MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error message in WebGUI when using OCSP-must-staple SSL certificate #3028

Open
opened 2026-03-04 02:51:56 -05:00 by deekerman · 1 comment

Originally created by @ufufufu on GitHub (Sep 9, 2021).

Originally assigned to: @ainar-g on GitHub.

Have a question or an idea? Please search it on our forum (https://github.com/AdguardTeam/AdGuardHome/discussions) to make sure it was not yet asked. If you cannot find what you had in mind, please submit it here (https://github.com/AdguardTeam/AdGuardHome/discussions/new).

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Issue Details

  • Version of AdGuard Home server:
    • v0.106.3
  • How did you install AdGuard Home:
    • curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
  • How did you setup DNS configuration:
    • On a CentOS VPS.
  • CPU architecture:
    • AMD64
  • Operating system and version:
    • CentOS 7

Expected Behavior

I run AdGuard Home on a CentOS 7 VPS and have encryption enabled (DoH + DoT + DNS-over-QUIC). I use a ZeroSSL certificate deployed by the acme.sh script. If I use a certificate that has the OCSP-must-staple extension, issued using the command line below:

acme.sh --issue --dns dns_cf --ocsp-must-staple --days 14 -k ec-256 -d domain-name-goes-here.tld ...

I expect that everything will work OK where DoT/DoH/DNS-over-QUIC works and the WebGUI will be opened on SSL connection.

Actual Behavior

But if I use a certificate issued via the command line above, DoT/DoH/DNS-over-QUIC still work OK when accessed from my Raspberry Pi, which also has AdGuard Home installed. But if I want to open the WebGUI via Mozilla Firefox, the browser spits out the error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING.

Other browsers like Microsoft Edge have no problem opening the WebGUI.

If I use a certificate without the OCSP-must-staple extension, issued using the command line below:

acme.sh --issue --dns dns_cf --days 14 -k ec-256 -d domain-name-goes-here.tld ...

Everything works OK, and Mozilla Firefox can open the WebGUI.

This problem can also be mitigated by setting 'security.ssl.enable_ocsp_must_staple' to FALSE in Firefox's about:config.


@ainar-g commented on GitHub (Sep 10, 2021):

Hello and thanks for the report. Unfortunately, it seems like the Go standard library doesn't support this feature currently. There is an accepted proposal (https://github.com/golang/go/issues/22274) from 2008, but it seems like there still isn't an implementation.
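To make the failure mode in this thread concrete, here is an added Go example; it is not AdGuard Home code and not from either participant above. It does two things: it detects the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, value status_request = 5) that acme.sh's --ocsp-must-staple asks the CA to include, and it runs one loopback TLS handshake to see whether the server actually stapled an OCSP response. The combination must-staple=true, stapled=false is exactly what Firefox reports as MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, while a client that does not enforce the extension (Edge in the report, or Firefox with security.ssl.enable_ocsp_must_staple set to false) connects anyway. Everything is standard library only; the certificate is a constructed self-signed one, the staple bytes are a placeholder rather than a real CA-signed OCSP response, and the names HasMustStaple, NewSelfSignedCert, Probe and FirefoxRejects are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pe-tlsfeature (RFC 7633), OID 1.3.6.1.5.5.7.1.24: a SEQUENCE OF INTEGER naming
// TLS extensions the server must send. 5 = status_request, i.e. "OCSP must-staple".
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
const tlsFeatureStatusRequest = 5

// HasMustStaple reports whether cert requires a stapled OCSP response.
func HasMustStaple(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int // a malformed extension yields no features, hence false
		if _, err := asn1.Unmarshal(ext.Value, &features); err == nil {
			for _, f := range features {
				if f == tlsFeatureStatusRequest {
					return true
				}
			}
		}
	}
	return false
}

// NewSelfSignedCert builds a constructed, self-signed test certificate, with or without
// the must-staple extension (the marker acme.sh --ocsp-must-staple asks the CA for).
func NewSelfSignedCert(mustStaple bool) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if mustStaple {
		val, _ := asn1.Marshal([]int{tlsFeatureStatusRequest}) // DER 30 03 02 01 05
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// FirefoxRejects is the rule behind MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING:
// the leaf demands status_request but no OCSP response was stapled in the handshake.
func FirefoxRejects(mustStaple, stapled bool) bool { return mustStaple && !stapled }

// Probe serves cert on a loopback TLS listener (staple, if any, sent via tls.Certificate.OCSPStaple),
// runs one client handshake and reports whether the leaf demands a staple and whether one arrived.
// Go's client always offers status_request and keeps the raw staple in ConnectionState().OCSPResponse.
func Probe(cert tls.Certificate, staple []byte) (mustStaple, stapled bool, err error) {
	cert.OCSPStaple = staple
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // drive the server side, then drop the connection
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true}) // peer is our own self-signed test cert
	if err != nil {
		return false, false, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return HasMustStaple(st.PeerCertificates[0]), len(st.OCSPResponse) > 0, nil
}

func main() {
	cert, err := NewSelfSignedCert(true)
	if err != nil {
		panic(err)
	}
	for _, staple := range [][]byte{nil, []byte("constructed-placeholder-ocsp-response")} { // placeholder, not a real OCSP response
		ms, st, perr := Probe(cert, staple)
		fmt.Printf("must-staple=%v stapled=%v firefox-rejects=%v err=%v\n", ms, st, FirefoxRejects(ms, st), perr)
	}
}
```

Two caveats worth keeping in mind. crypto/tls does let a server send a pre-fetched response through tls.Certificate.OCSPStaple; what the standard library does not do is fetch and refresh that response from the CA's OCSP responder, so a server that only loads the acme.sh certificate and key never staples anything, and a must-staple leaf is then unusable for any client that enforces the extension. And the Go client above records whatever bytes the server sends without checking them, which is why the placeholder "works" here; a browser validates the staple's signature, validity window and serial, so only a genuine, current OCSP response for the leaf satisfies it. Until the server staples, the practical fix on the issuing side is the reporter's own: drop --ocsp-must-staple rather than weakening the browser setting.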
Reference
starred/AdGuardHome#3028