kerem commented

Owner

Originally created by @zero8d on GitHub (Feb 29, 2024).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/322

Let's encypt certifitactes not working in firefox OCSP fail

Originally created by @zero8d on GitHub (Feb 29, 2024). Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/322 Let's encypt certifitactes not working in firefox OCSP fail

kerem

2026-03-01 15:34:37 +03:00

closed this issue
added the
bug
label

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@0xJacky commented on GitHub (Feb 29, 2024):

Can you provide more details about this issue, like the configuration file of your site and the reproduce steps of this problem.

@0xJacky commented on GitHub (Feb 29, 2024): Can you provide more details about this issue, like the configuration file of your site and the reproduce steps of this problem.

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@jearton commented on GitHub (Mar 4, 2024):

我也遇到了，在firefox里首次访问会有问题，刷新一下又好了。可以用无痕模式稳定复现，OCSP这里出了问题，不知道怎么解决。

Secure Connection Failed

An error occurred during a connection to admin.creatly.team. A required TLS feature is missing.

Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

点一下 try again 就好了

@jearton commented on GitHub (Mar 4, 2024): 我也遇到了，在firefox里首次访问会有问题，刷新一下又好了。可以用无痕模式稳定复现，OCSP这里出了问题，不知道怎么解决。 ![image](https://github.com/0xJacky/nginx-ui/assets/10370433/915b646f-23bf-4ffa-bd21-d01d652fa805) Secure Connection Failed An error occurred during a connection to admin.creatly.team. A required TLS feature is missing. Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. 点一下 try again 就好了

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@jearton commented on GitHub (Mar 4, 2024):

@jearton commented on GitHub (Mar 4, 2024): ![image](https://github.com/0xJacky/nginx-ui/assets/10370433/26623048-3986-47a7-b06d-ec7104fa7ea5) ![image](https://github.com/0xJacky/nginx-ui/assets/10370433/5b88d11f-6707-48e9-a9de-783b3245c4d0)

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@0xJacky commented on GitHub (Mar 4, 2024):

This issue may cause by certificate "must staple", introduced in 1c4fb7afcc.

I think I should a switcher in frontend for user to chose whether they need "must staple" or not.

https://community.letsencrypt.org/t/ssl-cert-issue-mozilla-pkix-error/194269

@0xJacky commented on GitHub (Mar 4, 2024): This issue may cause by certificate "must staple", introduced in 1c4fb7afcc6ba2dfc46c31c44f36e1c3b74836b7. I think I should a switcher in frontend for user to chose whether they need "must staple" or not. https://community.letsencrypt.org/t/ssl-cert-issue-mozilla-pkix-error/194269 <img width="881" alt="image" src="https://github.com/0xJacky/nginx-ui/assets/13096985/58d67490-c30a-48a4-87dc-3ed93dae633a">

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@jearton commented on GitHub (Mar 4, 2024):

server {
    set $server 172.25.10.240;
    set $creation_port 8811;
    set $fab_frog_port 11020;
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name admin.creatly.team;
    ssl_certificate /etc/nginx/ssl/*.creatly.team_creatly.team/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/*.creatly.team_creatly.team/private.key;
    include /etc/nginx/include/server_ssl.conf;
    access_log /var/log/nginx/local/admin.creatly.team_access.log main if=$loggable;
    error_log /var/log/nginx/local/admin.creatly.team_error.log warn;
    include /etc/nginx/include/server_security.conf;
    root /var/www/creatly-admin;
    index index.html;
    # 服务端接口
    location /api/admin {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$creation_port$request_uri;
    }
    location /creation/api/admin/ {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$creation_port/api/admin/;
    }
    location /miaowa/api/admin/ {
        include /etc/nginx/include/location_proxy.conf;
        proxy_pass http://$server:$fab_frog_port/api/admin/;
    }
    location / {
        try_files $uri $uri/ /index.html;
    }
}

