httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hajo Locke <Hajo.Lo...@gmx.de>
Subject [users@httpd] ssl stapling error - sectigo
Date Wed, 24 Apr 2019 14:22:44 GMT
Hello List,

Apache is 2.4.39, System is Ubuntu 18.04 and 16.04

since yesterday evening we have massive mod_ssl problems with ssl stapling:

Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
AH01941: stapling_renew_response: responder error

We had complaints about slow webpages, this forced us to deactivate
stapling on all our servers.
Affected are certificates of sectigo (previously comodo) with ocsp-url
http://ocsp.sectigo.com
I cant confirm for other providers, we use comodo/sectigo the most.

But it seems there is no basic problem on our system/network because i
can manually confirm ocsp status with openssl on affected machines:

# openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
WARNING: no nonce in response
Response verify OK
crt: good
         This Update: Apr 22 12:46:48 2019 GMT
         Next Update: Apr 26 12:46:48 2019 GMT

I try to figure out on which side problem is. We use basic sslstapling
directives in /etc/apache2/mods-enabled/ssl.conf
this is unchanged for months

SSLUseStapling On
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

Is there somebody who can confirm this behaviour and explain what happens?

Thansk,
Hajo

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message