OCSP stapling issue on https://www.mapper.ntppool.org/

I was trying to integrate a probe for https://www.mapper.ntppool.org/ into one of my web pages, but found that it is not working at least with Firefox default settings. The issue seems to relate to OCSP stapling:

The certificate on www.mapper.ntppool.org requires the browser to ensure a stapled OCSP response is present in the TLS handshake. However, it seems the server is not including such a stapled OCSP response, thus Firefox refuses to load the resource behind the URL.


@PoolMUC welcome to the community!
Correct observation: the server should send the OCSP status response, or the certificate should not contain the “OCSP must staple” option.
https://www.ssllabs.com/ssltest/analyze.html?d=www.mapper.ntppool.org

I see the same on ssllabs.com, but I can’t figure out where in the certificate it’s set.

I don’t see in openssl s_client -connect www.mapper.ntppool.org:443 | openssl x509 -noout -text where OCSP must-staple comes from? (I also had trouble finding other examples on the internet with that attribute to compare …)

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mapper.ntppool.org
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:9d:b4:09:e5:bb:bc:4c:87:13:8f:42:cf:c9:2e:32:8e:4f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jun 13 23:49:46 2023 GMT
            Not After : Sep 11 23:49:45 2023 GMT
        Subject: CN = mapper.ntppool.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f8:06:f3:ad:ce:d9:24:a5:30:c9:85:2d:db:19:
                    68:24:d7:0b:b2:77:8a:cc:d2:a0:49:95:9e:9a:cc:
                    b5:a5:d8:2f:10:e8:e7:d6:18:d6:68:2c:9d:90:df:
                    e0:06:fb:56:f8:6c:ec:75:18:50:23:37:3e:11:c0:
                    c0:df:d8:6e:43:fb:dc:54:4c:a4:42:79:ed:44:f6:
                    dd:f0:82:d5:82:18:41:04:ae:d3:9a:ee:6c:5a:e8:
                    06:79:cf:27:43:eb:6d:52:e4:22:fe:e7:d7:b0:bc:
                    82:1f:12:f8:37:d0:26:c9:c3:ce:31:73:6a:8e:3b:
                    b2:0f:24:7e:b8:7b:2e:c8:3c:02:6e:73:f3:e7:1a:
                    6b:b5:2b:5b:c6:14:0c:1b:f0:d5:c7:f8:db:30:08:
                    4f:12:b3:95:f6:c9:cf:a2:7d:45:56:2b:f3:73:82:
                    27:40:c3:75:e1:52:8b:69:2c:2b:6c:db:8d:a3:d7:
                    82:87:61:cf:aa:36:4f:43:05:6d:f5:ce:ea:a8:09:
                    0c:a9:47:cc:d7:b8:b4:fd:a8:78:cb:d5:77:de:e0:
                    e1:17:db:d8:d0:d4:13:32:54:15:6f:18:3f:70:97:
                    cd:f8:5b:45:6d:4e:12:65:f5:25:cf:08:3d:e3:61:
                    e1:8f:9a:3f:66:77:72:e7:93:64:73:a3:1e:31:b8:
                    47:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                13:18:BF:8D:2E:B4:01:FC:90:F8:7D:AE:F3:C2:FF:6E:EA:07:DC:D7
            X509v3 Authority Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.mapper.ntppool.org, DNS:mapper.ntppool.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Jun 14 00:49:46.112 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:DA:2B:04:3A:5A:72:9C:C6:C4:C8:E4:
                                8A:E1:71:E1:10:30:DD:0D:74:6C:4A:0D:76:3B:FA:BE:
                                DA:EA:E8:0C:E5:02:21:00:95:12:4A:4B:F2:18:82:86:
                                63:BE:97:C7:B0:40:67:E0:9A:1F:F5:EF:82:64:96:1B:
                                89:A3:B4:0A:BC:94:44:D8
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Jun 14 00:49:46.135 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:BF:74:68:D9:64:DD:10:F9:34:FF:03:
                                DC:37:69:A6:D8:DF:BD:59:4A:9E:80:52:73:78:5D:F2:
                                F2:0C:A6:5D:07:02:21:00:84:81:63:2C:C1:85:00:0B:
                                DD:DC:FE:F6:D4:E6:80:15:7A:B7:CA:0C:E6:CC:23:FF:
                                DC:5C:B6:1A:FA:8E:FD:5B
            TLS Feature:
                status_request
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        40:e7:8f:aa:7c:1a:e0:f9:c2:d8:4d:c6:9b:8c:23:05:a7:47:
        a0:74:73:cf:9f:da:24:1e:80:e5:26:b6:ac:ad:07:ef:57:16:
        f6:9c:7a:24:ba:d7:32:dc:9a:3d:db:45:7e:b7:e4:a0:bb:d8:
        62:e1:e3:99:2f:0b:92:30:9c:45:0d:a3:7e:53:e0:81:2b:e0:
        e8:66:1a:0a:19:98:2f:cc:95:8f:b8:eb:7c:e5:11:02:9f:f8:
        4f:e5:95:35:56:50:e7:6c:64:9e:28:0e:c7:42:ff:77:90:40:
        21:76:fc:bf:d0:24:a9:ab:62:9d:20:5b:31:3c:e4:10:96:34:
        19:ee:6f:b8:79:f7:3d:d2:73:da:35:b8:8c:7d:a8:f3:65:06:
        56:d3:e4:aa:ef:00:2a:e4:06:c6:bc:0f:71:43:be:42:c1:3a:
        36:e7:b7:4f:c2:6c:b0:c3:23:13:4c:68:2f:7e:78:7f:e2:63:
        7c:41:37:ea:04:46:5b:89:3a:9c:b4:82:51:25:44:ed:d7:42:
        a0:5a:03:94:41:e9:c8:fd:21:68:34:94:ec:ff:9e:21:e8:f6:
        c2:9f:70:8f:5e:2b:2d:e2:cd:35:27:8b:fd:d9:30:c8:4e:c8:
        2e:0b:72:73:1a:a5:7a:c6:bb:4f:99:a8:4a:05:11:6d:33:4d:
        7a:dc:1e:33

It is:

TLS Feature:
    status_request

Ah, how obscure! Thank you (and to @PoolMUC), it’ll be fixed shortly.


Thanks @ask for addressing this, looking good now.
Thanks @NTPman for the welcome and support on this matter.


It looks like the certificate of www.mapper.ntppool.org is not renewed automatically; the connection is failing now. Please note that Let's Encrypt is not supporting OCSP for certificate revocation information any more, only CRL.


Now I see that a not-so-recent but valid certificate is applied to the web site.
