I am using an X2 certificate. When I try to use the China network, I get "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING".
When I disable ocsp_must_staple, the site can be visited. I think the Chinese GFW blocks the OCSP server IP.
Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false
Hello @GodSir and welcome to the community! Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | mydomain.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Test site: m.xiaoyu.net
Site server: Windows Server 2022, IIS 10, TLS 1.3 and 1.2 enabled
IPv4 network: VIRTUA SYSTEMS SAS
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no
Visiting the site from a China Telecom IPv4 network, it can't open and shows "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING".
After switching the security.ssl.enable_ocsp_must_staple preference from true to false, the site opens.
It seems that there is some kind of filtering in place here.
My analysis shows:
nmap m.xiaoyu.net
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 21:18 PST
Nmap scan report for m.xiaoyu.net (185.10.17.74)
Host is up (0.36s latency).
Other addresses for m.xiaoyu.net (not scanned): 2602:fed2:7021::3
rDNS record for 185.10.17.74: mx.xiaoyu.net
Not shown: 994 filtered tcp ports (no-response)
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
465/tcp open smtps
993/tcp open imaps
Your current cert (crt.sh | 7554475879) has "must staple" enabled ("TLS Feature: status_request" in the certificate info from crt.sh/OpenSSL).
When "must staple" is enabled, well, the browser expects a stapled OCSP status. If that won't succeed, it gives the error you've shown.
Fixes:
make sure OCSP stapling is working (note that a stapled OCSP status is different from a separate OCSP request made by the browser. The stapled OCSP status is provided by the webserver in the handshake and should also be configured in the webserver)
if OCSP stapling is not possible: disable the "must staple" feature in your certificate.
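To check both of those points from a shell, here is an added example (not code from the original thread or from any poster): the two functions parse `openssl x509 -noout -text` output for the TLS Feature extension and `openssl s_client -status` output for a stapled response, then `diagnose` combines them into one verdict. The sample inputs are constructed to mimic OpenSSL output, the OCSP URL in them is a placeholder, and `live_check` shows the same logic run against a real host (it needs network access and is not exercised here).

```shell
#!/bin/sh
# Added example: does the cert demand OCSP Must-Staple, and does the
# server actually deliver a staple? Sample inputs below are constructed
# to mimic OpenSSL output; they are not captured from m.xiaoyu.net.

# Reads `openssl x509 -noout -text` output on stdin. Returns 0 when the
# TLS Feature extension (RFC 7633) requests status_request.
# Newer OpenSSL prints "TLS Feature:" followed by "status_request" on the
# next line; older builds show only the raw OID 1.3.6.1.5.5.7.1.24.
cert_has_must_staple() {
  awk '
    /TLS Feature:/                { feat = 1; next }
    feat && /status_request/      { found = 1 }
    /1\.3\.6\.1\.5\.5\.7\.1\.24/  { found = 1 }
    { feat = 0 }
    END { if (found) exit 0; exit 1 }
  '
}

# Reads `openssl s_client -status` output on stdin. Returns 0 only when the
# server stapled a good response. "OCSP response: no response sent" and any
# non-successful status both fail; Firefox rejects both for a must-staple cert.
server_staples_ocsp() {
  grep -q 'OCSP Response Status: successful'
}

# $1 = x509 -text output, $2 = s_client -status output. Prints one verdict.
diagnose() {
  if ! printf '%s\n' "$1" | cert_has_must_staple; then
    echo no-must-staple              # browser never requires a staple
  elif printf '%s\n' "$2" | server_staples_ocsp; then
    echo ok                          # must-staple set and staple delivered
  else
    echo must-staple-without-staple  # MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
  fi
}

# Live check against a real host (needs network): live_check m.xiaoyu.net
# s_client prints the leaf cert in PEM, which `openssl x509` reads directly.
live_check() {
  hs=$(openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null)
  cert=$(printf '%s\n' "$hs" | openssl x509 -noout -text 2>/dev/null)
  diagnose "$cert" "$hs"
}

# Constructed sample output (placeholder OCSP URL, not a real responder).
CERT_MUST_STAPLE='        X509v3 extensions:
            TLS Feature:
                status_request
            Authority Information Access:
                OCSP - URI:http://ocsp.example.net'
CERT_NO_MUST_STAPLE='        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.example.net'
HANDSHAKE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'
HANDSHAKE_NO_STAPLE='OCSP response: no response sent'

# The combination reported in this thread: must-staple cert, no staple sent.
diagnose "$CERT_MUST_STAPLE" "$HANDSHAKE_NO_STAPLE"
```

Because the staple is fetched from the OCSP responder by the web server, not by the browser, run `live_check` from outside the filtered network as well: a staple that is missing from both vantage points points at the IIS stapling configuration rather than at filtering between the client and the OCSP server.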