ocsp stapling #531

Closed
skuda opened this issue Sep 24, 2017 · 4 comments

@skuda

commented Sep 24, 2017

Hi,

I am using the amazing feature of Voyager that allows generating Let's Encrypt certificates using ACME DNS-01. The generation is working fine and the site can be visited using SSL with Chrome; HSTS is working fine too.

Today I tried to visit, using Firefox, one of the sites we are testing in a new Kubernetes cluster using one of those generated SSL certificates, and I got this error:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

After a check using ssllabs.com I saw this:

OCSP Must Staple | Supported, OCSP response not stapled

That pointed me to:
https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/

If I change the Firefox about:config section key security.ssl.enable_ocsp_must_staple to false the site works right.

Does Voyager add OCSP stapling support to HAProxy? Thanks!

Miguel.

tamalsaha added a commit that referenced this issue Sep 24, 2017

tamalsaha added a commit that referenced this issue Sep 24, 2017

@tamalsaha

Member

commented Sep 24, 2017

I have disabled the OCSP-must-staple for LE issued certificates. This is the simplest solution for now. You will have to reissue certificates to disable this, after the next release of Voyager.

@skuda

Author

commented Sep 27, 2017

Hi @tamalsaha,

I am closing the bug because the fix is already merged.
When do you plan to make a new release with the fix?

Thanks!

@skuda skuda closed this Sep 27, 2017

@tamalsaha

Member

commented Sep 28, 2017

We hope to get the release out no later than early next week.

tamalsaha added a commit that referenced this issue Dec 13, 2017
