Hello, I moved my server from Ubuntu 14.04 to 20.04 with the migration utility. Everything is fine, everything works. But some websites take about 6-7 seconds to load the first time. Nothing happens during this time. No load on the server or the client. When the start page is loaded, everything is normally fast. The ISPConfig panel is very slow after login. The spinning circle is visible for a very long time. Other pages (even WordPress pages) are very fast. Could it be a DNS problem? I have entered 127.0.0.1 as DNS for the local and the WAN interface in Netplan. There is a BIND running on this server.
/etc/resolv.conf:
    nameserver 127.0.0.53
    options edns0 trust-ad
Can anyone help me? Bye chico
Open the developer tools of your browser and see what is happening. Or share one of the problematic domains so we can check.
php.ini:
    opcache.enable=1
    output_buffering=Off
    session.cookie_httponly = 1
    session.cookie_secure = 1
    max_input_vars = 3000
    max_post_size = 3000
    post_max_size = 1024M
    upload_max_filesize = 1024M
    memory_limit = 256M
    safe_mode = Off
    max_execution_time = 7200
    max_input_time = 7200
    magic_quotes_gpc = Off
    file_uploads = Yes
    max_file_uploads = 200
that's all.
Nope. After reboot the problem occurs again. (And when I use a different browser. The OS where the browser runs is Mac OS X 10.15.) In /var/log/apache2/error.log I get a lot of
    [Sun Apr 18 02:09:32.748255 2021] [ssl:error] [pid 1346] AH01941: stapling_renew_response: responder error
    [Sun Apr 18 02:09:37.810395 2021] [ssl:error] [pid 3615] (70007)The timeout specified has expired: [client XXX.XXX.XXX.XXX:41895] AH01985: error reading response from OCSP server
XXX.XXX.XXX.XXX is my router IP from where I browse. Perhaps a hint?
I could have sworn I already replied to this but it must have been lost. Try setting your provider's nameservers in /etc/resolv.conf, or some public nameservers like Google's 8.8.8.8 / 8.8.4.4.
Do you mean /etc/resolv.conf or /etc/systemd/resolved.conf? The first one was reset after reboot to 127.0.0.53. The Ubuntu 20.04 is running Netplan from the beginning. I installed it with this tutorial: https://www.howtoforge.com/tutorial/ubuntu-lts-minimal-server/ I have a LAN and WAN NIC. It is a virtual server on VirtualBox. The NICs are bridged adapters. Here is the yaml file:
Code:
    # This is the network config written by 'subiquity'
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp0s17:
          dhcp4: no
          dhcp6: no
          addresses:
            - 192.168.1.28/24
          nameservers:
            addresses:
              - 8.8.8.8
              - 8.8.4.4
        enp0s8:
          addresses:
            - Y.Y.Y.Y (external IP)
          gateway4: X.X.X.X (external Gateway IP)
          nameservers:
            addresses:
              - 8.8.8.8
              - 8.8.4.4
I installed the ISPConfig setup with https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ I used the paid migration utility from ISPConfig to migrate from Ubuntu 14.04 / ISPConfig 3.1.5 to Ubuntu 20.04 / ISPConfig 3.2.4. Testing the site with Chrome developer tools shows the SSL handshake delay. An interesting part is that the certificates from before migrating have issues but the handshake is fast: https://www.ssllabs.com/ssltest/analyze.html?d=lesenmitlinks.de&hideResults=on and the new ones generated after the migration have no issues but the handshake is slow: https://www.ssllabs.com/ssltest/analyze.html?d=webshop.pixelbunker.de&hideResults=on&latest
After changing the DNS servers in the yaml file and then
    sudo netplan --debug generate
    sudo netplan apply
the problem still exists. I cannot figure out why.
For testing I set up a brand new Ubuntu 20-ISPConfig server with the OVA image from howtoforge on a VMware ESXi server. I split the yaml file in two (one for each interface). The test server SSL site is https://server40.pixelbunker.de. This is the only site on this server. The output of ping r3.o.lencr.org right after rebooting is:
Code:
    PING a1887.dscq.akamai.net (2.21.228.179) 56(84) bytes of data.
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=1 ttl=56 time=16.1 ms
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=2 ttl=56 time=17.0 ms
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=3 ttl=56 time=17.8 ms
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=4 ttl=56 time=17.6 ms
It has the same slow initial behaviour as the others mentioned above. Also I managed to change the DNS servers in /etc/resolv.conf with the tutorial in this link: https://www.tecmint.com/set-permanent-dns-nameservers-in-ubuntu-debian/ Now the output of /etc/resolv.conf is:
Code:
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 127.0.0.53
This is not improving anything.
Update: I can reduce the timeout from 5 sec. to 1 sec. by setting SSLStaplingResponderTimeout in /usr/local/ispconfig/server/conf/vhost.conf.master to 1, but I think that is just a workaround and I don't want to change anything without knowing what I am doing. Perhaps there is a person who can figure this problem out with the information above. That would be great...
The server is self-hosted. After curl -v http://r3.o.lencr.org/ I got this:
Code:
    * Trying 2.21.228.184:80...
    * TCP_NODELAY set
    * Connected to r3.o.lencr.org (2.21.228.184) port 80 (#0)
    > GET / HTTP/1.1
    > Host: r3.o.lencr.org
    > User-Agent: curl/7.68.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Server: nginx
    < Content-Length: 0
    < Cache-Control: max-age=35545
    < Expires: Tue, 20 Apr 2021 04:36:53 GMT
    < Date: Mon, 19 Apr 2021 18:44:28 GMT
    < Connection: keep-alive
    <
    * Connection #0 to host r3.o.lencr.org left intact
In the /etc/apache2/error.log I got this:
Code:
    [Mon Apr 19 18:51:42.412359 2021] [ssl:error] [pid 8546] (70007)The timeout specified has expired: [client 192.168.1.200:54172] AH01985: error reading response from OCSP server
    [Mon Apr 19 18:51:42.430488 2021] [ssl:error] [pid 8546] AH01941: stapling_renew_response: responder error
    [Mon Apr 19 18:51:47.511636 2021] [ssl:error] [pid 8547] (70007)The timeout specified has expired: [client 192.168.1.200:54171] AH01985: error reading response from OCSP server
    [Mon Apr 19 18:51:47.511709 2021] [ssl:error] [pid 8547] AH01941: stapling_renew_response: responder error
I followed your advice and have done the test of frankfoerster.com.
After openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://r3.o.lencr.org in my letsencrypt live folder of the domain I got:
Code:
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
              Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
              Serial Number: 03D115937B8CF77066C7A4DF1F8D758E6DED
        Request Extensions:
            OCSP Nonce: 04107826CF80FE69BC36F2D0617A24408878
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = R3
        Produced At: Apr 19 12:59:00 2021 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 03D115937B8CF77066C7A4DF1F8D758E6DED
        Cert Status: good
        This Update: Apr 19 12:00:00 2021 GMT
        Next Update: Apr 26 12:00:00 2021 GMT
        Signature Algorithm: sha256WithRSAEncryption
    WARNING: no nonce in response
    Response verify OK
    cert.pem: good
        This Update: Apr 19 12:00:00 2021 GMT
        Next Update: Apr 26 12:00:00 2021 GMT
I am now completely at a loss.
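Added example (not part of the original posts): a small Python log check that pairs the two mod_ssl messages quoted in the post above, AH01985 followed by AH01941 from the same Apache pid, into one failed OCSP fetch and reports which clients were affected and how far apart the failures were. The function names and the pairing window are assumptions of this example; the sample lines are the ones from the post plus one constructed filler line.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.4 error-log layout: [timestamp] [module:level] [pid N] message
LINE_RE = re.compile(r"^\[([^\]]+)\] \[ssl:error\] \[pid (\d+)\] (.*)$")
CODE_RE = re.compile(r"\b(AH01985|AH01941)\b")  # the two codes quoted in the post
CLIENT_RE = re.compile(r"\[client ([^\]]+):\d+\]")

# Four lines copied from the post above; the first line is constructed filler.
SAMPLE_LOG = """\
[Mon Apr 19 18:51:40.000001 2021] [core:notice] [pid 8000] AH00094: Command line: '/usr/sbin/apache2'
[Mon Apr 19 18:51:42.412359 2021] [ssl:error] [pid 8546] (70007)The timeout specified has expired: [client 192.168.1.200:54172] AH01985: error reading response from OCSP server
[Mon Apr 19 18:51:42.430488 2021] [ssl:error] [pid 8546] AH01941: stapling_renew_response: responder error
[Mon Apr 19 18:51:47.511636 2021] [ssl:error] [pid 8547] (70007)The timeout specified has expired: [client 192.168.1.200:54171] AH01985: error reading response from OCSP server
[Mon Apr 19 18:51:47.511709 2021] [ssl:error] [pid 8547] AH01941: stapling_renew_response: responder error
""".splitlines()

def parse_events(lines):
    """Return (time, pid, code, client or None) for every stapling error line."""
    events = []
    for line in lines:
        m, code = LINE_RE.match(line), CODE_RE.search(line)
        if not (m and code):
            continue  # not an ssl:error line carrying one of the two codes
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")
        client = CLIENT_RE.search(m.group(3))
        events.append((ts, int(m.group(2)), code.group(1),
                       client.group(1) if client else None))
    return events

def failed_fetches(events, window=1.0):
    """Pair each AH01941 with the AH01985 logged just before it by the same pid."""
    pending, incidents = {}, []
    for ts, pid, code, client in events:
        if code == "AH01985":
            pending[pid] = (ts, client)
        elif pid in pending and (ts - pending[pid][0]).total_seconds() <= window:
            incidents.append(pending.pop(pid))  # (time of timeout, client IP)
    return incidents

def summarize(lines):
    """Count failed fetches, affected clients and seconds between failures."""
    incidents = failed_fetches(parse_events(lines))
    times = [ts for ts, _ in incidents]
    gaps = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
    return {"failed_fetches": len(incidents),
            "clients": Counter(client for _, client in incidents),
            "gaps_s": gaps}
```

Calling `summarize()` on the lines of a real error.log gives the same three figures for the whole file, which makes it easy to see whether failures cluster after a restart or continue all day.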
As I said, it's an OVA image right here from howtoforge. No changes. One LAN network adapter, one WAN network adapter. The yaml files are:
10-localnet-ens33.yaml
Code:
    network:
      version: 2
      renderer: networkd
      ethernets:
        ens33:
          dhcp4: no
          dhcp6: no
          addresses: [192.168.1.100/24]
          nameservers:
            addresses: [8.8.8.8,8.8.4.4]
20-wan-ens160.yaml
Code:
    network:
      version: 2
      renderer: networkd
      ethernets:
        ens160:
          dhcp4: no
          dhcp6: no
          addresses: [XX.XX.XX.XX/XX]
          gateway4: YY.YY.YY.YY
          nameservers:
            addresses: [8.8.8.8,8.8.4.4]
Sorry for my late reply. From my testing, all seems to be working currently: https://www.ssllabs.com/ssltest/analyze.html?d=webshop.pixelbunker.de
Nope. I just put the timeout to 0.5 seconds and the cache time to 86400. When I put timeout = 100 in the .vhost file the website is unreachable. Sometimes the OCSP check from Qualys (Revocation Status and OCSP stapling test) works and sometimes not. That depends on Qualys infrastructure, and is not in the hands of the tested server. I can ping / dig / wget etc. the r3.o.lencr.org without problems from the terminal.
Code:
    # dig +trace r3.o.lencr.org
    ; <<>> DiG 9.16.1-Ubuntu <<>> +trace r3.o.lencr.org
    ;; global options: +cmd
    . 6657 IN NS l.root-servers.net.
    . 6657 IN NS k.root-servers.net.
    . 6657 IN NS j.root-servers.net.
    . 6657 IN NS i.root-servers.net.
    . 6657 IN NS a.root-servers.net.
    . 6657 IN NS h.root-servers.net.
    . 6657 IN NS g.root-servers.net.
    . 6657 IN NS f.root-servers.net.
    . 6657 IN NS e.root-servers.net.
    . 6657 IN NS d.root-servers.net.
    . 6657 IN NS c.root-servers.net.
    . 6657 IN NS b.root-servers.net.
    . 6657 IN NS m.root-servers.net.
    ;; Received 262 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms
    org. 172800 IN NS a0.org.afilias-nst.info.
    org. 172800 IN NS a2.org.afilias-nst.info.
    org. 172800 IN NS b0.org.afilias-nst.org.
    org. 172800 IN NS b2.org.afilias-nst.org.
    org. 172800 IN NS c0.org.afilias-nst.info.
    org. 172800 IN NS d0.org.afilias-nst.org.
    ;; Received 780 bytes from 198.97.190.53#53(h.root-servers.net) in 28 ms
    lencr.org. 86400 IN NS owen.ns.cloudflare.com.
    lencr.org. 86400 IN NS vera.ns.cloudflare.com.
    ;; Received 599 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 36 ms
    r3.o.lencr.org. 120 IN CNAME o.lencr.edgesuite.net.
    ;; Received 78 bytes from 173.245.59.219#53(owen.ns.cloudflare.com) in 28 ms
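Added example (not part of the original posts): a Python parser for the `openssl ocsp -text` output quoted earlier in this thread that reports how much validity the responder's answer has left and compares it with a stapling cache lifetime such as the 86400 seconds mentioned in the post above. The function names are assumptions of this example, and the embedded text is an excerpt of the output from the thread.

```python
import re
from datetime import datetime

# Excerpt of the `openssl ocsp -text` output quoted earlier in this thread.
SAMPLE_OCSP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Apr 19 12:59:00 2021 GMT
    Cert Status: good
    This Update: Apr 19 12:00:00 2021 GMT
    Next Update: Apr 26 12:00:00 2021 GMT
WARNING: no nonce in response
Response verify OK
"""

FIELD_RE = re.compile(
    r"^\s*(OCSP Response Status|Cert Status|This Update|Next Update):\s*(.+?)\s*$",
    re.M,
)

def parse_ocsp_text(text):
    """Extract status, validity window and verification result from the text."""
    fields = {}
    for name, value in FIELD_RE.findall(text):
        fields.setdefault(name, value)  # openssl repeats the dates; keep the first
    for key in ("This Update", "Next Update"):
        fields[key] = datetime.strptime(fields[key], "%b %d %H:%M:%S %Y GMT")
    fields["verified"] = "Response verify OK" in text
    return fields

def cache_check(text, now, cache_seconds):
    """Is the response usable at `now` (UTC), and does it outlive the cache entry?"""
    f = parse_ocsp_text(text)
    usable = (
        f["verified"]
        and f["OCSP Response Status"].startswith("successful")
        and f["Cert Status"] == "good"
        and f["This Update"] <= now < f["Next Update"]
    )
    remaining = (f["Next Update"] - now).total_seconds()
    return {
        "usable": usable,
        "remaining_s": remaining,
        "cache_fits": usable and cache_seconds <= remaining,
    }
```

With the response from the thread, checked at the time of the curl test (19 Apr 2021 18:44:28 GMT), 580532 seconds of validity remain, so a one-day cache entry expires well before the response does.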