[Case 80597] Apache OCSP stapling not working

Discussion in 'EasyApache' started by simonas, Oct 12, 2013.

  1. simonas

    simonas Well-Known Member

    Hello, I have a server with SSL certs for the server itself and for one domain.
    I noticed that SSL stapling is not working:

    When checking httpd.conf I see:

    The SSLCACertificateFile directive, which should point to the .pem Cert file is not there.

    Is it supposed to be somewhere in the includes, or is it not implemented at all?

    I would like to get OCSP stapling going, because it allows the TLS server to include a recent OCSP response in the TLS handshake so that the client doesn't have to perform its own check. This also reduces load on the OCSP server.

    Server version: Apache/2.4.6 (Unix)
    Cpanel::Easy::Apache v3.22.6 rev9999
    OpenSSL 1.0.0-fips 29 Mar 2010
    CENTOS 6.4 x86_64 virtuozzo

    Thanks,
    Simon.
     
    #1 simonas, Oct 12, 2013
    Last edited: Oct 12, 2013
  2. simonas

    simonas Well-Known Member

    Anybody else have that problem?

    I have tried adding:

    SSLCACertificatePath /usr/local/apache/conf/ssl.crt/

    Where the server's Crt is located, but still the same errors.

    Any help would be appreciated.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  4. simonas

    simonas Well-Known Member

    Thanks, Michael,

    The cPanel team is checking it, possible bug with 11.40. This thread will be updated when more information is available.
     
  5. cPRichardA

    cPRichardA Technical Sales Engineer
    Staff Member

    Hello,

    The issue has been observed as a possible bug and an internal case has been filed. It is case 80597 and may be seen in the Change Log when it is addressed in the update.

    Hope this helps
    Thanks,
     
  6. dualmonitor

    dualmonitor Active Member

    Are there any updates on this, cPRichardA? Should cPanel users still be seeing this? I'm still seeing it on WHM 11.40.1 (build 9) FWIW.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Does the issue persist if you reinstall the SSL certificate (with CABundle) for the domain name?

    Thank you.
     
  8. tkcent

    tkcent Registered

    Do you also get the following errors:

    [Tue Jan 21 13:33:09.332332 2014] [ssl:error] [pid 19166] AH01941: stapling_renew_response: responder error
    [Tue Jan 21 14:05:02.151611 2014] [ssl:error] [pid 20559] (EAI 2)Name or service not known: [client xx.xx.xx.xx:34023] AH01972: could not resolve address of OCSP responder ocsp.certificateprovider.com

    For some reason our server could not do a query on ocsp.certificateprovider.com. Putting a correct entry in /etc/hosts and restarting the web server temporarily solved the problem until we could figure out why our DNS was not responding correctly.
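
Added example (not part of any post in this thread and not cPanel's code): a small Python triage script for the two mod_ssl errors quoted in the last post. It counts `ssl` error-log lines by AH code and re-checks whether each named OCSP responder resolves through the local resolver; the log sample, the hostname `ocsp.example.test`, the client address and the function names are constructed for illustration.

```python
import re
import socket
from collections import Counter

# Constructed sample in the Apache 2.4 error-log format quoted in the thread.
SAMPLE_LOG = """\
[Tue Jan 21 13:33:09.332332 2014] [ssl:error] [pid 19166] AH01941: stapling_renew_response: responder error
[Tue Jan 21 14:05:02.151611 2014] [ssl:error] [pid 20559] (EAI 2)Name or service not known: [client 192.0.2.10:34023] AH01972: could not resolve address of OCSP responder ocsp.example.test
[Tue Jan 21 14:05:03.000001 2014] [core:notice] [pid 20559] AH00094: Command line: '/usr/local/apache/bin/httpd'
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:(?P<level>\w+)\] \[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r".*?(?P<code>AH\d{5}): (?P<msg>.*)$"
)
RESPONDER_RE = re.compile(r"OCSP responder (?P<host>[A-Za-z0-9.-]+)")


def system_resolves(host):
    """True if the local resolver (DNS or /etc/hosts) returns an address."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except socket.gaierror:
        return False


def triage(log_text, resolves=system_resolves):
    """Count mod_ssl lines by AH code and re-test each named OCSP responder."""
    codes = Counter()
    responders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a mod_ssl line (other module, or malformed)
        codes[m["code"]] += 1
        r = RESPONDER_RE.search(m["msg"])
        if r and r["host"] not in responders:
            responders[r["host"]] = resolves(r["host"])
    return dict(codes), responders


if __name__ == "__main__":
    codes, responders = triage(SAMPLE_LOG)
    for code, n in sorted(codes.items()):
        print(f"{code}: {n} line(s)")
    for host, ok in responders.items():
        print(f"{host}: {'resolves now' if ok else 'does NOT resolve'}")
```

A responder that appears under AH01972 but resolves when the script runs points to an intermittent resolver problem rather than a wrong hostname in the certificate.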
     