Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING caused by ocsp must staple, SSL labs says stapling is OK

  • 3 replies
  • 1 has this problem
  • 47 views
  • Last reply by Andy Pilate

more options

Hi,

I'm getting a MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error on my website cubox.dev Using Firefox Developer Edition.

Nginx is configured to ocsp response, and disabling this flag in the advanced settings in Firefox fixes this issue, but I can't ask everyone to do that. SSLLabs are indicating that ocsp stapling is working fine: https://www.ssllabs.com/ssltest/analyze.html?d=imonia.fr&s=89.163.242.17&hideResults=on

Could someone tell me why this is an issue? Is there a problem with the way my server is stapling my responses? You can test against my server: cubox.dev

Thanks

All Replies (5)

more options

I'm gonna disable must stapling on my server to fix the issue. I'll bring it back if someone wanna test it. Or give me the commands to run (openssl) and I'll get you the info

Helpful?

more options

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://cubox.dev directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).

Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

Helpful?

more options

Shashank Shekhar said

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided. When I load https://cubox.dev directly I don't get an error. Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016). Does it make any difference if you toggle this setting: (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste ocsp and pause while the list is filtered (3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

As I mentionned above, I disabled the "must staple" from my server in order to let firefox users access the site. I'll enable it back so you can test the website again.

I am not using a proxy.

As I mentionned in my initial message (but it was not really clear), disabling the security.ssl.enable_ocsp_must_staple flag does fix this issue. But this cannot be a fix, since I cannot ask every user to do this.

Helpful?

more options

Still a problem with LetsEncrypt, lighttpd web server, and latest Firefox as well as Firefox 81.0.2.

Try this: https://egbert.net/

Helpful?

more options

Strange. Posted a comment earlier. And it's a No-Show. Re-edited this comment.

This is still the exact problem with LetsEncrypt, Firefox 81.0.2.

The setting `security.ssl.enable_ocsp_must_staple preference` is no longer working in `True` or `False.

Try https://egbert.net/

Modified by s.egbert

Helpful?

Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.