PKIX error with Firefox

I'm getting this error when I try to connect to my website using Firefox (no issue with Chrome): MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING.
It seems to be related to OCSP Must-Staple.

What exactly do I need to do to fix this Must-Staple thing? Do I need to recreate the certificate with a specific switch?

My domain is: jarjar.blog
My web server is: Apache 2
The operating system my web server runs on is (include version): Debian

Correct. The certificate currently sent by your webserver has the status_request TLS Extension (a.k.a. "must staple"). Therefore, your Apache is required to send an OCSP response stapled in the TLS ClientHello. But it doesn't.

Also, your Apache is not sending the correct chain: it just sends the end leaf certificate without any intermediate certificate.

Thus, you have two issues.

As Let's Encrypt is ending OCSP support to begin with (Ending OCSP Support in 2025 - Let's Encrypt), it's probably a good idea to NOT include the "must staple" TLS Extension in your certificate.

By the way, you seem to have two separate certificates for your domain: crt.sh | jarjar.blog. One wildcard cert for jarjar.blog and *.jarjar.blog with "must staple" enabled and currently in use and a later one for jarjar.blog, mail.jarjar.blog and www.jarjar.blog without the "must staple" extension, but only in use for mail.jarjar.blog.

Solution:

  • remove the "must staple" extension from your certs;
  • send the entire chain.

How?

I dunno, because you have not provided enough information with regard to your certificate issuance and management.

3 Likes
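The two checks the answer above performs (does the certificate carry the "must staple" extension, and does the server staple an OCSP response and send its intermediates) can be scripted with the openssl CLI. The following is an added example written for this thread, not code from the original poster or from Let's Encrypt; it assumes openssl 1.1.1 or newer is installed, and `example.test` is a constructed name used only for the throwaway self-signed certificates the script builds for itself.

```shell
#!/bin/sh
# Added example (not from the thread). Detects the "must staple" extension
# (RFC 7633 TLS Feature with status_request) in a PEM certificate and, for a
# live server, reports whether an OCSP response was stapled and how many
# certificates the server sent. Assumes the openssl CLI, 1.1.1 or newer.

# Return 0 when the certificate carries "TLS Feature: status_request"
# (the extension Firefox enforces as MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING),
# 1 otherwise.
has_must_staple() {
    cert="$1"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | awk '/TLS Feature/ { f = 1; next } f { print; exit }' \
        | grep -q 'status_request'
}

# Build a throwaway self-signed certificate with or without the must-staple
# extension and print its path. Constructed test data only; "example.test"
# is a placeholder name, not a real host.
make_test_cert() {
    with_ext="$1"   # "yes" or "no"
    dir=$(mktemp -d)
    if [ "$with_ext" = "yes" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=example.test" -addext "tlsfeature=status_request" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=example.test" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    fi
    echo "$dir/cert.pem"
}

# Probe a live HTTPS server (needs network, so not part of the offline test).
# -status asks for a stapled OCSP response; -showcerts prints every
# certificate the server sends, so a count of 1 means no intermediate,
# which is the second problem the answer above identified.
probe_server() {
    host="$1"
    out=$(openssl s_client -connect "$host:443" -servername "$host" \
              -status -showcerts </dev/null 2>/dev/null)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "stapled OCSP: yes"
    else
        echo "stapled OCSP: no"
    fi
    n=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE')
    echo "certificates sent: $n"
}

# Stand-alone usage: check a local cert, then (optionally) a live host.
if [ -n "$1" ]; then
    if has_must_staple "$1"; then
        echo "$1: must-staple present (server MUST staple OCSP)"
    else
        echo "$1: no must-staple extension"
    fi
fi
[ -n "$2" ] && probe_server "$2"
```

Run it as `sh check.sh /etc/letsencrypt/live/<domain>/cert.pem jarjar.blog`. If the first line reports the extension, the fix in the answer applies: reissue without it (with Certbot that means not passing `--must-staple`), and point Apache's `SSLCertificateFile` at Certbot's `fullchain.pem` rather than `cert.pem` so the intermediate is sent (Apache 2.4.8 and later read the whole chain from that one file).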

Awesome answer! Thank you!
So, I regenerated the certificate with Certbot, and it seems better now.

1 Like