我配置了 ssl_stapling 的，就是首次访问有问题，第2次就好了。因为首次访问，nginx会去异步请求ocsp装订信息并缓存到内存里，这里有一个异步时差，导致首次访问返回给firefox浏览器没有ocsp信息，第2次访问就有了。

但是chrome为什么不报错呢，不知道

@jearton commented on GitHub (Mar 4, 2024): ```nginx server { set $server 172.25.10.240; set $creation_port 8811; set $fab_frog_port 11020; listen 80; listen [::]:80; listen 443 ssl; listen [::]:443 ssl; http2 on; server_name admin.creatly.team; ssl_certificate /etc/nginx/ssl/*.creatly.team_creatly.team/fullchain.cer; ssl_certificate_key /etc/nginx/ssl/*.creatly.team_creatly.team/private.key; include /etc/nginx/include/server_ssl.conf; access_log /var/log/nginx/local/admin.creatly.team_access.log main if=$loggable; error_log /var/log/nginx/local/admin.creatly.team_error.log warn; include /etc/nginx/include/server_security.conf; root /var/www/creatly-admin; index index.html; # 服务端接口 location /api/admin { include /etc/nginx/include/location_proxy.conf; proxy_pass http://$server:$creation_port$request_uri; } location /creation/api/admin/ { include /etc/nginx/include/location_proxy.conf; proxy_pass http://$server:$creation_port/api/admin/; } location /miaowa/api/admin/ { include /etc/nginx/include/location_proxy.conf; proxy_pass http://$server:$fab_frog_port/api/admin/; } location / { try_files $uri $uri/ /index.html; } } ``` ![image](https://github.com/0xJacky/nginx-ui/assets/10370433/6b0cd969-bb8c-47f4-80b4-768e55988149) 我配置了 ssl_stapling 的，就是首次访问有问题，第2次就好了。因为首次访问，nginx会去异步请求ocsp装订信息并缓存到内存里，这里有一个异步时差，导致首次访问返回给firefox浏览器没有ocsp信息，第2次访问就有了。但是chrome为什么不报错呢，不知道

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@jearton commented on GitHub (Mar 4, 2024):

我已经被这个问题困扰了很久，貌似无解，期待大神找到解决方法

@jearton commented on GitHub (Mar 4, 2024): 我已经被这个问题困扰了很久，貌似无解，期待大神找到解决方法

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@jearton commented on GitHub (Mar 4, 2024):

我有几个很挫的解决方案，仅供参考：

在 Nginx 中配置 ssl_stapling on 并 reload 后，Nginx 并不会马上获取 OCSP Response，它要等第一个请求过来，再发起异步 OCSP 请求，所以刚开始几个响应，很可能不带 OCSP Stapling。另外，有时候由于 OCSP 域名无法解析，或者服务器无法访问造成 OCSP Response 获取失败，也会导致 OCSP Stapling 无法生效。

如何在 Nginx 启动时就进行 OCSP 装订？

解决方案

两种方案：

在 Nginx 启动后，立刻去访问每个域名，从而能触发 Nginx 去异步请求 OCSP 服务器。
手动获取 OCSP 响应以 DER 编码格式写入到文件里，再使用 'ssl_stapling_file' 指令指向该文件，并定期更新 OCSP 响应。

