Open Raxiel1987 opened 6 days ago
(I thought this error would be fixed with the OCSP fetcher...) So you are accessing NPMplus over a private network?
either directly using a private IP/DNS rewrite to a private IP, or using a public IP but the same public IP as NPMplus
yes, I try to access the websites on the same network as NPMplus, so this should be the cause? In that case, no problem; I thought the problem was for everyone on Firefox :)
so you're planning to fix the OCSP fetcher?
the problem affects everyone using Firefox and accessing NPMplus over a private IP (or the same public IP)
the problem can be fixed in two ways: disabling OCSP fetching in the Firefox settings or disabling must-staple in NPMplus
I will add an env/UI option to support disabling must-staple
oh ok... good, will wait for the fix :D thank you
> the problem can be fixed in two ways: disabling OCSP fetching in the Firefox settings or disabling must-staple in NPMplus

could disabling must-staple in NPMplus be dangerous, or a security risk? Because if only I have the problem on my local network... no problem :D
(simplified) So in general, OCSP is used to check if a cert was revoked. must-staple enforces this check, so it needs to be checked, otherwise it fails. There are two ways for this check: 1. the client asks the CA if the cert is valid (only done in Firefox) or 2. stapling, which is done by NPMplus. Stapling is like a second short-lived cert in addition to the normal cert. Stapling works well and is no problem with must-staple and local IPs. The client-side Firefox check always fails on local IPs, but only throws an error with must-staple enabled.
Disabling this check in Firefox (Chromium always has it disabled) has pros and cons: pros of disabling it in Firefox:
cons of disabling it in Firefox:
same for must-staple: pros:
cons:
as you see, this is not a yes-or-no question
to talk about the future: Let's Encrypt wants to stop supporting OCSP at all (including server-side stapling), because the client requests (like Firefox does) are very expensive for them. They want to switch to those outdated local databases included in browsers.
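The explanation above turns on one certificate extension: RFC 7633 "TLS Feature" (OID 1.3.6.1.5.5.7.1.24) listing feature 5 (status_request), which is what "must-staple" means on the wire and what Firefox's MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING refers to. The following is an added example, not NPMplus code and not from anyone in this thread: a standard-library-only Python checker that walks a DER certificate and reports whether it carries must-staple, so you can confirm which of your certs are affected before deciding whether to disable it. The certificate it runs on is constructed inline and unsigned (sample input only); the `der`/`encode_oid` helpers and `build_unsigned_cert` exist just to produce that sample.

```python
"""Detect the RFC 7633 TLS Feature ("must-staple") extension in a DER certificate.

Added example for this thread; not NPMplus code.  Standard library only.
"""

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS extension type: OCSP status_request


# ---- minimal DER reader (enough for X.509 structure) -----------------------
def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value (SEQUENCE/SET)."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Decode OID content octets to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def tls_features(cert_der):
    """Return the feature numbers in the TLSFeature extension, or [] if absent."""
    _, cert, _ = der_read(cert_der)       # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)            # tbsCertificate is its first element
    for tag, value in der_children(tbs):
        if tag != 0xA3:                   # [3] EXPLICIT Extensions
            continue
        _, exts, _ = der_read(value)      # SEQUENCE OF Extension
        for _, ext in der_children(exts):
            fields = list(der_children(ext))
            oid = decode_oid(fields[0][1])
            octets = fields[-1][1]        # extnValue; a BOOLEAN critical may sit between
            if oid == TLS_FEATURE_OID:
                _, seq, _ = der_read(octets)   # Features ::= SEQUENCE OF INTEGER
                return [int.from_bytes(v, "big") for _, v in der_children(seq)]
    return []


def must_staple(cert_der):
    """True when the cert requires a stapled OCSP response (status_request listed)."""
    return STATUS_REQUEST in tls_features(cert_der)


# ---- constructed sample input (unsigned, not a real certificate) -----------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, out)


def build_unsigned_cert(features):
    """Minimal X.509 skeleton; features=None omits the TLSFeature extension entirely."""
    sig_alg = der(0x30, encode_oid("1.2.840.113549.1.1.11") + b"\x05\x00")  # sha256WithRSA
    name = der(0x30, b"")                                                   # empty Name
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, b"\x00"))
    # basicConstraints marked critical, to exercise the "critical flag in between" path
    ext_list = der(0x30, encode_oid("2.5.29.19") + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))
    if features is not None:
        feat_seq = der(0x30, b"".join(der(0x02, bytes([f])) for f in features))
        ext_list += der(0x30, encode_oid(TLS_FEATURE_OID) + der(0x04, feat_seq))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name + validity + name + spki + der(0xA3, der(0x30, ext_list)))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    for label, feats in (("must-staple cert", [STATUS_REQUEST]), ("plain cert", None)):
        print(label, "->", must_staple(build_unsigned_cert(feats)))
```

On a real file, `must_staple(open("cert.der", "rb").read())` gives the same answer as `openssl x509 -in cert.pem -noout -text | grep -A1 'TLS Feature'`; whether the server actually staples can be seen from outside the LAN with `openssl s_client -connect host:443 -status`. Certs issued with certbot's `--must-staple` flag are the ones this will flag.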
oh... I see... so as a web dev, network admin, and so on, I will leave everything as it is now. If the only "problem" I have is this issue on local, it is not important; what I was worried about is that everyone outside could have a problem (because I host 20+ websites on my server), but if it only occurs on local, then it's ok :D, I can live with that
> to talk about the future: Let's Encrypt wants to stop supporting OCSP at all (including server-side stapling), because the client requests (like Firefox does) are very expensive for them. They want to switch to those outdated local databases included in browsers.

I think that Firefox should disable this "feature" in its browser, because Let's Encrypt is used everywhere on the internet, not only on my websites :D
To reduce the costs Let's Encrypt has? Possible, but I think it's too late, and also it has some advantages. When they fully drop it, it will be like must-staple is disabled and the Firefox check also
let's see in the future; anyway, thank you for your help and explanation. If the problem remains on local, also in the future, no problem then :D
in the latest updates I see a strange error happening only in Firefox: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, "a mandatory TLS function is not available" (or something similar, I have translated)
but if I refresh the page the website loads normally (I have many websites and all do the same). I tried to renew the certificates yesterday, but no luck; after some time the error appears again, and this morning the errors again. No logs on nginx, so I assume it is something regarding Firefox directly; on Chromium browsers no errors