Posted to dev@tomcat.apache.org by jean-frederic clere <jf...@gmail.com> on 2021/09/19 07:09:25 UTC
Problems with let's encrypt
Hi,
I have some problems with Let's Encrypt certificates and Firefox;
basically I get:
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
It looks like tomcat and tomcat-native are missing something with my
certificate, the same certificate with httpd.
The work-around is security.ssl.enable_ocsp_must_staple=false in the
Firefox configuration.
Does anyone have the same problem?
I think it is related to
+++
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
+++
and SSLUseStapling On
--
Cheers
Jean-Frederic
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Problems with let's encrypt
Posted by jean-frederic clere <jf...@gmail.com>.
On 21/09/2021 15:16, Rainer Jung wrote:
> On 21.09.2021 at 14:39, Christopher Schultz wrote:
>> Jean-Frederic,
>>
>> On 9/21/21 08:17, jean-frederic clere wrote:
>>> On 19/09/2021 15:22, Christopher Schultz wrote:
>>>> Jean-Frederic,
>>>>
>>>> On 9/19/21 03:09, jean-frederic clere wrote:
>>>>> Hi,
>>>>>
>>>>> I have some problems with Let's Encrypt certificates and Firefox;
>>>>> basically I get:
>>>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>>
>>>>> It looks like tomcat and tomcat-native are missing something with
>>>>> my certificate, the same certificate with httpd.
>>>>>
>>>>> The work-around is security.ssl.enable_ocsp_must_staple=false in
>>>>> the Firefox configuration.
>>>>>
>>>>> Does anyone have the same problem?
>>>>>
>>>>> I think it is related to
>>>>> +++
>>>>> Authority Information Access:
>>>>> OCSP - URI:http://r3.o.lencr.org
>>>>> CA Issuers - URI:http://r3.i.lencr.org/
>>>>>
>>>>> +++
>>>>> and SSLUseStapling On
>>>>
>>>> Does your certificate have the Must-Staple extension/feature in it?
>>>> If the cert has the Must-Staple feature, then the server must
>>>> provide stapling.
>>>>
>>>> Is it a surprise to you that your cert has this extension enabled?
>>>> I think you have to specifically request Must-Staple when requesting
>>>> a cert from LE.
>>>
>>> Maybe it is related to the fact that I am using mod_md in Apache httpd
>>> and just moved the certificate/key to use the pair in Tomcat.
>>>
>>> And yes, I have Must-Staple in the certificate but I don't know why...
>>
>> If you had mod_md request the cert, I suspect it included "must
>> staple" in the request, since mod_md should be performing the stapling
>> internally.
>>
>> If you copied the cert from that environment into Tomcat, then you
>> will likely have to enable stapling there, in Tomcat, too.
>>
>> -chris
>
> The default for MDMustStaple in mod_md should be off, but it is configurable:
>
> http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple
>
> I have not checked whether the default changed or whether the must
> staple of the old certificate that needs renewal comes into play.
Correct, I have:
ServerAdmin jfclere@gmail.com
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDomain jfclere.myddns.me
MDMustStaple On
So yes, I have MDMustStaple On and SSLUseStapling On in the httpd
VirtualHost configuration.
Note that using MDRenewWindow 60s renews the cert and fixes the "problem".
If I have time I will look at how to add SSLUseStapling to Tomcat,
but that is probably not urgent ;-)
>
> Regards,
>
> Rainer
>
--
Cheers
Jean-Frederic
Re: Problems with let's encrypt
Posted by Rainer Jung <ra...@kippdata.de>.
On 21.09.2021 at 14:39, Christopher Schultz wrote:
> Jean-Frederic,
>
> On 9/21/21 08:17, jean-frederic clere wrote:
>> On 19/09/2021 15:22, Christopher Schultz wrote:
>>> Jean-Frederic,
>>>
>>> On 9/19/21 03:09, jean-frederic clere wrote:
>>>> Hi,
>>>>
>>>> I have some problems with Let's Encrypt certificates and Firefox;
>>>> basically I get:
>>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>
>>>> It looks like tomcat and tomcat-native are missing something with my
>>>> certificate, the same certificate with httpd.
>>>>
>>>> The work-around is security.ssl.enable_ocsp_must_staple=false in the
>>>> Firefox configuration.
>>>>
>>>> Does anyone have the same problem?
>>>>
>>>> I think it is related to
>>>> +++
>>>> Authority Information Access:
>>>> OCSP - URI:http://r3.o.lencr.org
>>>> CA Issuers - URI:http://r3.i.lencr.org/
>>>>
>>>> +++
>>>> and SSLUseStapling On
>>>
>>> Does your certificate have the Must-Staple extension/feature in it?
>>> If the cert has the Must-Staple feature, then the server must provide
>>> stapling.
>>>
>>> Is it a surprise to you that your cert has this extension enabled? I
>>> think you have to specifically request Must-Staple when requesting a
>>> cert from LE.
>>
>> Maybe it is related to the fact that I am using mod_md in Apache httpd
>> and just moved the certificate/key to use the pair in Tomcat.
>>
>> And yes, I have Must-Staple in the certificate but I don't know why...
>
> If you had mod_md request the cert, I suspect it included "must staple"
> in the request, since mod_md should be performing the stapling internally.
>
> If you copied the cert from that environment into Tomcat, then you will
> likely have to enable stapling there, in Tomcat, too.
>
> -chris
The default for MDMustStaple in mod_md should be off, but it is configurable:
http://httpd.apache.org/docs/2.4/en/mod/mod_md.html#mdmuststaple
I have not checked whether the default changed or whether the must
staple of the old certificate that needs renewal comes into play.
Regards,
Rainer
Re: Problems with let's encrypt
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jean-Frederic,
On 9/21/21 08:17, jean-frederic clere wrote:
> On 19/09/2021 15:22, Christopher Schultz wrote:
>> Jean-Frederic,
>>
>> On 9/19/21 03:09, jean-frederic clere wrote:
>>> Hi,
>>>
>>> I have some problems with Let's Encrypt certificates and Firefox;
>>> basically I get:
>>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>
>>> It looks like tomcat and tomcat-native are missing something with my
>>> certificate, the same certificate with httpd.
>>>
>>> The work-around is security.ssl.enable_ocsp_must_staple=false in the
>>> Firefox configuration.
>>>
>>> Does anyone have the same problem?
>>>
>>> I think it is related to
>>> +++
>>> Authority Information Access:
>>> OCSP - URI:http://r3.o.lencr.org
>>> CA Issuers - URI:http://r3.i.lencr.org/
>>>
>>> +++
>>> and SSLUseStapling On
>>
>> Does your certificate have the Must-Staple extension/feature in it? If
>> the cert has the Must-Staple feature, then the server must provide
>> stapling.
>>
>> Is it a surprise to you that your cert has this extension enabled? I
>> think you have to specifically request Must-Staple when requesting a
>> cert from LE.
>
> Maybe it is related to the fact that I am using mod_md in Apache httpd
> and just moved the certificate/key to use the pair in Tomcat.
>
> And yes, I have Must-Staple in the certificate but I don't know why...
If you had mod_md request the cert, I suspect it included "must staple"
in the request, since mod_md should be performing the stapling internally.
If you copied the cert from that environment into Tomcat, then you will
likely have to enable stapling there, in Tomcat, too.
-chris
Re: Problems with let's encrypt
Posted by jean-frederic clere <jf...@gmail.com>.
On 19/09/2021 15:22, Christopher Schultz wrote:
> Jean-Frederic,
>
> On 9/19/21 03:09, jean-frederic clere wrote:
>> Hi,
>>
>> I have some problems with Let's Encrypt certificates and Firefox;
>> basically I get:
>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>
>> It looks like tomcat and tomcat-native are missing something with my
>> certificate, the same certificate with httpd.
>>
>> The work-around is security.ssl.enable_ocsp_must_staple=false in the
>> Firefox configuration.
>>
>> Does anyone have the same problem?
>>
>> I think it is related to
>> +++
>> Authority Information Access:
>> OCSP - URI:http://r3.o.lencr.org
>> CA Issuers - URI:http://r3.i.lencr.org/
>>
>> +++
>> and SSLUseStapling On
>
> Does your certificate have the Must-Staple extension/feature in it? If
> the cert has the Must-Staple feature, then the server must provide
> stapling.
>
> Is it a surprise to you that your cert has this extension enabled? I
> think you have to specifically request Must-Staple when requesting a
> cert from LE.
Maybe it is related to the fact that I am using mod_md in Apache httpd
and just moved the certificate/key to use the pair in Tomcat.
And yes, I have Must-Staple in the certificate but I don't know why...
>
> -chris
>
--
Cheers
Jean-Frederic
Re: Problems with let's encrypt
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jean-Frederic,
On 9/19/21 03:09, jean-frederic clere wrote:
> Hi,
>
> I have some problems with Let's Encrypt certificates and Firefox;
> basically I get:
> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>
> It looks like tomcat and tomcat-native are missing something with my
> certificate, the same certificate with httpd.
>
> The work-around is security.ssl.enable_ocsp_must_staple=false in the
> Firefox configuration.
>
> Does anyone have the same problem?
>
> I think it is related to
> +++
> Authority Information Access:
> OCSP - URI:http://r3.o.lencr.org
> CA Issuers - URI:http://r3.i.lencr.org/
>
> +++
> and SSLUseStapling On
Does your certificate have the Must-Staple extension/feature in it? If
the cert has the Must-Staple feature, then the server must provide stapling.
Is it a surprise to you that your cert has this extension enabled? I
think you have to specifically request Must-Staple when requesting a
cert from LE.
-chris
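The question "does your certificate have the Must-Staple extension?" can be answered mechanically: Must-Staple is the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing the status_request feature, which `openssl x509 -in cert.pem -noout -text` prints as "TLS Feature: status_request". The following is an added example, not code from the thread, Tomcat, httpd or mod_md: a dependency-free DER walker in Python that finds that extension in a DER certificate (or in just its Extensions block) and reports whether the server is obliged to staple; the sample extension bytes at the bottom are constructed, not a real Let's Encrypt certificate.

```python
"""Detect the Must-Staple marker (RFC 7633 TLS Feature extension) in DER-encoded X.509 data."""

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # id-pe-tlsfeature 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS extension number for status_request, i.e. OCSP stapling


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV inside a constructed value."""
    while start < end:
        tag, vstart, vend = _tlv(buf, start)
        yield tag, vstart, vend
        start = vend


def tls_features(der):
    """Feature numbers of the first TLS Feature extension found in der, or None if absent."""
    def walk(start, end):
        for tag, vstart, vend in _children(der, start, end):
            if tag == 0x30:  # SEQUENCE: an Extension is SEQUENCE { OID, [BOOLEAN], OCTET STRING }
                kids = list(_children(der, vstart, vend))
                if kids and kids[0][0] == 0x06 and der[kids[0][1]:kids[0][2]] == TLS_FEATURE_OID:
                    _, octets_start, _ = kids[-1]  # extnValue is always last (critical is optional)
                    _, istart, iend = _tlv(der, octets_start)  # its content is SEQUENCE OF INTEGER
                    return [int.from_bytes(der[s:e], "big") for _, s, e in _children(der, istart, iend)]
            if tag & 0x20:  # any constructed type (SEQUENCE, [3] Extensions, ...): descend
                found = walk(vstart, vend)
                if found is not None:
                    return found
        return None
    return walk(0, len(der))


def requires_stapling(der):
    """True when the cert carries Must-Staple (TLS Feature listing status_request); serving such
    a cert without a stapled OCSP response triggers MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING."""
    feats = tls_features(der)
    return feats is not None and STATUS_REQUEST in feats


def _der(tag, value):
    """Short-form DER encoder for the constructed samples below (values shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value


# Constructed samples (not real certificates): an Extensions SEQUENCE holding an empty
# basicConstraints, with and without a TLS Feature extension that requires status_request.
_BASIC = _der(0x30, _der(0x06, bytes.fromhex("551d13")) + _der(0x04, _der(0x30, b"")))
_MUST_STAPLE = _der(0x30, _der(0x06, TLS_FEATURE_OID) + _der(0x04, _der(0x30, _der(0x02, b"\x05"))))
MUST_STAPLE_EXTS = _der(0x30, _BASIC + _MUST_STAPLE)
PLAIN_EXTS = _der(0x30, _BASIC)
```

On a real certificate, pass the bytes of the DER file (or the base64-decoded body of the PEM) to `requires_stapling`; a True result means the Tomcat connector must serve a stapled OCSP response, exactly as httpd does with SSLUseStapling On.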