Description
Have a question or an idea? Please search it on our forum to make sure it was not yet asked. If you cannot find what you had in mind, please submit it here.
Prerequisites
Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Issue Details
- Version of AdGuard Home server: v0.106.3
- How did you install AdGuard Home: curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
- How did you set up DNS configuration: On a CentOS VPS.
- CPU architecture: AMD64
- Operating system and version: CentOS 7
Expected Behavior
I run AdGuard Home on a CentOS 7 VPS and have encryption enabled (DoH + DoT + DNS-over-QUIC). I use a ZeroSSL certificate deployed by the acme.sh script. If I use a certificate that has the OCSP-must-staple extension, issued using the command line below:
acme.sh --issue --dns dns_cf --ocsp-must-staple --days 14 -k ec-256 -d domain-name-goes-here.tld ...
I expect that everything will work OK, where DoT/DoH/DNS-over-QUIC work and the WebGUI opens over an SSL connection.
Actual Behavior
But if I use a certificate issued via the command line above, DoT/DoH/DNS-over-QUIC still work OK when accessed from my Raspberry Pi, which also has AdGuard Home installed. But if I want to open the WebGUI via Mozilla Firefox, the browser spits out the error code MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING.
Other browsers like Microsoft Edge have no problem opening the WebGUI.
If I use a certificate without the OCSP-must-staple extension, issued using the command line below:
acme.sh --issue --dns dns_cf --days 14 -k ec-256 -d domain-name-goes-here.tld ...
everything works OK, and Mozilla Firefox can open the WebGUI.
This problem can also be mitigated by setting 'security.ssl.enable_ocsp_must_staple' to FALSE in Firefox's about:config.