Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:ocsp-stapling [2020/07/14 18:15] Jackson Zhang [For cPanel]
litespeed_wiki:config:ocsp-stapling [2023/02/09 19:42] Jackson Zhang
Line 22: | Line 22: | ||
==== For cPanel ==== | ==== For cPanel ==== | ||
+ | === OCSP enabled by default on latest WHM/cPanel === | ||
The latest cpanel/WHM server has enable OCSP automatically at /etc/apache2/conf/httpd.conf hence you don't need to do any extra work on it. | The latest cpanel/WHM server has enable OCSP automatically at /etc/apache2/conf/httpd.conf hence you don't need to do any extra work on it. | ||
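Review bot: "has enable OCSP automatically" in the unchanged line should read "has OCSP enabled automatically", and "cpanel" should be spelled "cPanel" as in the heading. Since this line tells the reader no extra work is needed, it would help to say how to confirm that on a given server, for example by checking that the `SSLUseStapling on` directive named later in this section is actually present in /etc/apache2/conf/httpd.conf.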
Line 36: | Line 36: | ||
</IfModule> | </IfModule> | ||
+ | === Earlier version of cPanel/WHM === | ||
For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration. | For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration. | ||
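Review bot: the bold span `**SSLStaplingCache **` carries a trailing space inside the markup, which renders with a stray gap; write `**SSLStaplingCache**` to match `**SSLUseStapling on**`. Minor wording: the new heading and sentence read better as "Earlier versions of cPanel/WHM" and "to the Apache configuration".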
Line 63: | Line 64: | ||
Apply these changes to all Virtual Hosts by running the following command: | Apply these changes to all Virtual Hosts by running the following command: | ||
/scripts/ensure_vhost_includes --all-users | /scripts/ensure_vhost_includes --all-users | ||
- | | + | |
+ | ==== For Plesk ==== | ||
+ | Plesk server has not enabled OCSP by default yet and still [[https://support.plesk.com/hc/en-us/articles/360033765213-How-to-enable-OCSP-Stapling-and-HSTS-for-Plesk-panel-|feature request]] stage at the time of this writing. | ||
+ | |||
+ | As a workaround, create a file named ''lsocsp.conf'' in the following directory depending upon your system: | ||
+ | * For CentOS, the ''/etc/httpd/conf.d/'' directory | ||
+ | * For Debian, the ''/etc/apache2/conf.d/'' directory | ||
+ | * For Ubuntu, Debian 11, the ''/etc/apache2/conf-enabled'' directory | ||
+ | |||
+ | This ''lsocsp.conf'' file should contain the following: | ||
+ | |||
+ | <code> | ||
+ | <IfModule Litespeed> | ||
+ | SSLStaplingCache shmcb:/var/run/ocsp(128000) | ||
+ | SSLUseStapling on | ||
+ | </IfModule> | ||
+ | </code> | ||
+ | |||
+ | Then restart LSWS. | ||
===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== | ||
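Review bot: the directory list in the new Plesk section names Debian twice with different answers ("For Debian, the /etc/apache2/conf.d/ directory" and "For Ubuntu, Debian 11, the /etc/apache2/conf-enabled directory"), so a reader on Debian cannot tell which line applies; state which Debian releases use conf.d (presumably those before 11) and which use conf-enabled. The intro sentence also needs "is still at the feature request stage". Since the `<IfModule Litespeed>` block repeats the same `SSLStaplingCache` and `SSLUseStapling on` directives used for cPanel, "Then restart LSWS" could point the reader to the "Did it work?" section to verify that the stapled response is actually being served.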
Line 98: | Line 117: | ||
===== Did it work? ===== | ===== Did it work? ===== | ||
====Method 1:==== | ====Method 1:==== | ||
- | Check in ''$SERVER_ROOT/tmp/ocspcache/''. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. | + | Check in ''/dev/shm/lsws/ocspcache/'' for newer version or ''$SERVER_ROOT/tmp/ocspcache/'' for earlier version. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. |
+ | |||
+ | /dev/shm/lsws/ocspcache>ls -alt | head; date | ||
+ | total 44 | ||
+ | drwxr-x--- 4 nobody nobody 400 Jul 13 05:16 .. | ||
+ | drwx------ 2 nobody nobody 260 Jul 13 00:07 . | ||
+ | -rw------- 1 nobody nobody 472 Jul 13 00:07 Reacb027c3975b5e2d620bbb279008dad.rsp | ||
+ | -rw------- 1 nobody nobody 472 Jul 12 11:20 R46e10f27f45529e132faf1c78ff62725.rsp | ||
+ | -rw------- 1 nobody nobody 471 Jul 10 18:02 Re3a1d7181c38b68e517f80cbf4bd4e4e.rsp | ||
+ | -rw------- 1 nobody nobody 471 Jul 10 15:14 R053b55e8211ae3d02580bdd50b5b00b8.rsp | ||
+ | -rw------- 1 nobody nobody 471 Jul 10 14:09 Rf06839ee82080282fda44cd5633b3538.rsp | ||
+ | -rw------- 1 nobody nobody 471 Jul 10 13:33 Raf1ac6061835bfb1b4df9313b3b8e234.rsp | ||
+ | -rw------- 1 nobody nobody 472 Jul 8 14:58 R53fb6a7fcc1d8fd11c10a5b6c4ad15fc.rsp | ||
+ | Mon Jul 13 06:12:33 UTC 2020 | ||
====Method 2:==== | ====Method 2:==== | ||
Use the ''openssl'' command: | Use the ''openssl'' command: | ||
- | openssl s_client -connect $Your_Domain:443 -status | + | openssl s_client -connect Your_Domain:443 -status | grep "OCSP Response Status" |
If OCSP stapling is working, it will show ''ok''. Then check OCSP Response Status: should be ''successful'' in OCSP Response Data section\\ | If OCSP stapling is working, it will show ''ok''. Then check OCSP Response Status: should be ''successful'' in OCSP Response Data section\\ | ||
- | {{:litespeed_wiki:config:ocsp-2.png?600|}} \\ | ||
+ | For example: | ||
+ | openssl s_client -connect litespeedtech.com:443 -status | grep "OCSP Response Status" | ||
+ | depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 | ||
+ | verify return:1 | ||
+ | depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 | ||
+ | verify return:1 | ||
+ | depth=0 CN = *.litespeedtech.com | ||
+ | verify return:1 | ||
+ | OCSP Response Status: successful (0x0) | ||
==== Method 3:==== | ==== Method 3:==== | ||
- | - Open browser with URL ''https://cryptoreport.rapidssl.com'' | + | - access https://www.ssllabs.com/ssltest/index.html |
- | - key in your domain then check **OCSP stapling** status | + | - then search for "OCSP stapling". |
+ | |||
+ | For example, | ||
+ | https://www.ssllabs.com/ssltest/analyze.html?d=litespeedtech.com | ||
+ | OCSP stapling Yes | ||
===== Cached OCSP response ===== | ===== Cached OCSP response ===== | ||
OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. | OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. |
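Review bot: the new Method 2 command `openssl s_client -connect Your_Domain:443 -status | grep "OCSP Response Status"` will sit waiting on stdin after the handshake unless stdin is closed, so append `< /dev/null`; on a host serving several certificates, add `-servername Your_Domain` so the server picks the certificate (and therefore the stapled response) for that name via SNI. Once the output is piped through grep, the `ok` and the "OCSP Response Data section" that the following sentence tells the reader to look for are filtered out (the `depth=` and `verify return:1` lines in the litespeedtech.com example survive only because openssl writes them to stderr, not through the pipe), so either drop the grep or reword the sentence to say that the one expected line is `OCSP Response Status: successful (0x0)`, and that an empty result means no stapled response was sent. Small wording fixes in the same hunk: "for newer versions" / "for earlier versions" in Method 1, and "cached for 1 day" rather than "1-day" in the last paragraph.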