@jearton commented on GitHub (Mar 4, 2024): 我有几个很挫的解决方案，仅供参考：在 Nginx 中配置 `ssl_stapling on` 并 reload 后，Nginx 并不会马上获取 OCSP Response，它要等第一个请求过来，再发起异步 OCSP 请求，所以刚开始几个响应，很可能不带 OCSP Stapling。另外，有时候由于 OCSP 域名无法解析，或者服务器无法访问造成 OCSP Response 获取失败，也会导致 OCSP Stapling 无法生效。 ### 如何在 Nginx 启动时就进行 OCSP 装订？ #### 相关问答 * How to make OCSP stapling on nginx work：[https://matthiasadler.info/blog/ocsp-stapling-on-nginx-with-comodo-ssl/](https://matthiasadler.info/blog/ocsp-stapling-on-nginx-with-comodo-ssl/) * Priming the OCSP cache in Nginx：[https://unmitigatedrisk.com/?p=241](https://unmitigatedrisk.com/?p=241) * [[Can I make Nginx automatically OCSP staple certificates at reload/restart?](https://serverfault.com/questions/806329/can-i-make-nginx-automatically-ocsp-staple-certificates-at-reload-restart)](https://serverfault.com/questions/806329/can-i-make-nginx-automatically-ocsp-staple-certificates-at-reload-restart) #### 解决方案两种方案： 1. 在 Nginx 启动后，立刻去访问每个域名，从而能触发 Nginx 去异步请求 OCSP 服务器。 2. 手动获取 OCSP 响应以 DER 编码格式写入到文件里，再使用 'ssl_stapling_file' 指令指向该文件，并定期更新 OCSP 响应。

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@ashkov commented on GitHub (Mar 14, 2024):

Please, help, what can I do to request certificate right now without staple, by hands?

I can setup NGINX, but I must copy cert to MailCow, and It does not support staple at all.
So my problem - I can't use IMAPs right now after update.

This issue may cause by certificate "must staple", introduced in 1c4fb7a.

I think I should a switcher in frontend for user to chose whether they need "must staple" or not.

@ashkov commented on GitHub (Mar 14, 2024): Please, help, what can I do to request certificate right now without staple, by hands? I can setup NGINX, but I must copy cert to MailCow, and It does not support staple at all. So my problem - I can't use IMAPs right now after update. > This issue may cause by certificate "must staple", introduced in [1c4fb7a](https://github.com/0xJacky/nginx-ui/commit/1c4fb7afcc6ba2dfc46c31c44f36e1c3b74836b7). > > I think I should a switcher in frontend for user to chose whether they need "must staple" or not.

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@0xJacky commented on GitHub (Mar 14, 2024):

Hi @ashkov, I just push a new commit which revert 1c4fb7a, and please wait for this action complete then you can try to reinstall nginx-ui.

@0xJacky commented on GitHub (Mar 14, 2024): Hi @ashkov, I just push a new commit which revert [1c4fb7a](https://github.com/0xJacky/nginx-ui/commit/1c4fb7afcc6ba2dfc46c31c44f36e1c3b74836b7), and please wait for this [action]( https://github.com/0xJacky/nginx-ui/actions/runs/8277651913) complete then you can try to reinstall nginx-ui.

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@ashkov commented on GitHub (Mar 14, 2024):

Hi @ashkov, I just push a new commit which revert 1c4fb7a, and please wait for this action complete then you can try to reinstall nginx-ui.

I use docker image

@ashkov commented on GitHub (Mar 14, 2024): > Hi @ashkov, I just push a new commit which revert [1c4fb7a](https://github.com/0xJacky/nginx-ui/commit/1c4fb7afcc6ba2dfc46c31c44f36e1c3b74836b7), and please wait for this [action](https://github.com/0xJacky/nginx-ui/actions/runs/8277651913) complete then you can try to reinstall nginx-ui. I use docker image

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@0xJacky commented on GitHub (Mar 14, 2024):

Try to pull this image: uozi/nginx-ui: v2.0.0-beta.18-patch.1 or uozi/nginx-ui:latest

@0xJacky commented on GitHub (Mar 14, 2024): Try to pull this image: uozi/nginx-ui: v2.0.0-beta.18-patch.1 or uozi/nginx-ui:latest

kerem commented

2026-03-01 15:34:38 +03:00

Author

Owner

@l333l commented on GitHub (Dec 8, 2024):

