Hello, I have upgraded successfully to 3.1 from latest stable in Centos 7.2. I have also setup successfully Let's Encrypt certificates in multiple websites. I am though receiving (from Ossec) multiple logs like the following on a regular interval: [ssl:error] [pid 10581:tid 140716533569280] [client xxx:15483] AH01980: bad response from OCSP server: 502 Bad Gateway [ssl:error] [pid 10581:tid 140716533569280] AH01941: stapling_renew_response: responder error Any ideas how to proceed? Also is there any port we have to open for the OCSP in the firewall perhaps?
Your server must be able to contact the OCSP URI, which is probably just port 80 (run `openssl x509 -noout -ocsp_uri -in yourcert.pem` to see what the URI is). In a quick search, this page explains how to verify the cert against the OCSP gateway: https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
Thank you for the info. I have already open port 80 and the url is http://ocsp.int-x3.letsencrypt.org/ and works fine so it seems it is not related to that. I will keep monitoring this in case i find out more i ll re-post.
Make sure you have a full certificate chain in use, ie. all the intermediate certificates (I think the file is 'fullchain.pem' from letsencrypt, or separate 'cert.pem' and 'chain.pem'). That is an nginx error you posted, correct? OCSP is working in apache with the ispconfig configuration, but I don't have nginx installed to test.
Actually this is the latest apache not ngix forgot to mention... I have narrowed it down to the point that the error is displayed only when apache restarts. Perhaps sometimes is also thrown when someone is accessing the Web site too. Sure I will check about a full chain thank you.
The configuration ispconfig creates will point to the correct letsencrypt files, I have verified such sites at ssllabs.com and the OCSP checks are all good. But in checking the server config, I see that I actually setup ssl stapling manually, ispconfig does not do that for you; it includes some config inside the control panel vhost itself, but nothing is setup server-wide. Try: Code: cat > /etc/apache2/conf-available/ssl-stapling.conf <<EOF <IfModule mod_ssl.c> SSLUseStapling On SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors Off SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)" SSLCACertificatePath /etc/ssl/certs/ # SSLCACertificateFILE /etc/ssl/certs/ca-certificates.crt </IfModule> EOF a2enconf ssl-stapling service apache2 restart
Hello i have good news! Since i am on centos i created the file ssl-stapling.conf on /etc/httpd/conf.d With the same content as yours ( i did not enable the bundle as well ) Code: <IfModule mod_ssl.c> SSLUseStapling On SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors Off SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)" SSLCACertificatePath /etc/ssl/certs/ # SSLCACertificateFILE /etc/ssl/certs/ca-bundle.crt </IfModule> After several tests and Apache restarts there is no message displayed So it looks like ispconfig itself should have an ssl strapling config set.
