Firefox says "Secure Connection Failed" but certificate works in Chrome, Edge, Brave, and Opera

SSL report rates as B but indicates "OCSP response is not stapled" and "server's certificate chain is incomplete":

https://www.ssllabs.com/ssltest/analyze.html?d=www.katearbon.com&hideResults=on

Host is www.blacknight.com. Hosting is Linux shared hosting.

I've generated a Let's Encrypt certificate using the Really Simple SSL plugin for WordPress.

I installed certificate.cert and private.pem via control panel using host's instructions:

Control panel is called Odin Panel. Not sure if it's a known panel or bespoke.

Certificate works (i.e. shows lock) in Chrome, Edge, Brave, and Opera but not Firefox. Firefox displays the following warning:

Secure Connection Failed

An error occurred during a connection to katearbon.com. A required TLS feature is missing.

Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.

Kapersky is also blocking access in multiple browsers due what it detects to be an invalid certificate.

1 Like

This server certificate supports OCSP must staple but OCSP response is not stapled

not sure why that client requested must-staple certificate? you will need to config OCSP stapling or get a new certificate withtout OCSP extension
firefox hard fails in this case, chromium-based browsers doesn't care about OCSP IIRC
it's not likely hosting can give proper must-staple, as nginx skips stapling in first connect, and apache does not preload stapling response

3 Likes

I asked host if OCSP stapling is something they need to enable to resolve this. Host said it isn't something they can change on a shared server and that the certificate (how it's configured I presume) is the issue.

you will need to config OCSP stapling or get a new certificate withtout OCSP extension

Based on my host's response, I presume I can't config OCSP stapling. How do I get a new certificate without OCSP extension?

1 Like

looks like its the really-simple one snicked it in, you may need different client go get cert from:
I think you will like a php client : certsage? @griffin

3 Likes

Welcome to the Let's Encrypt Community, Kate :slightly_smiling_face:

Perhaps of concern is that there are no intermediate certificates being served with your certificate:

https://decoder.link/sslchecker/katearbon.com/443

Try using the following as your certificate file along with your existing private key file:

katearbon.pem (5.8 KB)

2 Likes

in addition to that for some reason kate's client (really simple ssl for wordpress) I think it forces(or at least by default) request cert with OCSP must-staple, and her hosting provider doesn't support stapling so it's broken config she will need new certificate

3 Likes

Thanks, Griffin. I've used the katearbon.pem as instructed but Firefox is still displaying the same warning. Perhaps I need to wait a few minutes more for new certificate file to take effect.

2 Likes

Firefox caches all the intermediate certificate it saw. as firefox problem itself was server reply without OSCP staple when certificate have must-staple extension, you will need a new one:

2 Likes

I've inputted email and domains but wasn't sure what to input for:

Code
Contents of this file:
../CertSage/code.txt

...so I left it blank.

I received the following error message:

Trouble...

code was incorrect

If you need help with resolving this issue, please post a topic in the help category of the Let's Encrypt Community.

Click here to start over.

1 Like

that script will put that code.txt file on that folder: look into it using ftp(or whatever you use to put a new file there) and copy the text file's content.

3 Likes

I've used FTP to create a folder named CertSage (same directory as certsage.php) and a file inside it called code.txt.

I'm still receiving the same error message:

Trouble...

code was incorrect

Do I need to input something in the code textbox?

1 Like

ya . download that code.txt: it's content will be changed: paste that into box
iirc code will change every time certsage.php accessed

1 Like

I've opened code.txt. It's blank.

This is the error I get when I try to process the CertSage form.

1 Like

hmmm permission problem? @griffin could you debug this?

1 Like

I've made some progress. I found the CertSage directory (one directory above web root) and copied the contents of code.txt and pasted it into the code textbox. The form has processed.

I've installed certificate.crt and certificate.key. This appears to have resolved the issue with Firefox.

@griffin How did you generate the .pem file you provided me? I'd like to serve intermediate certificates with the new certificate.generated by CertSage.

1 Like

Sorry, was away, but back. Yes, the code.txt changes each time the CertSage page is loaded as @orangepizza correctly mentioned before.

I created it manually by retrieving the certificates from Chain of Trust - Let's Encrypt. You won't need to manually do anything though. :grin: If you look inside the certificate.crt that CertSage generated, you'll see that both of the intermediate certificates are in that file already because CertSage downloads the correct full chain directly from Let's Encrypt every time you generate a certificate.

1 Like

If you're giving the interface the certificate file containing the full chain and it's only using the first certificate (your leaf certificate), that's rather strange. Is there a "CA certificate" or "CA bundle" upload?

2 Likes

[...] both of the intermediate certificates are in that file already because CertSage downloads the correct full chain directly from Let's Encrypt every time you generate a certificate.

That's great. The SSL checker you linked to earlier says:

Chain Issues: The chain doesn't contain any intermediate certificates

https://decoder.link/sslchecker/katearbon.com/443

Is this of concern?

1 Like

Yes, there's an "Install CA certificate" upload.

screenshot.2021-10-07 (3)

2 Likes

Yes, because without the intermediates, many browsers may struggle to verify. Many modern ones (like Chrome/Chromium) will be OK with just the leaf though.

2 Likes