这个我今天也遇到过这个问题，我是通过docker compose部署，下面是我解决办法，
部署前要映射 /var/cache/nginx这个目录
然后就是
sudo touch /var/cache/nginx/ocsp.stapling #这里是你服务器实际的路径
创建ocsp.stapling

sudo chown -R nginx:nginx /var/cache/nginx #服务器路径
sudo chmod -R 755 /var/cache/nginx #服务器路径
设置权限

openssl ocsp -issuer /root/中间证书.pem -cert /root/证书.crt -url http://ocsp.responder.com -respout /var/cache/nginx/ocsp.stapling

-issuer 后面换成域名证书的中间证书的路径(服务器的路径，不是docker里面的)

-cert 后面换成域名证书的路径

/var/cache/nginx/ocsp.stapling 换成服务器实际的路径，就是你部署映射的路径

http://ocsp.responder.com 换成实际的OCSP响应者的URL

要获取OCSP响应者（Online Certificate Status Protocol）的URL，您可以按照以下步骤进行：

查看证书信息：打开您的证书，进入“详细信息”或“扩展”部分。
找到“授权信息访问”（Authority Information Access）：在这里，您会看到OCSP响应者的URL。
(就是点浏览器那个🔒，然后看自己的证书，每个都点开来看，有看到OCSP url 类似字眼，就是URL了)

改好你的信息，然后运行

openssl ocsp -issuer /root/中间证书.pem -cert /root/证书.crt -url http://ocsp.responder.com -respout /var/cache/nginx/ocsp.stapling

然后ocsp.stapling 这个大小就会有变化，就成功了，然后再通过按页面按nginx重启或者重置都成功了，就没有报错了

这是我配置的我是直接配置在nginx.conf文件里的

配置 SSL Stapling

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/中间证书.pem; 
ssl_stapling_file /var/cache/nginx/ocsp.stapling;

@l333l commented on GitHub (Dec 8, 2024): 这个我今天也遇到过这个问题，我是通过docker compose部署，下面是我解决办法，部署前要映射 /var/cache/nginx这个目录然后就是 sudo touch /var/cache/nginx/ocsp.stapling #这里是你服务器实际的路径创建ocsp.stapling sudo chown -R nginx:nginx /var/cache/nginx #服务器路径 sudo chmod -R 755 /var/cache/nginx #服务器路径设置权限 openssl ocsp -issuer /root/中间证书.pem -cert /root/证书.crt -url http://ocsp.responder.com -respout /var/cache/nginx/ocsp.stapling -issuer 后面换成域名证书的中间证书的路径(服务器的路径，不是docker里面的) -cert 后面换成域名证书的路径 /var/cache/nginx/ocsp.stapling 换成服务器实际的路径，就是你部署映射的路径 http://ocsp.responder.com 换成实际的OCSP响应者的URL 要获取OCSP响应者（Online Certificate Status Protocol）的URL，您可以按照以下步骤进行： 1. **查看证书信息**：打开您的证书，进入“详细信息”或“扩展”部分。 2. **找到“授权信息访问”（Authority Information Access）**：在这里，您会看到OCSP响应者的URL。 (就是点浏览器那个🔒，然后看自己的证书，每个都点开来看，有看到OCSP url 类似字眼，就是URL了) 改好你的信息，然后运行 ``` openssl ocsp -issuer /root/中间证书.pem -cert /root/证书.crt -url http://ocsp.responder.com -respout /var/cache/nginx/ocsp.stapling ``` 然后ocsp.stapling 这个大小就会有变化，就成功了，然后再通过按页面按nginx重启或者重置都成功了，就没有报错了这是我配置的我是直接配置在nginx.conf文件里的 # 配置 SSL Stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/中间证书.pem; ssl_stapling_file /var/cache/nginx/ocsp.stapling;

Rows
Columns

[GH-ISSUE #322] Let's encypt certifitactes not working in firefox OCSP fail #4609

如何在 Nginx 启动时就进行 OCSP 装订？

相关问答

解决方案

配置 SSL Stapling