ZoeyVid / NPMplus

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://hub.docker.com/r/zoeyvid/npmplus
MIT License
502 stars 22 forks

strange error happen on firefox only/MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING #1188

Open Raxiel1987 opened 6 days ago

Raxiel1987 commented 6 days ago

In the latest updates I see a strange error happening only in Firefox: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, "a mandatory TLS function is not available" (or something similar, I have translated it).

But if I refresh the page the website loads normally (I have many websites and all do the same). I tried to renew the certificates yesterday, but no luck: after some time the error appears again, and this morning the error again. No logs on nginx, so I assume it is something regarding Firefox directly; on Chromium browsers no errors.

Zoey2936 commented 6 days ago

(I thought this error would be fixed with the OCSP fetcher...) So you are accessing NPMplus over a private network?

Zoey2936 commented 6 days ago

Either directly using a private IP / DNS rewrite to a private IP, or using a public IP but you use the same public IP as NPMplus.

Raxiel1987 commented 6 days ago

Yes, I try to access the websites on the same network as NPMplus, so this should be the cause? In that case, no problem, I thought the problem was for everyone on Firefox :)

So you're planning to fix the OCSP fetcher?

Zoey2936 commented 6 days ago

Everyone using Firefox and accessing NPMplus over a private IP (or the same public IP) has the problem.

Zoey2936 commented 6 days ago

The problem can be fixed in two ways: disabling OCSP fetching in Firefox settings or disabling must-staple in NPMplus.

Zoey2936 commented 6 days ago

I will add an env/UI option to support disabling must-staple.

Raxiel1987 commented 6 days ago

Oh ok, good, will wait for the fix :D thank you

Raxiel1987 commented 6 days ago

> The problem can be fixed in two ways: disabling OCSP fetching in Firefox settings or disabling must-staple in NPMplus.

Can disabling must-staple in NPMplus be dangerous, or a security risk? Because if only I have the problem on my local network, no problem :D

Zoey2936 commented 6 days ago

(simplified) So in general, OCSP is used to check if a cert was revoked. must-staple enforces this check, so it needs to be checked, otherwise it fails. There are two ways for this check: 1. the client asks the CA if the cert is valid (only done in Firefox) or 2. stapling, which is done by NPMplus. Stapling is like a second short-lived cert in addition to the normal cert. Stapling works well and is no problem with must-staple and local IPs. The client-side Firefox check always fails on local IPs, but only throws an error with must-staple enabled.

Disabling this check in Firefox (Chromium always has this disabled) has pros and cons. Pros of disabling it in Firefox:

Cons of disabling it in Firefox:

Same for must-staple. Pros:

Cons:

As you see, this is not a yes-or-no question.
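The comment above hinges on whether a certificate carries the must-staple marker at all: RFC 7633 defines it as the X.509 TLSFeature extension (OID 1.3.6.1.5.5.7.1.24) containing the value 5, status_request, and a client that sees it and has no fresh OCSP status to go with the certificate refuses the connection. The following is an added example, not code from NPMplus or its author: a dependency-free Python DER walker that reports whether a certificate (DER or PEM) requests OCSP stapling, so an operator can confirm which of their certificates would hit MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING when no staple reaches the browser. The two inputs it ships with are constructed certificate skeletons (the nesting a real certificate uses around its extensions, with every other field left out), not real certificates; the helper names (`find_tls_features`, `requires_ocsp_staple`, `load_pem`) are this example's own.

```python
import base64
import re

# OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature, RFC 7633) as DER content bytes
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
# TLSFeature value 5 = status_request: the cert demands a stapled OCSP response
STATUS_REQUEST = 5


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]. Single-byte tags only, which is all
    X.509 uses. Returns (tag, value, position after the TLV)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _decode_tls_features(extn_value):
    """extnValue of TLSFeature is DER 'SEQUENCE OF INTEGER'."""
    tag, seq, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("TLSFeature extnValue is not a SEQUENCE")
    return [int.from_bytes(v, "big", signed=True) for t, v in _children(seq) if t == 0x02]


def find_tls_features(der):
    """Walk any DER blob (whole certificate, its Extensions, or one Extension)
    and return the TLSFeature integer list, or None if the extension is absent."""
    for tag, value in _children(der):
        if not tag & 0x20:                  # primitive: nothing to descend into
            continue
        kids = list(_children(value))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if tag == 0x30 and kids and kids[0] == (0x06, TLS_FEATURE_OID):
            for t, v in kids:
                if t == 0x04:
                    return _decode_tls_features(v)
        found = find_tls_features(value)
        if found is not None:
            return found
    return None


def requires_ocsp_staple(der):
    """True when the certificate carries must-staple (TLSFeature status_request)."""
    features = find_tls_features(der)
    return features is not None and STATUS_REQUEST in features


def load_pem(pem_text):
    """Strip the PEM armour and return the DER bytes of the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def to_pem(der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed sample input (certificate skeletons, NOT real certificates) ---
def _tlv(tag, payload):
    """Minimal DER encoder used only to build the samples below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _extension(oid_der, extn_value):
    return _tlv(0x30, _tlv(0x06, oid_der) + _tlv(0x04, extn_value))


# basicConstraints (2.5.29.19) with an empty SEQUENCE, as a neighbouring extension
BASIC_CONSTRAINTS = _extension(bytes.fromhex("551d13"), _tlv(0x30, b""))
MUST_STAPLE = _extension(TLS_FEATURE_OID, _tlv(0x30, _tlv(0x02, bytes([STATUS_REQUEST]))))


def _skeleton(*extensions):
    """Certificate { tbsCertificate { ..., [3] EXPLICIT Extensions } } with every
    field except the extensions omitted; enough nesting to exercise the walker."""
    exts = _tlv(0xA3, _tlv(0x30, b"".join(extensions)))
    return _tlv(0x30, _tlv(0x30, exts))


SAMPLE_WITH_MUST_STAPLE = _skeleton(BASIC_CONSTRAINTS, MUST_STAPLE)
SAMPLE_WITHOUT = _skeleton(BASIC_CONSTRAINTS)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # python thisfile.py fullchain.pem
        print("must-staple:", requires_ocsp_staple(load_pem(open(sys.argv[1]).read())))
    else:
        print("sample with must-staple:", requires_ocsp_staple(SAMPLE_WITH_MUST_STAPLE))
        print("sample without:        ", requires_ocsp_staple(SAMPLE_WITHOUT))
```

Pointed at a real `fullchain.pem`, the walker descends through the certificate's nesting exactly as it does through the skeleton, so the answer tells an operator whether the leaf certificate is one that browsers will reject without a staple. It answers only the "does the cert ask for it" half of the question; whether the server actually delivers a staple (the part NPMplus handles) is a separate check against the live TLS handshake.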

Zoey2936 commented 6 days ago

To talk about the future: Let's Encrypt wants to stop supporting OCSP at all (including server-side stapling), because the client requests (like Firefox does) are very expensive for them. They want to switch to these outdated local databases included in browsers.

Raxiel1987 commented 6 days ago

Oh, I see. So as a web dev, network admin, and so on, I will leave everything as it is now. If the only "problem" I have is that I have this issue on local, it is not important; what I was worried about is that everyone outside could have a problem (because I host 20+ websites on my server), but if it only occurs on local, then it is ok :D, I can live with that.

Raxiel1987 commented 6 days ago

> To talk about the future: Let's Encrypt wants to stop supporting OCSP at all (including server-side stapling), because the client requests (like Firefox does) are very expensive for them. They want to switch to these outdated local databases included in browsers.

I think that Firefox should disable this "feature" in its browser, 'cause Let's Encrypt is used everywhere on the internet, not only on my websites :D

Zoey2936 commented 6 days ago

To reduce the costs Let's Encrypt has? Possible, but I think too late, and also it has some advantages. When they fully drop it, it will be like must-staple is disabled and the Firefox check also.

Raxiel1987 commented 6 days ago

Let's see in the future. Anyway, thank you for your help and explanation. If the problem remains only on local, also in the future, no problem then :D