SSL Cert Issue MOZILLA_PKIX_ERROR_

Hello,

I ran into the same issue as in this topic, going through the same steps: generating certs with Simple SSL in WordPress and manually installing the certificates through the Odin CP panel on the Blacknight Solutions website. Firefox says "Secure Connection Failed", but the certificate works in Chrome, Edge, Brave, and Opera.

The certificate works on all browsers apart from Mozilla Firefox, which gives me the error code below:

Secure Connection Failed

An error occurred during a connection to pynespreserves.ie. A required TLS feature is missing.

Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

My domain is: www.pynespreserves.ie

I have contacted the provider, who suggested that the SSL cert installed on the domain lacks the required TLS security and needs to be replaced with something more up to date.
I have also read the above topic and I went through this website to check, but no issues were detected: https://decoder.link/sslchecker/pynespreserves.ie/443. I am only new to website development and CMS; would there be anybody to advise on how to solve this problem? @griffin would you possibly know the solution?

Thank you.

Your certificate has the "must staple" TLS extension enabled. This requires OCSP stapling on the webserver, which is not the case. Browsers will reject the connection if the certificate requires OCSP stapling, but the webserver does not staple an OCSP response.

Solution: enable OCSP stapling on your webserver

Alternative solution: get a cert without the "must staple" extension enabled.

7 Likes
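The mismatch described in the reply above can be checked from a shell with `openssl`. This is an added example, not part of the original thread: it tests whether a certificate carries the must-staple extension and whether a captured handshake contains a stapled OCSP response. The function names, `HOST` and `example.test` are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: detect the must-staple mismatch behind
# MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING.

# 0 if the PEM certificate in $1 carries the TLS Feature extension
# (OID 1.3.6.1.5.5.7.1.24) listing status_request, i.e. "must staple".
cert_requires_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'TLS Feature' | grep -q 'status_request'
}

# 0 if the `openssl s_client -status` output saved in $1 shows a stapled OCSP
# response. Without one, s_client prints "OCSP response: no response sent".
handshake_has_staple() {
    grep -q 'OCSP Response Status: successful' "$1"
}

# Verdict for certificate file $1 and captured handshake output $2.
staple_verdict() {
    if ! cert_requires_staple "$1"; then
        echo "ok: certificate does not require stapling"
    elif handshake_has_staple "$2"; then
        echo "ok: must-staple certificate, server staples"
    else
        echo "broken: must-staple certificate, no stapled response"
    fi
}

# Constructed test data: throwaway self-signed certificate for the made-up
# name example.test, with the must-staple extension when $2 is "staple".
make_demo_cert() {
    out=$1
    if [ "${2:-}" = staple ]; then set -- -addext "tlsfeature=status_request"; else set --; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# Live use (needs network; HOST is a placeholder). s_client prints the leaf
# certificate as PEM, so the same capture serves as both arguments:
#   openssl s_client -connect HOST:443 -servername HOST -status </dev/null >hs.txt 2>&1
#   staple_verdict hs.txt hs.txt

# Demo on constructed inputs: must-staple cert, server that does not staple.
d=$(mktemp -d)
make_demo_cert "$d/leaf.pem" staple
echo 'OCSP response: no response sent' > "$d/hs.txt"
staple_verdict "$d/leaf.pem" "$d/hs.txt"
rm -rf "$d"
```

A "broken" verdict corresponds to the two fixes named in the reply: enable stapling on the web server, or reissue the certificate without the extension.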

Thank you,
I don't think I can enable OCSP on the server itself, so I went to disable the OCSP in the Really Simple SSL and generated new certificates with this option disabled. They are now re-uploaded to include the CA bundle. The website still doesn't display on Mozilla, but I am now also getting this message on WordPress:

Warning: An option that requires the .htaccess file is enabled, but the file does not exist. Please add the following lines to your .htaccess, or set it to writable:
Options -Indexes

1 Like

Currently, I still see a certificate from yesterday with the "must staple" feature enabled. And when looking at Certificate Log search sites (e.g. crt.sh | pynespreserves.ie but performance is pretty low on that site currently), I don't see a new certificate from today? Are you sure you've generated a new certificate?

4 Likes

It must not have saved properly before, thank you for pointing this out to me. I went in there just now again and generated this once again, uploaded it to the CP and, fingers crossed, it seems to be working now, at least for me. I am still getting the .htaccess warning on the Really Simple plugin but I may just leave it. Thank you for the help.

1 Like

Seems to be good now, indeed.

I have no idea what that warning is all about. And I'm pretty sure it's outside of the scope of this Community 🙂

4 Likes
