Apache causing SSL delays - OCSP Stapling?

Discussion in 'Installation/Configuration' started by WhitcombeRD, Aug 15, 2019.

  1. WhitcombeRD

    WhitcombeRD Member

    I'm running Buster / ISPConfig 3.1.14p2 using Apache 2 as the web server.

    I've got an odd issue currently: websites served over SSL have an initial delay of up to 10 seconds before actually loading the first time. Once loaded, the client can browse with no further delays. This happens on *all* SSL sites but not the unencrypted ones.

    The remote browser just waits on "Establishing Secure Connection". No errors appear at all in the Apache logs or the site logs.
    CPU load, RAM usage etc. are minimal.
    Certs are all Let's Encrypt, generated from within ISPConfig, and all check out as valid.
    What I have found is that editing the Apache config and disabling OCSP stapling removes this delay completely, but obviously this is a bit of a hack.
    Any idea where my config has gone wrong or what's causing this issue?
     
  2. jendab

    jendab New Member

    Hi there, absolutely the same here... any idea please? Do you know how to troubleshoot this please? Thank you so much.
     
  3. WhitcombeRD

    WhitcombeRD Member

    Nobody seems to have an answer. It worked fine for me for a day or two. Rebooted and it hasn't worked since on that particular install.
    Another server is fine.
    The workaround I've found which "fixes" it is to disable OCSP stapling in the virtual host config for each website.
    Obviously that's a nasty hack and would need to be done for every newly created website, but I've not found any other way of troubleshooting.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't have this issue on any of my servers, and it must be quite uncommon if only two of several hundred thousand ISPConfig users encounter it. You can change the vhost master template in /usr/local/ispconfig/server/conf/ and comment it out there, then copy the modified template to /usr/local/ispconfig/server/conf-custom/ to make your change update-safe.
     
  5. WhitcombeRD

    WhitcombeRD Member

    I'm sure it's uncommon. I've been running 2 ISPConfig servers for several years and have just upgraded them with a clean install; one has this issue (AFTER the first reboot post full install) and the other does not.
    I'm not inclined to reinstall again as it's all up, running and hosting, and that's a lot more downtime and work than I'd like, especially if there's no guarantee it fixes the issue.
    Having nothing at all in the logs to even hint at an issue isn't helping, so for now I need to disable it.
    Thanks for the template location. I'll edit that now so I can at least not have the delay until the time I work out what the cause is (if ever).
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Code:
    # cat /etc/apache2/conf-enabled/ssl-stapling.conf 
    <IfModule mod_ssl.c>
        SSLUseStapling On
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors Off
        SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)"
    
        SSLCACertificatePath /etc/ssl/certs/
    #    SSLCACertificateFILE /etc/ssl/certs/ca-certificates.crt
    </IfModule>
    
     
  8. WhitcombeRD

    WhitcombeRD Member

    To highlight the issue here:
    [screenshot: staple1.PNG]
    This is the first run: a 10-second wait on the SSL connection.

    Repeat runs:
    [screenshot: staple2.PNG]
    0.2 seconds or so.

    It's a 10300 ms delay. That looks like some sort of 10-second timeout, but I have no idea how to solve that.
    Debug logs show a cache miss initially (as expected for a first load).
     
  9. hadizeid

    hadizeid Member

    Hello there,
    has anyone got a solution for the above issue?
    Currently I am facing exactly the same problem on all SSL websites. The unencrypted version of the websites is working properly.
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    One possibility is that the host uses a name server that answers very slowly or does not answer at all, and the host asks another name server after the timeout.
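To make the thread's diagnosis concrete, here is an added set of shell helpers, example code written for this page and not from the thread, from ISPConfig or from Apache: one classifies the OCSP status lines in `openssl s_client -status` output, one times the handshake from a client (the 10300 ms first-run measurement in post 8), and one repeats from the server side what mod_ssl does on a stapling cache miss, timing the name lookup of the OCSP responder (Taleman's slow-nameserver hypothesis) separately from the OCSP query itself. It assumes a POSIX shell, GNU coreutils (`date +%s%N`), `openssl` and `getent`; the host names and certificate paths are placeholders.

```shell
#!/bin/sh
# Added diagnostic helpers for OCSP stapling delays (example code, not from
# the thread, ISPConfig or Apache). Assumes sh, GNU date, openssl, getent.
set -u

# Classify `openssl s_client -status` output read from stdin:
#   stapled    a successful OCSP response came back in the handshake
#   no-staple  no status sent (stapling off, or the fetch failed with
#              SSLStaplingReturnResponderErrors Off)
#   error      a status was sent but it was not "successful"
staple_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo no-staple
  elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
    echo error
  else
    echo unknown
  fi
}

# Host part of an http(s) URI, e.g. the responder URI from a cert's AIA.
responder_host() {
  uri=${1#*://}      # strip scheme
  uri=${uri%%/*}     # strip path
  echo "${uri%%:*}"  # strip port
}

# Milliseconds since the epoch (GNU date).
now_ms() { echo $(( $(date +%s%N) / 1000000 )); }

# Client side: time the full handshake and report whether a staple came back.
# Usage: check_staple www.example.test [443]   (placeholder host)
check_staple() {
  host=$1; port=${2:-443}
  t0=$(now_ms)
  status=$(echo | openssl s_client -connect "$host:$port" -servername "$host" \
             -status 2>/dev/null | staple_status)
  t1=$(now_ms)
  echo "$host:$port handshake=$((t1 - t0))ms staple=$status"
}

# Server side: what mod_ssl has to do on a cache miss. Takes the leaf cert
# and its issuer (for Let's Encrypt, the chain file) and times the DNS
# lookup of the responder separately from the OCSP query.
# Usage: time_responder /path/to/cert.pem /path/to/chain.pem  (placeholders)
time_responder() {
  cert=$1; issuer=$2
  uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
  host=$(responder_host "$uri")
  t0=$(now_ms)
  if getent hosts "$host" >/dev/null; then rc=0; else rc=1; fi
  t1=$(now_ms)
  echo "dns $host rc=$rc $((t1 - t0))ms"
  openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
    -no_nonce -noverify -resp_text 2>&1 \
    | grep -E 'OCSP Response Status|Cert Status|Error' || true
  t2=$(now_ms)
  echo "ocsp $uri $((t2 - t1))ms"
}
```

If `time_responder` stalls on the server while `check_staple` is fast after the first hit, the pattern matches how mod_ssl works: on a cache miss it fetches the OCSP response inline during the handshake and waits up to SSLStaplingResponderTimeout (10 s by default; the conf posted earlier in the thread sets 5), then caches the failure for SSLStaplingErrorCacheTimeout (600 s by default), so later handshakes are quick until that entry expires. A shmcb cache under ${APACHE_RUN_DIR} is empty after every restart, which is why the stall comes back after a reboot. With SSLStaplingReturnResponderErrors Off a failed fetch sends no staple rather than an error, which `staple_status` reports as no-staple; `openssl ocsp` with `-noverify` skips signature checking on purpose because only reachability and latency are being measured here.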
     
  11. hadizeid

    hadizeid Member

    Today, all of a sudden, everything is working like a charm.
    Don't know what the issue was; nothing was done from my side.
    Weird.
     
