[Case 80597] Apache OCSP stapling not working

[simonas]

Hello, i have server with SSL certs for server itself and for one Domain.
I noticed that SSL stapling is not working:

[Sat Oct 12 18:59:19.188117 2013] [ssl:error] [pid 2113] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Sat Oct 12 18:59:19.188218 2013] [ssl:error] [pid 2113] AH02235: Unable to configure server certificate for stapling

When checking httpd.conf i see:

SSLUseStapling on
SSLStaplingCache shmcb:/usr/local/apache/logs/stapling_cache_shmcb(256000)
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data_shmcb(1024000)

The SSLCACertificateFile directive, which should point to the .pem Cert file is not there.

Is it supposed to be somewhere in the includes, or is it not implemented at all?

I would like to get OCSP stapling going, because it allows the TLS server to include a recent OCSP response in the TLS handshake so that the client doesn't have to perform its own check. This also reduces load on the OCSP server.

Server version: Apache/2.4.6 (Unix)
Cpanel::Easy::Apache v3.22.6 rev9999
OpenSSL 1.0.0-fips 29 Mar 2010
CENTOS 6.4 x86_64 virtuozzo

Thanks,
Simon.

 

[simonas]

Anybody else have that problem?

I have tried adding:

SSLCACertificatePath /usr/local/apache/conf/ssl.crt/

Where the server's Crt is located, but still same errors.

Any help would be appreciated.

 

[cPanelMichael]

Hello

I recommend opening a support ticket via:

Submit A Ticket

You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[simonas]

Thanks , Michael,

Cpanel team is checking it, possible bug with 11.40. This thread will be updated when more information will be available.

 

[cPRichardA]

Hello,

The issue has been observed as a possible bug and an internal case has been filed. It is case 80597 and may be seen in the Change Log when it is addressed in the update.

Hope this helps
Thanks,

 

[dualmonitor]

Are there any updates on this cPRichardA? Should cpanel users still be seeing this? I'm still seeing it on WHM 11.40.1 (build 9) FWIW.

 

[cPanelMichael]

Are there any updates on this cPRichardA? Should cpanel users still be seeing this? I'm still seeing it on WHM 11.40.1 (build 9) FWIW.

Does the issue persist if you reinstall the SSL certificate (with CABundle) for the domain name?

Thank you.

 

[tkcent]

Do you also get the following errors:

[Tue Jan 21 13:33:09.332332 2014] [ssl:error] [pid 19166] AH01941: stapling_renew_response: responder error
[Tue Jan 21 14:05:02.151611 2014] [ssl:error] [pid 20559] (EAI 2)Name or service not known: [client xx.xx.xx.xx:34023] AH01972: could not resolve address of OCSP responder ocsp.certificateprovider.com

For some reason our server could not do a query on ocsp.certificateprovider.com. Putting a correct entry in /etc/hosts and restarting the web server temporarily solved the problem until we could figure out why our DNS was not responding correctly.