Differences

This shows you the differences between two versions of the page.

litespeed_wiki:config:ocsp-stapling [2017/12/11 20:32]
Eric Leu [Method 1:]
litespeed_wiki:config:ocsp-stapling [2020/07/14 18:57] (current)
Jackson Zhang [For Plesk]
Line 22: Line 22:
  
 ==== For cPanel ==== ==== For cPanel ====
 +=== OCSP enabled by default on latest WHM/cPanel ===
 +The latest cpanel/WHM server has enable OCSP automatically at /​etc/​apache2/​conf/​httpd.conf hence you don't need to do any extra work on it.
  
 +    <​IfModule socache_shmcb_module>​
 +        SSLUseStapling On
 +        SSLStaplingCache shmcb:/​run/​apache2/​stapling_cache_shmcb(256000)
 +        # Prevent browsers from failing if an OCSP server is temporarily broken.
 +        SSLStaplingReturnResponderErrors off
 +        SSLStaplingErrorCacheTimeout 60
 +        SSLStaplingFakeTryLater off
 +        SSLStaplingResponderTimeout 3
 +        SSLSessionCache shmcb:/​run/​apache2/​ssl_gcache_data_shmcb(1024000)
 +    </​IfModule>​
 +
 +=== Earlier version of cPanel/WHM ===
 +For an earlier version of cPanel/WHM, you can manually add **SSLStaplingCache ** and **SSLUseStapling on** directives to apache configuration.
 + 
 Add the following lines to: Add the following lines to:
   - For EA3: ''/​usr/​local/​apache/​conf/​includes/​pre_main_global.conf''​   - For EA3: ''/​usr/​local/​apache/​conf/​includes/​pre_main_global.conf''​
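Review bot: the `<IfModule socache_shmcb_module>` guard around the new cPanel snippet means the whole block, including `SSLUseStapling On`, is silently skipped when mod_socache_shmcb is not loaded, so the claim that "you don't need to do any extra work" needs a verification step: tell the reader to confirm the directives are actually present in /etc/apache2/conf/httpd.conf and then run the checks in the "Did it work?" section. Please also state which WHM/cPanel (EasyApache) version "latest" refers to, and fix "has enable OCSP automatically" to "has enabled OCSP automatically" and "cpanel" to "cPanel". The inline comment on `SSLStaplingReturnResponderErrors off` is helpful; a matching one on `SSLStaplingFakeTryLater off` would make clear that these two settings together decide whether a broken responder is reported to clients or simply results in no stapled response.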
Line 48: Line 64:
 Apply these changes to all Virtual Hosts by running the following command: Apply these changes to all Virtual Hosts by running the following command:
   /​scripts/​ensure_vhost_includes --all-users  ​   /​scripts/​ensure_vhost_includes --all-users  ​
-  ​+ 
 +==== For Plesk ==== 
 +Plesk server has not enabled OCSP by default yet and still [[https://​support.plesk.com/​hc/​en-us/​articles/​360033765213-How-to-enable-OCSP-Stapling-and-HSTS-for-Plesk-panel-|feature request]] stage at the time of this writing.  
 + 
 +As a workaround, create a file named ''​lsocsp.conf''​ in the following directory depending upon your system: 
 +  * For CentOS, the ''/​etc/​httpd/​conf.d/''​ directory 
 +  * For Debian, the ''/​etc/​apache2/​conf.d/''​ directory 
 +  * For Ubuntu, the ''/​etc/​apache2/​conf-enabled''​ directory 
 + 
 +This ''​lsocsp.conf''​ file should contain the following:​ 
 + 
 +<​code>​ 
 +  <​IfModule Litespeed>​ 
 +    SSLStaplingCache shmcb:/​var/​run/​ocsp(128000) 
 +    SSLUseStapling on 
 +  </​IfModule>​ 
 +</​code>​ 
 + 
 +Then restart LSWS.
 ===== Setup through LSWS native configuration for 4.2.x or 5.0.x ===== ===== Setup through LSWS native configuration for 4.2.x or 5.0.x =====
  
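Review bot: the directory list for the Plesk workaround gives `/etc/apache2/conf.d/` for Debian but `/etc/apache2/conf-enabled` for Ubuntu, although both share the same Apache packaging; please confirm both paths against a current Plesk install or state which Apache/Plesk version each applies to, otherwise a reader using the wrong path ends up with a file that is never read and no stapling. The text should also say that the directives only take effect after the "Then restart LSWS" step and point to the "Did it work?" checks afterwards, so the reader can tell the workaround actually applied. Minor grammar: "Plesk server has not enabled OCSP by default yet and still feature request stage" reads better as "Plesk has not enabled OCSP stapling by default yet; it is still at the feature-request stage".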
Line 83: Line 117:
 ===== Did it work? ===== ===== Did it work? =====
 ====Method 1:==== ====Method 1:====
-Check in ''​$SERVER_ROOT/​tmp/​ocspcache/''​. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong.+Check in ''/​dev/​shm/​lsws/​ocspcache/''​ for newer version or ''​$SERVER_ROOT/​tmp/​ocspcache/'' ​for earlier version. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong. 
 + 
 +  /​dev/​shm/​lsws/​ocspcache>​ls -alt | head; date 
 +  total 44 
 +  drwxr-x--- 4 nobody nobody 400 Jul 13 05:16 .. 
 +  drwx------ 2 nobody nobody 260 Jul 13 00:07 . 
 +  -rw------- 1 nobody nobody 472 Jul 13 00:07 Reacb027c3975b5e2d620bbb279008dad.rsp 
 +  -rw------- 1 nobody nobody 472 Jul 12 11:20 R46e10f27f45529e132faf1c78ff62725.rsp 
 +  -rw------- 1 nobody nobody 471 Jul 10 18:02 Re3a1d7181c38b68e517f80cbf4bd4e4e.rsp 
 +  -rw------- 1 nobody nobody 471 Jul 10 15:14 R053b55e8211ae3d02580bdd50b5b00b8.rsp 
 +  -rw------- 1 nobody nobody 471 Jul 10 14:09 Rf06839ee82080282fda44cd5633b3538.rsp 
 +  -rw------- 1 nobody nobody 471 Jul 10 13:33 Raf1ac6061835bfb1b4df9313b3b8e234.rsp 
 +  -rw------- 1 nobody nobody 472 Jul  8 14:58 R53fb6a7fcc1d8fd11c10a5b6c4ad15fc.rsp 
 +  Mon Jul 13 06:12:33 UTC 2020
  
 ====Method 2:==== ====Method 2:====
 Use the ''​openssl''​ command:  ​ Use the ''​openssl''​ command:  ​
-  openssl s_client -connect ​$Your_Domain:​443 -status+  openssl s_client -connect Your_Domain:​443 -status ​| grep "OCSP Response Status"​
 If OCSP stapling is working, it will show ''​ok''​. Then check OCSP Response Status: should be ''​successful''​ in OCSP Response Data section\\  ​ If OCSP stapling is working, it will show ''​ok''​. Then check OCSP Response Status: should be ''​successful''​ in OCSP Response Data section\\  ​
-{{:​litespeed_wiki:​config:​ocsp-2.png?​600|}} \\ 
  
 +For example:
 +  openssl s_client -connect litespeedtech.com:​443 -status | grep "OCSP Response Status"​
 +  depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
 +  verify return:1
 +  depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 +  verify return:1
 +  depth=0 CN = *.litespeedtech.com
 +  verify return:1
 +      OCSP Response Status: successful (0x0)
  
 ==== Method 3:==== ==== Method 3:====
-  - Open browser with URL ''​https://cryptoreport.rapidssl.com''​ +  - access ​https://www.ssllabs.com/​ssltest/​index.html 
-  - key in your domain ​then check **OCSP stapling** status+  - then search for "OCSP stapling"​. 
 +  
 +For example, ​  
 +  https://​www.ssllabs.com/​ssltest/​analyze.html?​d=litespeedtech.com 
 +  ​OCSP stapling ​  Yes
  
 ===== Cached OCSP response ===== ===== Cached OCSP response =====
  
 OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. ​ OCSP response is cached for 1-day. If you change your SSL certificate provider and see a cached OCSP response for a domain, you can safely remove the cache files under OCSP cache folder, but not the folder itself. ​
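Review bot: the new Method 2 command pipes `openssl s_client` through `grep "OCSP Response Status"`, but the unchanged sentence after it still tells the reader to look for ''ok'' and the OCSP Response Data section, neither of which survives the grep; either drop the grep or rewrite that sentence to say that the only expected line is `OCSP Response Status: successful (0x0)` and that an empty result means no OCSP response was stapled. The `depth=`/`verify return:` lines in the example output are written to stderr, which is why they still appear despite the grep; a short note on that avoids confusion. In Method 1, "newer version" and "earlier version" should name the LSWS version at which the cache moved to `/dev/shm/lsws/ocspcache/`, and the listing could mention that the file timestamps show when each response was last refreshed, which ties in with the 1-day cache note in the next section.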
  • Admin
  • Last modified: 2017/12/11 20:32
  • by Eric Leu