Topic: Failing LetsEncrypt OCSP staple blocks httpd server
PhxChris



Joined: 03 Mar 2014
Posts: 2
Location: US, Phoenix

PostPosted: Mon 04 Mar '19 22:28    Post subject: Failing LetsEncrypt OCSP staple blocks httpd server

As has been noted, Apache's OCSP stapling is not the most robust. I've posted this issue to both Apache (bug 63231) and LetsEncrypt. Wanted to run it by here in case anyone has any suggestions.

Have an Apache web server running at an IBM Softlayer server farm in Dallas. Every so often, the Apache httpd child process restarts (as it should) then stops responding to all page requests when it cannot access OCSP stapling.

The latest was this morning (all times MST) between 2:31 am and 3:01 am. Here's a sample from the log file...

[Mon Mar 04 02:31:15.367980 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18324
[Mon Mar 04 02:31:32.649236 2019] [mpm_winnt:notice] [pid 18324:tid 3236] AH00354: Child: Starting 1024 worker threads.
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : [client 207.46.13.24:5884] AH01977: failed reading line from OCSP server
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] [client 207.46.13.24:5884] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] AH01941: stapling_renew_response: responder error

The 3 [ssl:error] lines keep repeating over and over (I have over 40 sites hosted on my server including lodesys.com and k12irc.org).

Apache is restarted automatically every 5 minutes when not responding. The errors persisted until 3:01 am when the OCSP server appears to have started responding again and no more problems.

Here's my Apache config lines...

SSLUseStapling on
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off

SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(128000)"
SSLStaplingStandardCacheTimeout 86400

SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300


This issue has happened intermittently over the last week or two. I am looking at the option of just turning off SSLUseStapling as I need the sites up and running 24/7.

Any ideas would be appreciated.
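The three mod_ssl error codes in the post (AH01977, AH01980, AH01941) are the signature of an unreachable OCSP responder during stapling_renew_response. The following parser is an added example, not code from the post or from the Apache project: it reads Apache 2.4 error-log lines in the default format, picks out those codes and the mpm_winnt child-start notice (AH00418), and reports how many failures occurred, how long the outage window lasted and how many child restarts happened during it. The sample log embeds the five lines from the post plus two constructed lines (a later child start and a last responder error at 03:01) to model the end of the outage; the field names in the returned dictionary are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.4 error-log layout with the default ErrorLogFormat:
# [timestamp] [module:level] [pid N:tid M] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
AH_CODE_RE = re.compile(r"\b(AH\d{5})\b")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

# mod_ssl codes logged when the OCSP responder does not answer (taken from the post's log)
OCSP_CODES = {"AH01977", "AH01980", "AH01941"}
CHILD_STARTED = "AH00418"  # mpm_winnt: Parent created a new child process


def parse_line(line):
    """Split one error-log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    code = AH_CODE_RE.search(rec["msg"])
    rec["code"] = code.group(1) if code else None
    return rec


def summarize(lines):
    """Count OCSP stapling failures and child starts, and measure the failure window."""
    per_code = Counter()
    first = last = None
    child_starts = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] == CHILD_STARTED:
            child_starts += 1
        elif rec["module"] == "ssl" and rec["code"] in OCSP_CODES:
            per_code[rec["code"]] += 1
            first = rec["ts"] if first is None else min(first, rec["ts"])
            last = rec["ts"] if last is None else max(last, rec["ts"])
    outage = (last - first).total_seconds() if first and last else 0.0
    return {
        "ocsp_errors": sum(per_code.values()),
        "per_code": dict(per_code),
        "first_failure": first,
        "last_failure": last,
        "outage_seconds": outage,
        "child_starts": child_starts,
    }


# Constructed sample: the five lines quoted in the post, followed by two constructed lines
# (a child restart by the watchdog and the final responder error before recovery).
SAMPLE_LOG = """
[Mon Mar 04 02:31:15.367980 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18324
[Mon Mar 04 02:31:32.649236 2019] [mpm_winnt:notice] [pid 18324:tid 3236] AH00354: Child: Starting 1024 worker threads.
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : [client 207.46.13.24:5884] AH01977: failed reading line from OCSP server
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] [client 207.46.13.24:5884] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] AH01941: stapling_renew_response: responder error
[Mon Mar 04 02:36:40.112233 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 19001
[Mon Mar 04 03:01:02.000000 2019] [ssl:error] [pid 19001:tid 1200] AH01941: stapling_renew_response: responder error
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"OCSP stapling errors: {report['ocsp_errors']} {report['per_code']}")
    print(f"Window: {report['first_failure']} .. {report['last_failure']} "
          f"({report['outage_seconds']:.0f} s), child starts: {report['child_starts']}")
```

Running this over a real error log gives a per-code count and a failure window that can be fed to monitoring, so the responder outage is visible as an event in its own right rather than only as the watchdog's five-minute restarts.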
PhxChris



Joined: 03 Mar 2014
Posts: 2
Location: US, Phoenix

PostPosted: Sun 10 Mar '19 3:27    Post subject: Follow up info

Saw that Apache was terminating when encountering this error, stopping the httpd Apache 2.4 service.

Turning SSLUseStapling off "solved" the problem and Apache is again stable. Obviously, not the preferred solution.

No response so far to the Apache bug report: https://bz.apache.org/bugzilla/show_bug.cgi?id=63231