe it is related to the fact that I am using mod_md in Apache httpd and 
just moved the certificate/key to use the pair in Tomcat.

And yes, I have Must-Staple in the certificate, but I don't know why...
> 
> -chris
> 


-- 
Cheers

Jean-Frederic




Re: Problems with let's encrypt

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jean-Frederic,

On 9/19/21 03:09, jean-frederic clere wrote:
> Hi,
> 
> I have some problems with Let's Encrypt certificates and Firefox, 
> basically I get:
> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
> 
> It looks like Tomcat and tomcat-native are missing something with my 
> certificate; the same certificate works with httpd.
> 
> The work-around is security.ssl.enable_ocsp_must_staple=false in the 
> Firefox configuration.
> 
> Does someone have the same problem?
> 
> I think it is related to
> +++
>               Authority Information Access:
>                  OCSP - URI:http://r3.o.lencr.org
>                  CA Issuers - URI:http://r3.i.lencr.org/
> 
> +++
> and SSLUseStapling On

Does your certificate have the Must-Staple extension/feature in it? If 
the cert has the Must-Staple feature, then the server must provide stapling.

Is it a surprise to you that your cert has this extension enabled? I 
think you have to specifically request Must-Staple when requesting a 
cert from LE.

-chris

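The question Chris raises in this message, whether the certificate actually carries the Must-Staple extension, can be answered before a certificate is ever copied into another server. The following is an added example written for this page, not code from Tomcat, tomcat-native, httpd or mod_md: it walks a certificate's DER structure with the standard library alone, reports whether the RFC 7633 TLS Feature extension lists status_request (that is Must-Staple), and reads the OCSP responder URI out of Authority Information Access. The sample input is a constructed Extensions block carrying the r3.o.lencr.org URI quoted in the thread; it is not a real Let's Encrypt certificate, and `load_pem` is the only function that expects a real one.

```python
"""Check an X.509 certificate for the RFC 7633 TLS Feature ("Must-Staple")
extension and read the OCSP responder URI from Authority Information Access.
Added example for this thread (not Tomcat, httpd or mod_md code); pure stdlib."""
import base64
import re

# DER-encoded OID contents (tag and length omitted).
OID_TLS_FEATURE = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24 id-pe-tlsfeature
OID_AIA = bytes.fromhex("2b06010505070101")          # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_AD_OCSP = bytes.fromhex("2b06010505073001")      # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
STATUS_REQUEST = 5  # TLS extension type that Must-Staple requires (status_request)

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for every TLV inside a constructed node."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        yield tag, child

def find_extension(der, oid):
    """Return (critical, extnValue) for the Extension with this OID, or None.
    Only constructed nodes are descended, so primitives such as the signature
    BIT STRING are never misparsed; works on a Certificate or an Extensions block."""
    stack = [der]
    while stack:
        items = list(_children(stack.pop()))
        if items and items[0] == (0x06, oid):
            critical = len(items) > 2 and items[1] == (0x01, b"\xff")
            return critical, items[-1][1]  # extnValue is the last element (OCTET STRING)
        stack.extend(child for tag, child in items if tag & 0x20)
    return None

def tls_features(der):
    """List the TLS extension types the certificate requires ([] if none)."""
    found = find_extension(der, OID_TLS_FEATURE)
    if found is None:
        return []
    _, seq, _ = _read_tlv(found[1], 0)  # extnValue holds a SEQUENCE OF INTEGER
    return [int.from_bytes(v, "big") for t, v in _children(seq) if t == 0x02]

def requires_stapling(der):
    """True when the certificate carries Must-Staple (status_request is listed)."""
    return STATUS_REQUEST in tls_features(der)

def ocsp_uris(der):
    """Return the OCSP responder URIs listed in Authority Information Access."""
    found = find_extension(der, OID_AIA)
    if found is None:
        return []
    _, seq, _ = _read_tlv(found[1], 0)  # SEQUENCE OF AccessDescription
    uris = []
    for _, desc in _children(seq):
        method, location = list(_children(desc))[:2]
        if method == (0x06, OID_AD_OCSP) and location[0] == 0x86:  # [6] uniformResourceIdentifier
            uris.append(location[1].decode("ascii"))
    return uris

def load_pem(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def _der(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def sample_extensions(must_staple):
    """Constructed sample, not a real Let's Encrypt certificate: an Extensions block
    inside the [3] EXPLICIT wrapper TBSCertificate uses, carrying the OCSP URI quoted
    in the thread and, when must_staple is True, a TLS Feature extension."""
    access = _der(0x30, _der(0x06, OID_AD_OCSP) + _der(0x86, b"http://r3.o.lencr.org"))
    exts = _der(0x30, _der(0x06, OID_AIA) + _der(0x04, _der(0x30, access)))
    if must_staple:
        features = _der(0x30, _der(0x02, bytes([STATUS_REQUEST])))
        exts += _der(0x30, _der(0x06, OID_TLS_FEATURE) + _der(0x04, features))
    return _der(0x30, _der(0xA3, _der(0x30, exts)))

if __name__ == "__main__":
    for flag in (True, False):
        cert = sample_extensions(flag)
        print("must-staple:", requires_stapling(cert), "ocsp:", ocsp_uris(cert))
```

Against a real certificate, `requires_stapling(load_pem(open("cert.pem").read()))` gives the answer to Chris's question. When it returns True, every server that serves that key pair must deliver a stapled OCSP response in the handshake, and a client that enforces the extension (Firefox with `security.ssl.enable_ocsp_must_staple` at its default) will reject the connection otherwise, which is exactly the MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error at the top of the thread. `openssl s_client -connect host:443 -status` shows whether a staple is present. The defensive rule the thread illustrates: do not request Must-Staple (MDMustStaple On) for a certificate that will also be deployed on a server without stapling configured, and check the extension before moving a key pair between httpd and Tomcat.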