I'm running Buster / ISPConfig3.1.14p2 using Apache 2 as the web server. I've got an odd issue currently - websites served as SSL have an initial delay of up to 10 seconds before actually loading the first time. Once loaded the client can browse with no further delays. This happens on *all* SSL sites but not the unencrypted. The remote browser just waits on "Establishing Secure Connection". No errors appear in Apache logs at all or the sites. CPU load, RAM usage etc. is minimal. Certs are all LetsEncrypt generated from within ISPConfig and all check out as valid. What I have found is editing the Apache config and disabling OCSP stapling removes this delay completely but obviously this is a bit of a hack. Any idea where my config has gone wrong or what's causing this issue?
Hi there, absolutely the same here... any idea please? Do you know how to troubleshoot this please? Thank you so much.
Nobody seems to have an answer. It worked fine for me for a day or 2. Rebooted and hasn't worked since on that particular install. Another server it's fine. The workaround I've found which "fixes" it is to disable OCSP stapling in the virtualhost config for each website. Obviously that's a nasty hack and would need to be done for every newly created website but I've not found any other way of troubleshooting.
I don't have this issue on any of my servers and it must be quite uncommon if only two of several hundred thousand ISPConfig users encounter it. You can change the vhost master template in /usr/local/ispconfig/server/conf/ and comment it out there. Then copy the modified template to /usr/local/ispconfig/server/conf-custom/ to make your change update safe.
I'm sure it's uncommon. I've been running 2 ISPConfig servers for several years, have just upgraded them with a clean install and one has this issue (AFTER the first reboot post full install) and the other does not. I'm not inclined to reinstall again as it's all up, running, hosting and that's a lot more downtime and work than I'd like especially if there's no guarantee to fix the issue. Having nothing at all in the logs to even hint at an issue isn't helping so for now I need to disable. Thanks for the template location - I'll edit that now so I can at least not have the delay until the time I work out what the cause is (if ever).
Maybe it helps when you change the ocsp setup as described here and use a cache for ocsp responses? https://community.letsencrypt.org/t/robust-ocsp-stapling-with-apache-httpd/87896
Code:
# cat /etc/apache2/conf-enabled/ssl-stapling.conf
<IfModule mod_ssl.c>
    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off
    SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)"
    SSLCACertificatePath /etc/ssl/certs/
    # SSLCACertificateFILE /etc/ssl/certs/ca-certificates.crt
</IfModule>
To highlight the issue here:
This is first run - 10 second wait on SSL connection.
Repeat runs: 0.2 seconds or so.
It's 10300 msec delay. That looks like some sort of 10 second timeout but I have no idea how to solve that. Debug logs show a cache miss initially (as expected for a first load).
Hello there, anyone got a solution for the above issue? Currently I am facing exactly the same problems on all SSL websites. The unencrypted version of the websites is working properly.
One possibility is that the host uses a name server that answers very slowly or does not answer at all, and after a timeout the host asks another name server.
Today, all of a sudden everything is working like a charm. Don't know what the issue is, nothing was done from my side. Weird.
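The slow-name-server possibility raised in the reply above can be checked by timing each resolver listed in /etc/resolv.conf separately, since Apache has to resolve the OCSP responder's hostname before it can fetch a response to staple. The Python script below is an added example and not part of any post in this thread; the sample resolv.conf text and the hostname ocsp.example.invalid are constructed placeholders (pass the responder host from your own certificate).

```python
import socket, struct, sys, time

# Constructed sample; on a real host the script reads /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# constructed addresses from documentation ranges
nameserver 192.0.2.53
nameserver 198.51.100.53
"""

def parse_nameservers(text):
    """Return nameserver addresses in the order the resolver tries them."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def build_query(hostname, txid=0x4f43):
    """Build a minimal DNS A-record query (RFC 1035), recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def probe(server, hostname, port=53, timeout=3.0):
    """Query one server directly; return seconds to answer, None if silent."""
    query = build_query(hostname)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, port))
            while True:
                reply, _ = sock.recvfrom(512)
                if reply[:2] == query[:2]:  # transaction id matches
                    return time.monotonic() - start  # any reply counts
        except OSError:  # timeout, unreachable network, refused
            return None

if __name__ == "__main__":
    # Placeholder default; pass the OCSP responder host from your certificate.
    host = sys.argv[1] if len(sys.argv) > 1 else "ocsp.example.invalid"
    with open("/etc/resolv.conf") as fh:
        for ns in parse_nameservers(fh.read()):
            took = probe(ns, host)
            print(ns, "no answer" if took is None else f"{took * 1000:.0f} ms")
```

A first-listed server that reports "no answer" while a later one replies in milliseconds matches the fall-through behaviour described in that reply.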