Hello, thanks to Tom, who informed me offlist about this. It seems that problem was triggered by some kind of maintenance. https://sectigo.status.io/pages/history/5938a0dbef3e6af26b001921# Currently it is working again for us. Such unexpected problems with ocsp-urls are really annying for visitors and admins, only possibility is to deactivate ssl-stapling. We had really slow webpages and also complete page load errors. Is it possible to change the way the validation-process is included into request-process? delivery speed of website should not be affected by ocsp problems. Tom an I would be happy to have a fix in this case ;) Thanks, Hajo Am 25.04.2019 um 11:43 schrieb Hajo Locke:
Hello, Am 25.04.2019 um 09:51 schrieb Stefan Eissing:Am 24.04.2019 um 16:22 schrieb Hajo Locke <Hajo.Locke@xxxxxx>: Hello List, Apache is 2.4.39, System is Ubuntu 18.04 and 16.04 since yesterday evening we have massive mod_ssl problems with ssl stapling: Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094] AH01941: stapling_renew_response: responder error We had complaints about slow webpages, this forced us to deactivate stapling on all our servers.Sorry to hear that.Affected are certificates of sectigo (previously comodo) with ocsp-url http://ocsp.sectigo.com I cant confirm for other providers, we use comodo/sectigo the most. But it seems there is no basic problem on our system/network because i can manually confirm ocsp status with openssl on affected machines: # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com WARNING: no nonce in response Response verify OK crt: good This Update: Apr 22 12:46:48 2019 GMT Next Update: Apr 26 12:46:48 2019 GMT I try to figure out on which side problem is. We use basic sslstapling directives in /etc/apache2/mods-enabled/ssl.conf this is unchanged for months SSLUseStapling On SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000) SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off Is there somebody who can confirm this behaviour and explain what happens?AFIK, there have been no (intentional) changes regarding OCSP stapling in recent versions. Are you doing the openssl test on the same machine that the affected servers run?Yes, same server. Apachelog produces the stapling errors, manually confirmation with openssl works. Today it seems the problems are over, but we are afraid of reenabling it. Main problem vor websiteowner/visitors is a significat noticable delay when requesting a site. I think the ocsp stapling process is included in requestprocess and lags the whole process if ocsp url is not acting like expected. Unfortunately i have no technical contact at sectigo who could reestablish my trust into ssl-stapling.- Stefan --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxxThanks, Hajo --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|