SSL stapling issue

Discussion in 'General Discussion' started by postcd, Sep 23, 2015.

  1. postcd

    Hello,

    I would like to ask for help with this.

    I'm hosting an https:// website on a WHM server and recently I installed an SSL certificate from a CA based in China. Someone advised that people enable "SSL stapling" on servers in order to cache SSL so it does not need to connect to China and possibly time out (that is how I understood it), but I did nothing.

    Today I received this error several times in Firefox, and the page failed to load:
    "sec_error_ocsp_try_server_later"

    I wanted to ask how to disable/enable this SSL stapling on a WHM server, please? Is it enabled or disabled by default, and which state would prevent the above error/issue? Can I check the stapling status on the server?

    PHP Version 5.4.42
    OpenSSL 1.0.1e-fips 11 Feb 2013
    WHM 11.50

    If I have Apache 2.2, I assume per this Apache page that I won't be able to use stapling, resulting in these OCSP errors (using Firefox 40.0.3)?


    Here is a tutorial where he advises adding this line: "SSLUseStapling off"
    to an Apache include file. I added that line to the pre-VirtualHost include and httpd failed to start with this error:
    Invalid command 'SSLUseStapling'
     
    #1 postcd, Sep 23, 2015
    Last edited: Sep 23, 2015
  2. 24x7server

    Hello,

    I think SSLUseStapling is enabled on your server through the httpd.conf file. Can you please check your main httpd.conf file and try to disable SSLUseStapling?
     
  3. postcd

    Yes, it appears it is enabled:

    # grep SSLUseStapling /etc/httpd/conf/httpd.conf
    SSLUseStapling on

    Server version: Apache/2.4.12 (Unix)

    But how should disabling it help, and why?
     
  4. cPanelMichael

    Hello :)

    It's possible the CA being served by the server is not matching during the OCSP step with the browser. You may want to check with the issuing authority of the certificate, to determine if updated CA Bundles are available. If they are, then re-installing the certificate on the domain may help alleviate this without having to resort to disabling the SSL Use Stapling function. You may also want to temporarily disable your server's firewall as one of the IP addresses for the CA might be getting blocked by the firewall.

    Thank you.
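
On the question in the thread of how to check the stapling status: the script below is an added example, not code from any poster or from cPanel. It classifies the output of `openssl s_client -status`, including the OCSP "try later" response status that Firefox surfaces as sec_error_ocsp_try_server_later. The function name, verdict words, host name and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OCSP stapling from `openssl s_client -status` output.
# Live usage (example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#     -status </dev/null 2>/dev/null | classify_stapling

classify_stapling() {
    # Reads s_client output on stdin and prints one verdict word.
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "not-stapled"        # server sent no stapled response at all
        return 0
    fi
    # Status of the stapled OCSP response itself (successful, trylater, ...).
    status=$(printf '%s\n' "$out" |
        sed -n 's/^ *OCSP Response Status: *\([A-Za-z]*\).*/\1/p' |
        head -n 1 | tr 'A-Z' 'a-z')
    # Status of the certificate inside a successful response (good, revoked).
    cert=$(printf '%s\n' "$out" |
        sed -n 's/^ *Cert Status: *\([A-Za-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        successful) echo "stapled-${cert:-unknown}" ;;
        trylater)   echo "stapled-trylater" ;;   # responder failure passed on
        "")         echo "no-ocsp-section" ;;    # -status missing or handshake failed
        *)          echo "stapled-error-$status" ;;
    esac
}

# Constructed sample outputs, trimmed to the lines the function reads.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
---'
SAMPLE_TRYLATER='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
---'

for s in "$SAMPLE_NONE" "$SAMPLE_GOOD" "$SAMPLE_TRYLATER"; do
    printf '%s\n' "$s" | classify_stapling
done
```
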