security.ssl.enable_ocsp_stapling

Started by gdur, February 07, 2022, 05:50:43 PM

I need to disable security.ssl.enable_ocsp_stapling in Firefox, otherwise the webgui is not accessible. I'm using a letsencrypt cert. How do I fix this?

February 07, 2022, 06:29:56 PM #1 Last Edit: February 07, 2022, 06:56:23 PM by Fright
Quote: I'm using a letsencrypt cert
with "must staple"?
"must-staple" behavior can be disabled in ff
https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox#OCSP_Must-staple


I think there are three options here:
don't use certificates with "Must Staple" extension for GUI
disable security.ssl.enable_ocsp_stapling in the browser
try using the ssl.stapling-file option in the lighty config, but keep in mind that lighttpd itself does not update and maintain the response file; you have to do that yourself

Here's what I do not understand:
As far as I can remember the OCSP Must Staple option is enabled by default in the ACME client certificate settings of OPNsense. Why is that if it conflicts with lighttpd? That doesn't make (OPN)sense...


Hi Fright,
Looks like I was wrong. I can't remember switching it on, though; it's been quite a while since I started using Letsencrypt.
I guess I can turn it off and generate a new certificate to solve this issue?

Quote: I guess I can turn it off and generate a new certificate to solve this issue?
think so )

Sadly it does not. I've disabled the OCSP Must Staple option and generated a new certificate but it doesn't solve the problem. I still need to disable security.ssl.enable_ocsp_stapling in Firefox.

has the certificate been updated?
Is there really no 1.3.6.1.5.5.7.1.24 extension?
Is the new certificate specified for the GUI?
did you restart the GUI?

has the certificate been updated? YES
Is there really no 1.3.6.1.5.5.7.1.24 extension? What does this mean?
Is the new certificate specified for the GUI? I guess so(???) Isn't that automatically the case?
did you restart the GUI? No, I didn't, so stupid me (@@!@#$%). Now it works while having security.ssl.enable_ocsp_stapling enabled in Firefox.

However, I just noticed "A problem was detected. Click here for more information." on the dashboard, and the reporter reports acme-related PHP errors.
Quote: [08-Feb-2022 10:53:26 Europe/Amsterdam] PHP Fatal error:  Uncaught Error: Call to a member function init() on null in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php:634
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php(404): OPNsense\AcmeClient\LeCertificate->runAutomations()
#1 /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php(170): OPNsense\AcmeClient\LeCertificate->issue()
#2 /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php(199): main()
#3 {main}
  thrown in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php on line 634

Could this be related?

Quote: Is there really no 1.3.6.1.5.5.7.1.24 extension? What does this mean?
doesn't matter now - if everything works now, then the certificate has been updated and the extension is not enabled)
1.3.6.1.5.5.7.1.24 is the OID of the TLS Feature extension, which allows a certificate to request the "must staple" feature
some more info: https://scotthelme.co.uk/ocsp-must-staple/
Quote: I guess so(???) Isn't that automatically the case?
think so. just wanted to make sure  ;)

Quote: just noticed "A problem was detected. Click here for more information." on the dashboard and the reporter reports acme related php errors
Are there any automations configured in the plugin? What automations are listed in the "AcmeClient: running automations for certificate: ***" log line before the error?
There may be some errors with the 3.1.0 model migration (I saw forum posts but haven't had time to try to reproduce it yet). This could cause the lack of an automatic GUI restart (if there is an automation for it).
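
To answer the "is there really no 1.3.6.1.5.5.7.1.24 extension" question from the checklist above without guessing, here is an added check. It is example code written for this thread, not code from OPNsense, the ACME plugin or lighttpd. It walks the certificate's DER with the Python standard library only, lists the extension OIDs and reports whether the TLS Feature extension requests status_request (feature number 5), which is what "OCSP Must-Staple" means. The two sample certificates at the bottom are constructed stubs that contain only the fields the walker reads, not real certificates; point the script at a real PEM or DER file to check the GUI certificate.

```python
"""Check an X.509 certificate for the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24)
and whether it requests status_request (5), i.e. "OCSP Must-Staple". Standard
library only: a minimal DER walker instead of the `cryptography` package."""
import base64

OID_TLS_FEATURE = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                       # TLS extension number of status_request


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the content of a constructed DER element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def _decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def load_certificate(data):
    """Accept PEM or DER bytes and return DER."""
    if b"-----BEGIN" in data:
        lines = [l.strip() for l in data.splitlines() if l.strip() and not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def certificate_extensions(der):
    """Return [(oid, critical, extnValue DER)] from tbsCertificate.extensions [3]."""
    _, cert, _ = _read_tlv(der)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert)          # tbsCertificate is its first element
    for tag, body in _children(tbs):
        if tag == 0xA3:                  # [3] EXPLICIT Extensions
            _, ext_seq, _ = _read_tlv(body)
            exts = []
            for _, ext in _children(ext_seq):
                fields = _children(ext)  # OID, [BOOLEAN critical], OCTET STRING
                critical = len(fields) == 3 and fields[1][1] != b"\x00"
                exts.append((_decode_oid(fields[0][1]), critical, fields[-1][1]))
            return exts
    return []


def tls_features(der):
    """Feature numbers listed in the TLS Feature extension, or None if it is absent."""
    for oid, _critical, value in certificate_extensions(der):
        if oid == OID_TLS_FEATURE:
            _, seq, _ = _read_tlv(value)  # TLSFeatures ::= SEQUENCE OF INTEGER
            return [int.from_bytes(body, "big") for _, body in _children(seq)]
    return None


def has_must_staple(der):
    feats = tls_features(der)
    return feats is not None and STATUS_REQUEST in feats


# Constructed sample data (not real certificates): a DER skeleton holding only the
# fields the walker above reads, so both outcomes can be exercised offline.
def _der(tag, content):
    assert len(content) < 0x80           # short-form lengths suffice for the stubs
    return bytes([tag, len(content)]) + content

_TLS_FEATURE_EXT = _der(0x30, _der(0x06, bytes([0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x18]))
                        + _der(0x04, _der(0x30, _der(0x02, b"\x05"))))   # status_request
_BASIC_CONSTRAINTS_EXT = _der(0x30, _der(0x06, bytes([0x55, 0x1D, 0x13])) + _der(0x04, _der(0x30, b"")))

def _stub_cert(*exts):
    tbs = _der(0x02, b"\x01") + _der(0xA3, _der(0x30, b"".join(exts)))
    return _der(0x30, _der(0x30, tbs))

SAMPLE_MUST_STAPLE = _stub_cert(_BASIC_CONSTRAINTS_EXT, _TLS_FEATURE_EXT)
SAMPLE_PLAIN = _stub_cert(_BASIC_CONSTRAINTS_EXT)
SAMPLE_MUST_STAPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_MUST_STAPLE)
                          + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    der = load_certificate(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SAMPLE_MUST_STAPLE
    print("extensions:", [oid for oid, _, _ in certificate_extensions(der)])
    print("TLS features:", tls_features(der), "must-staple:", has_must_staple(der))
```

On the firewall itself the equivalent is `openssl x509 -in /path/to/cert.pem -noout -text`, where a must-staple certificate shows a "TLS Feature: status_request" line (older OpenSSL builds print the raw OID instead), and `openssl s_client -connect fw.example:443 -status` shows whether the server actually delivers a stapled OCSP response (`fw.example` is a placeholder). If the certificate requests the feature and lighttpd does not staple, Firefox refuses the connection unless security.ssl.enable_ocsp_stapling is off, which is the symptom at the top of this thread.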

Sorry, I haven't read all of it... OCSP was requested for the web GUI once or twice over the years but lighttpd wasn't ready. We should change that as I think it was added there in the meantime. Tickets or PRs welcome.


Cheers,
Franco

@Fright
I found the following log entry;
2022-02-08T10:53:26 php AcmeClient: automation not supported: restart_gui
Is this possibly what you were pointing at?

Quote: Is this possibly what you were pointing at?
Yep. It should be configd_restart_gui now, imho, so I guess the 3.1.0 migration failed.
https://forum.opnsense.org/index.php?topic=26560
I think touching all automations should fix this