Let's encypt certifitactes not working in firefox OCSP fail about nginx-ui HOT 11 CLOSED

Hi @ashkov, I just push a new commit which revert 1c4fb7a, and please wait for this action complete then you can try to reinstall nginx-ui.

from nginx-ui.

Try to pull this image: uozi/nginx-ui: v2.0.0-beta.18-patch.1 or uozi/nginx-ui:latest

from nginx-ui.

Can you provide more details about this issue, like the configuration file of your site and the reproduce steps of this problem.

from nginx-ui.

我也遇到了，在firefox里首次访问会有问题，刷新一下又好了。可以用无痕模式稳定复现，OCSP这里出了问题，不知道怎么解决。

Secure Connection Failed

An error occurred during a connection to admin.creatly.team. A required TLS feature is missing.

Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

点一下 try again 就好了

from nginx-ui.

from nginx-ui.

This issue may cause by certificate "must staple", introduced in 1c4fb7a.

I think I should a switcher in frontend for user to chose whether they need "must staple" or not.

https://community.letsencrypt.org/t/ssl-cert-issue-mozilla-pkix-error/194269

from nginx-ui.

server {
    set $server 172.25.10.240;
    set $creation_port 8811;
    set $fab_frog_port 11020;
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name admin.creatly.team;
    ssl_certificate /etc/nginx/ssl/*.creatly.team_creatly.team/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/*.creatly.team_creatly.team/private.key;
    include /etc/nginx/include/server_ssl.conf;
    access_log /var/log/nginx/local/admin.creatly.team_access.log main if=$loggable;
    error_log /var/log/nginx/local/admin.creatly.team_error.log warn;
    include /etc/nginx/include/server_security.conf;
    root /var/www/creatly-admin;
    index index.html;
    # 服务端接口
    location /api/admin {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$creation_port$request_uri;
    }
    location /creation/api/admin/ {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$creation_port/api/admin/;
    }
    location /miaowa/api/admin/ {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$fab_frog_port/api/admin/;
    }
    location / {
        try_files $uri $uri/ /index.html;
    }
}

我配置了 ssl_stapling 的，就是首次访问有问题，第2次就好了。因为首次访问，nginx会去异步请求ocsp装订信息并缓存到内存里，这里有一个异步时差，导致首次访问返回给firefox浏览器没有ocsp信息，第2次访问就有了。

但是chrome为什么不报错呢，不知道

from nginx-ui.

我已经被这个问题困扰了很久，貌似无解，期待大神找到解决方法

from nginx-ui.

我有几个很挫的解决方案，仅供参考：

在 Nginx 中配置 ssl_stapling on 并 reload 后，Nginx 并不会马上获取 OCSP Response，它要等第一个请求过来，再发起异步 OCSP 请求，所以刚开始几个响应，很可能不带 OCSP Stapling。另外，有时候由于 OCSP 域名无法解析，或者服务器无法访问造成 OCSP Response 获取失败，也会导致 OCSP Stapling 无法生效。

如何在 Nginx 启动时就进行 OCSP 装订？

相关问答

• How to make OCSP stapling on nginx work：https://matthiasadler.info/blog/ocsp-stapling-on-nginx-with-comodo-ssl/
• Priming the OCSP cache in Nginx：https://unmitigatedrisk.com/?p=241
• [Can I make Nginx automatically OCSP staple certificates at reload/restart?](https://serverfault.com/questions/806329/can-i-make-nginx-automatically-ocsp-staple-certificates-at-reload-restart)

解决方案

两种方案：

1. 在 Nginx 启动后，立刻去访问每个域名，从而能触发 Nginx 去异步请求 OCSP 服务器。
2. 手动获取 OCSP 响应以 DER 编码格式写入到文件里，再使用 'ssl_stapling_file' 指令指向该文件，并定期更新 OCSP 响应。

from nginx-ui.

Please, help, what can I do to request certificate right now without staple, by hands?

I can setup NGINX, but I must copy cert to MailCow, and It does not support staple at all.
So my problem - I can't use IMAPs right now after update.

This issue may cause by certificate "must staple", introduced in 1c4fb7a.

I think I should a switcher in frontend for user to chose whether they need "must staple" or not.

from nginx-ui.

Hi @ashkov, I just push a new commit which revert 1c4fb7a, and please wait for this action complete then you can try to reinstall nginx-ui.

I use docker image

from nginx-ui.