[Case 80597] Apache OCSP stapling not working

simonas

Well-Known Member
Apr 21, 2013
Lithuania
cPanel Access Level
Root Administrator
Hello, I have a server with SSL certs for the server itself and for one domain.
I noticed that SSL stapling is not working:

[Sat Oct 12 18:59:19.188117 2013] [ssl:error] [pid 2113] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Sat Oct 12 18:59:19.188218 2013] [ssl:error] [pid 2113] AH02235: Unable to configure server certificate for stapling
When checking httpd.conf I see:

SSLUseStapling on
SSLStaplingCache shmcb:/usr/local/apache/logs/stapling_cache_shmcb(256000)
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data_shmcb(1024000)
The SSLCACertificateFile directive, which should point to the .pem cert file, is not there.

Is it supposed to be somewhere in the includes, or is it not implemented at all?

I would like to get OCSP stapling going, because it allows the TLS server to include a recent OCSP response in the TLS handshake so that the client doesn't have to perform its own check. This also reduces load on the OCSP server.

Server version: Apache/2.4.6 (Unix)
Cpanel::Easy::Apache v3.22.6 rev9999
OpenSSL 1.0.0-fips 29 Mar 2010
CENTOS 6.4 x86_64 virtuozzo

Thanks,
Simon.

simonas

Well-Known Member
Apr 21, 2013
Lithuania
cPanel Access Level
Root Administrator
Anybody else have that problem?

I have tried adding:

SSLCACertificatePath /usr/local/apache/conf/ssl.crt/

which is where the server's .crt is located, but I still get the same errors.

Any help would be appreciated.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

I recommend opening a support ticket via:

Submit A Ticket

You can post the ticket number here so we can update this thread with the outcome.

Thank you.

cPRichardA

Technical Trainer
Staff member
Oct 2, 2012
Houston Texas
cPanel Access Level
Root Administrator
Hello,

The issue has been observed as a possible bug and an internal case has been filed. It is case 80597 and may be seen in the Change Log when it is addressed in the update.

Hope this helps.
Thanks,

cPanelMichael

Administrator
Staff member
Apr 11, 2011
> Are there any updates on this cPRichardA? Should cpanel users still be seeing this? I'm still seeing it on WHM 11.40.1 (build 9) FWIW.

Does the issue persist if you reinstall the SSL certificate (with CABundle) for the domain name?

Thank you.

tkcent

Registered
Jan 21, 2014
cPanel Access Level
Root Administrator
Do you also get the following errors:

[Tue Jan 21 13:33:09.332332 2014] [ssl:error] [pid 19166] AH01941: stapling_renew_response: responder error
[Tue Jan 21 14:05:02.151611 2014] [ssl:error] [pid 20559] (EAI 2)Name or service not known: [client xx.xx.xx.xx:34023] AH01972: could not resolve address of OCSP responder ocsp.certificateprovider.com

For some reason our server could not do a query on ocsp.certificateprovider.com. Putting a correct entry in /etc/hosts and restarting the web server temporarily solved the problem until we could figure out why our DNS was not responding correctly.
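A small triage script for the mod_ssl stapling errors quoted in this thread (AH02217/AH02235 in the first post, AH01941/AH01972 in the last one), added here as an example and not code from any poster or from cPanel. It parses the Apache 2.4 error-log format, groups the stapling-related records by AH code and pulls the responder hostname out of AH01972 lines; the diagnosis strings are my reading of those codes, and the core:notice line in the sample log is constructed.

```python
import re
# Apache 2.4 error-log format: [timestamp] [module:level] [pid N] <optional prefix> AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] \[pid (?P<pid>\d+)\] "
    r"(?P<prefix>.*?)(?P<code>AH\d{5}): (?P<msg>.*)$")
RESPONDER_RE = re.compile(r"OCSP responder (?P<host>\S+)")

# mod_ssl stapling codes from this thread, mapped to what each one means for the operator.
DIAGNOSIS = {
    "AH02217": "issuer certificate not found: the chain Apache was given (SSLCertificateChainFile / SSLCACertificateFile) lacks the certificate's issuer",
    "AH02235": "follows from AH02217: stapling is disabled for that server certificate",
    "AH01941": "the OCSP responder returned an error or was unreachable when the stapled response was renewed",
    "AH01972": "the OCSP responder hostname did not resolve: check the server's DNS before anything else",
}

def parse_line(line):
    """Split one error-log line into fields; returns None for lines without an AH code."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = RESPONDER_RE.search(rec["msg"])
    rec["responder"] = h.group("host") if h else None  # filled in for AH01972 lines
    return rec

def triage(lines):
    """Group stapling-related mod_ssl records by AH code, in first-seen order."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != "ssl" or rec["code"] not in DIAGNOSIS:
            continue  # other modules and unrelated ssl messages are ignored
        f = findings.setdefault(rec["code"], {"count": 0, "responders": set(), "diagnosis": DIAGNOSIS[rec["code"]]})
        f["count"] += 1
        if rec["responder"]:
            f["responders"].add(rec["responder"])
    return findings

# The four lines posted in this thread, plus one constructed non-ssl line that must be ignored.
SAMPLE_LOG = [
    "[Sat Oct 12 18:59:19.188117 2013] [ssl:error] [pid 2113] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!",
    "[Sat Oct 12 18:59:19.188218 2013] [ssl:error] [pid 2113] AH02235: Unable to configure server certificate for stapling",
    "[Sat Oct 12 18:59:20.000000 2013] [core:notice] [pid 2113] AH00094: Command line: '/usr/local/apache/bin/httpd'",
    "[Tue Jan 21 13:33:09.332332 2014] [ssl:error] [pid 19166] AH01941: stapling_renew_response: responder error",
    "[Tue Jan 21 14:05:02.151611 2014] [ssl:error] [pid 20559] (EAI 2)Name or service not known: [client xx.xx.xx.xx:34023] AH01972: could not resolve address of OCSP responder ocsp.certificateprovider.com",
]

if __name__ == "__main__":
    for code, f in triage(SAMPLE_LOG).items():
        print(f"{code} x{f['count']} responders={', '.join(sorted(f['responders'])) or '-'}: {f['diagnosis']}")
```

Run it against `/usr/local/apache/logs/error_log` (the cPanel path shown in the thread's SSLStaplingCache line) by replacing SAMPLE_LOG with the file's lines; an AH01972 finding tells you which responder hostname to test resolution for.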