OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: gdur on February 07, 2022, 05:50:43 PM

Title: security.ssl.enable_ocsp_stapling
Post by: gdur on February 07, 2022, 05:50:43 PM
I need to disable security.ssl.enable_ocsp_stapling in firefox otherwise the webgui is not accessible. I'm using a letsencrypt cert. How to fix this.
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 07, 2022, 06:29:56 PM
Quote: I'm using a letsencrypt cert
with "must staple"?
"must-staple" behavior can be disabled in ff
https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox#OCSP_Must-staple
Title: Re: security.ssl.enable_ocsp_stapling
Post by: gdur on February 07, 2022, 08:04:53 PM
OCSP Must Staple is enabled.
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 07, 2022, 08:22:46 PM
I think there are three options here:
1) don't use certificates with the "Must Staple" extension for the GUI
2) disable security.ssl.enable_ocsp_stapling in the browser
3) try using the ssl.stapling-file option in the lighty config, but keep in mind that lighttpd itself does not update and maintain the response file; you have to do it yourself
Title: Re: security.ssl.enable_ocsp_stapling
Post by: gdur on February 07, 2022, 10:24:26 PM
Here's what I do not understand:
As far as I can remember the OCSP Must Staple option is enabled by default in the ACME client certificate settings of OPNsense. Why is that if it conflicts with lighttpd? That doesn't make (OPN)sense...
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 08, 2022, 06:46:42 AM
As far as I can see, it's off by default and has always been
https://github.com/opnsense/plugins/commit/0f602e5d7333944281c639e54f52844eb048184c
Title: Re: security.ssl.enable_ocsp_stapling
Post by: gdur on February 08, 2022, 08:48:04 AM
Hi Fright,
Looks like I was wrong. I can't remember switching it on, though, but it's been quite a while since I started to use Letsencrypt.
I guess I can turn it off and generate a new certificate to solve this issue?
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 08, 2022, 08:50:34 AM
Quote: I guess I can turn it off and generate a new certificate to solve this issue?
think so )
Title: Re: security.ssl.enable_ocsp_stapling
Post by: gdur on February 08, 2022, 11:01:32 AM
Sadly it does not. I've disabled the OCSP Must Staple option and generated a new certificate but it doesn't solve the problem. I still need to disable security.ssl.enable_ocsp_stapling in Firefox.
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 08, 2022, 11:52:51 AM
Has the certificate been updated?
Is there really no 1.3.6.1.5.5.7.1.24 extension?
Is the new certificate specified for the GUI?
Did you restart the GUI?
Title: Re: security.ssl.enable_ocsp_stapling
Post by: gdur on February 08, 2022, 05:53:05 PM
Has the certificate been updated? YES
Is there really no 1.3.6.1.5.5.7.1.24 extension? What does this mean?
Is the new certificate specified for the GUI? I guess so (???) Isn't that automatically the case?
Did you restart the GUI? No I didn't, so stupid me (@@!@#$%). Now it works while having security.ssl.enable_ocsp_stapling enabled in Firefox.

However, I just noticed "A problem was detected. Click here for more information." on the dashboard, and the reporter reports ACME-related PHP errors.
Quote: [08-Feb-2022 10:53:26 Europe/Amsterdam] PHP Fatal error:  Uncaught Error: Call to a member function init() on null in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php:634
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php(404): OPNsense\AcmeClient\LeCertificate->runAutomations()
#1 /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php(170): OPNsense\AcmeClient\LeCertificate->issue()
#2 /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php(199): main()
#3 {main}
  thrown in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php on line 634

Could this be related?
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 08, 2022, 06:27:47 PM
Quote: Is there really no 1.3.6.1.5.5.7.1.24 extension? What does this mean?
Doesn't matter now - if everything works now, then the certificate has been updated and the extension is not enabled)
1.3.6.1.5.5.7.1.24 is the OID of the TLS Feature extension, which allows requesting the "must staple" feature
some more info: https://scotthelme.co.uk/ocsp-must-staple/
Quote: I guess so (???) Isn't that automatically the case?
think so. just wanted to make sure  ;)

Quote: just noticed "A problem was detected. Click here for more information." on the dashboard and the reporter reports acme related php errors
Are there any automations configured in the plugin? What automations are listed in the "AcmeClient: running automations for certificate: ***" log line before the error?
It may be some error with the 3.1.0 model migration (I saw forum posts but haven't had time to try to reproduce it yet). This could cause the lack of an automatic GUI restart (if there is an automation for it)
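The question above ("is there really no 1.3.6.1.5.5.7.1.24 extension?") can be answered without the browser. The following is an added example, not code from the thread or from OPNsense: it generates two constructed self-signed test certificates with openssl (one carrying the TLS Feature / Must-Staple extension, one without) and checks a PEM file for that extension; the hostname and port passed to server_staples are placeholders the caller supplies. It assumes openssl 1.1.1 or newer (for -addext).

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): detect the TLS Feature
# extension, OID 1.3.6.1.5.5.7.1.24 ("OCSP Must Staple"), in a PEM certificate.
# The certificates produced here are constructed throwaways for the demo only.

# Return 0 if the certificate in $1 carries the TLS Feature extension, 1 otherwise.
# openssl prints the extension as "TLS Feature:" followed by "status_request".
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "TLS Feature"
}

# Generate a throwaway self-signed certificate into key $1 / cert $2.
# Pass "staple" as $3 to add the Must-Staple extension (as an ACME client
# would when the Must Staple option is enabled).
make_test_cert() {
    key="$1"; crt="$2"
    if [ "$3" = "staple" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$key" -out "$crt" -subj "/CN=must-staple-test" \
            -addext "tlsfeature=status_request" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$key" -out "$crt" -subj "/CN=plain-test" >/dev/null 2>&1
    fi
}

# Live check (needs network, not exercised offline): does the server at
# host:port in $1 actually send a stapled OCSP response? A Must-Staple
# certificate served without a staple is exactly what Firefox rejects.
server_staples() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -status </dev/null 2>/dev/null \
        | grep -q "OCSP Response Status: successful"
}

# Demo run: build both certificates and report which one would trip Firefox.
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/staple.key" "$tmp/staple.crt" staple
    make_test_cert "$tmp/plain.key" "$tmp/plain.crt"
    for c in "$tmp/staple.crt" "$tmp/plain.crt"; do
        if has_must_staple "$c"; then
            echo "$c: Must-Staple set (server must staple, or browsers fail)"
        else
            echo "$c: no TLS Feature extension"
        fi
    done
    rm -rf "$tmp"
}
```

Run has_must_staple against the GUI certificate exported from OPNsense to confirm the extension is gone after re-issuing; server_staples tells you whether lighttpd is actually stapling.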
Title: Re: security.ssl.enable_ocsp_stapling
Post by: franco on February 09, 2022, 10:17:32 AM
Sorry, I haven't read all of it... OCSP was requested for the web GUI once or twice over the years but lighttpd wasn't ready. We should change that as I think it was added there in the meantime. Tickets or PRs welcome.


Cheers,
Franco
Title: Re: security.ssl.enable_ocsp_stapling
Post by: gdur on February 09, 2022, 10:22:44 AM
@Fright
I found the following log entry:
2022-02-08T10:53:26 php AcmeClient: automation not supported: restart_gui
Is this possibly what you were pointing at?
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 09, 2022, 11:24:57 AM
Quote: Is this possibly what you were pointing at?
Yep. It should be configd_restart_gui now imho, so I guess the 3.1.0 migration failed
https://forum.opnsense.org/index.php?topic=26560
I think touching all automations should fix this
Title: Re: security.ssl.enable_ocsp_stapling
Post by: gdur on February 09, 2022, 01:30:07 PM
Thank you!!!
Title: Re: security.ssl.enable_ocsp_stapling
Post by: Fright on February 09, 2022, 06:00:50 PM
@gdur
Glad it worked, thanks for the feedback  ;)