OCSP Stapling error

wanah

Well-Known Member
#1
Hello,

After upgrading to LS 5.1 I've tried to enable OCSP Stapling on one of our cPanel servers.

To do this I've added /usr/local/apache/conf/userdata/ssl/enable_stapling.conf that contains
SSLUseStapling on

And I've added to
/usr/local/apache/conf/includes/pre_main_global.conf :

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

However, when I restart LiteSpeed I get:

[ERROR] [SSL] OCSP Stapling can't be enabled [Failed to get responder!].

I guess I'm missing something; maybe a specific outgoing port needs to be opened or another configuration option needs to be set?
 

wanah

Well-Known Member
#3
Hi, Wanah,

How did you set the OCSP Responder?
If you don't add the OCSP support through httpd conf file but from WebAdmin, does it work as expected?

Maybe you can refer to this wiki to see whether there is anything missing.
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:ocsp-stapling
Your wiki doesn't explain how to do this via httpd.conf. This is a production cPanel server, I'm not sure about playing with the webadmin for this as I don't want to take risks for production websites.

How am I supposed to set up the OCSP Responder?

Reading your wiki about setting it up with the LS web admin, it seems that I have to manually configure the OCSP Responder URL. If this is the case, then I presume it's not compatible with shared hosting, as on shared hosting customers can install certs from all registrars, so unless the responder URL detection is automatic I don't see how this can be made to work.

None of the tutorials I've found for Apache mention having to set up a responder; they just say to add:

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

before the vhosts and

SSLUseStapling on

inside the vhosts.

Because of this I presumed it was compatible with shared hosting.

Regards,

Richard Hordern
 

wanah

Well-Known Member
#5
It says:
This option sets the default OCSP responder to use. If SSLOCSPOverrideResponder is not enabled, the URI given will be used only if no responder URI is specified in the certificate being verified.

So I presume this means OCSP should work for any certs that have a URL in the certificate.

Does LiteSpeed automatically check the certificates for responder URLs like Apache does?
The error I got seemed to indicate that LiteSpeed disabled Stapling globally; however, each vhost could have a URI, so Stapling should only be disabled for vhosts that don't have a valid URI in their certificate.
 

wanah

Well-Known Member
#6
I've just tested the certificate I was testing OCSP on and it contains:
Code:
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
 

mistwang

LiteSpeed Staff
#8
If the certificate has an OCSP URI, then the server will use it automatically; if not, it will use the default URL.
Looks like the server cannot locate the OCSP URI from the certificate.
Do you know which certificate? Have you verified it manually?
https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html

If it can be manually verified, please send us the certification and CA chain file, we will do more testing.
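Added example (not from this thread or from LiteSpeed): the manual check the staff reply asks for, as shell functions. It extracts the OCSP responder URI from the certificate's Authority Information Access extension (the value LiteSpeed is supposed to pick up automatically) and then queries that responder with openssl; the fixture CA, leaf certificate and the responder host ocsp.example.test are constructed here and hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is installed.
set -eu

# Print the OCSP responder URI embedded in a PEM certificate (empty if none).
# An empty result here is the likely cause of "Failed to get responder!".
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Manually query the responder for one certificate, as the linked article does.
# Usage: ocsp_check leaf.pem issuer.pem   (issuer = the CA that signed the leaf)
# The response signature is verified against the issuer, not skipped.
ocsp_check() {
    uri=$(ocsp_uri "$1")
    [ -n "$uri" ] || { echo "no OCSP URI in $1" >&2; return 1; }
    openssl ocsp -issuer "$2" -cert "$1" -url "$uri" -CAfile "$2" -resp_text
}

# Constructed fixture: a throwaway CA and a leaf whose AIA extension points at
# a placeholder responder (hypothetical host, never contacted by the test).
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/CN=Test CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" -days 1 2>/dev/null
}
```

On a real server, run `ocsp_uri` against the vhost's certificate file and `ocsp_check` with its CA bundle; a certificate without a URI, or a responder that is unreachable from the server, explains why stapling cannot be enabled for it.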
 