Hi all!
Writing this to be sure this issue really is addressed, and that there might be light at the end of the tunnel.
First off, using latest everything, whm/cpanel, kernel, all.
Also, I have read all the posts here on the forum about people having the same issue, and all the workaround solutions, which are bad.
So, base of the problem:
Code:
[Thu Jan 30 11:07:00.925036 2020] [ssl:error] [pid 1336702:tid 47358379804416] (70007)The timeout specified has expired: [client 109.xxx.xx.xx:3838] AH01985: error reading response from OCSP server
[Thu Jan 30 11:07:00.925099 2020] [ssl:error] [pid 1336702:tid 47358379804416] AH01941: stapling_renew_response: responder error
Now, many of you see this every day. Some of you have done: "SSLUseStapling off" and some of you might have increased the: "SSLStaplingResponderTimeout" and some of you have this issue, but don't even know about it.
I have done them too. I currently just have Stapling turned off, because increasing the timeout makes the darn handshake take like 6-11 seconds, and what's up with that?!?
What I need to know, a) is this issue actually addressed with Comodo / Sectigo, and are they actually doing something? OR b) would it be just better to go with Let's Encrypt?
The fact is, and I have several servers with Let's Encrypt, there is no OCSP Responder problem with any of those.
I do NOT want to keep Stapling off and just forget about it. Working Stapling makes the handshake so much faster. So, where are we on this?
p.s. this is from my server where Comodo / Sectigo SSL is used:
Code:
openssl s_client -connect xxxxxxxxx.com:443 -status -servername xxxxxxxxx.com
*snip*
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
*snip*
Cert Status: good
So, as far as I see this, it's just a matter of slow responses from OCSP server(s). If I'm wrong, educate me please.
Thanks,
- Wallu
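To tell whether the stapling failures in a log like the one above are really responder timeouts (APR status 70007) rather than some other responder error, and how often they recur, a small parser over the Apache error_log is handy. This is an added example, not code from the post or from cPanel/Apache; the log format is the one quoted in the post, and the sample lines beyond the two quoted ones are constructed.

```python
import re
from collections import Counter
from datetime import datetime
# Shape of the mod_ssl error_log lines quoted in the post (event/worker MPM).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:(?P<level>\w+)\] \[pid (?P<pid>\d+):tid \d+\] "
    r"(?:\((?P<apr>\d+)\)(?P<apr_msg>[^:]+): )?"   # optional APR status, e.g. (70007)
    r"(?:\[client (?P<client>[^\]]+)\] )?"          # present only on some lines
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# mod_ssl message ids that mark a failed OCSP stapling refresh (from the post).
STAPLING_CODES = {"AH01985", "AH01941"}
APR_TIMEDOUT = "70007"  # APR_TIMEUP: the responder did not answer in time

def parse_line(line):
    """Return the parsed fields of one error_log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return rec

def stapling_summary(lines):
    """Count stapling failures, how many were responder timeouts, and spread per hour."""
    summary = {"total": 0, "timeouts": 0, "per_code": Counter(), "per_hour": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] not in STAPLING_CODES:
            continue
        summary["total"] += 1
        summary["per_code"][rec["code"]] += 1
        summary["per_hour"][rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
        if rec["apr"] == APR_TIMEDOUT:
            summary["timeouts"] += 1
    return summary

# Constructed sample: the two lines from the post plus two made-up neighbours.
SAMPLE_LOG = [
    "[Thu Jan 30 11:07:00.925036 2020] [ssl:error] [pid 1336702:tid 47358379804416] (70007)The timeout specified has expired: [client 109.xxx.xx.xx:3838] AH01985: error reading response from OCSP server",
    "[Thu Jan 30 11:07:00.925099 2020] [ssl:error] [pid 1336702:tid 47358379804416] AH01941: stapling_renew_response: responder error",
    "[Thu Jan 30 12:15:02.000001 2020] [ssl:error] [pid 1336702:tid 47358379804417] (70007)The timeout specified has expired: [client 198.51.100.7:51000] AH01985: error reading response from OCSP server",
    "[Thu Jan 30 12:15:02.000100 2020] [ssl:warn] [pid 1336702:tid 47358379804417] AH01909: example.com:443:0 server certificate does NOT include an ID which matches the server name",
]

if __name__ == "__main__":
    s = stapling_summary(SAMPLE_LOG)
    print(f"{s['total']} stapling failures, {s['timeouts']} of them responder timeouts")
```

Run it against the real error_log (one line per list element) to see whether failures cluster at certain hours, which is the evidence to bring to the CA, as opposed to a steady trickle that a longer SSLStaplingResponderTimeout would only paper over.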