Some Websites and ISPconfig slow at 1st start

Discussion in 'ISPConfig 3 Priority Support' started by chico11mbit, Apr 17, 2021.

  1. chico11mbit

    chico11mbit Member

    Hello,
    I moved my server from Ubuntu 14.04 to 20.04 with the migration utility. Everything is fine, everything works. But some websites take about 6-7 seconds to load the first time. Nothing happens during this time. No load on the server or the client. When the start page is loaded, everything is normally fast. The ISPConfig panel is very slow after login. The spinning circle is visible for a very long time.
    Other pages (even WordPress pages) are very fast.
    Could it be a DNS problem? I have entered 127.0.0.1 as DNS for the local and the WAN interface in Netplan. There is a BIND running on this server.

    /etc/resolv.conf:
    nameserver 127.0.0.53
    options edns0 trust-ad


    Can anyone help me?

    Bye
    chico
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Open the developer tools of your browser and see what is happening. Or share one of the problematic domains so we can check.
     
  3. chico11mbit

    chico11mbit Member

  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Seems like a TLS problem. Have you done any customization to your configs?
     
  5. chico11mbit

    chico11mbit Member

    php.ini:
    opcache.enable=1
    output_buffering=Off
    session.cookie_httponly = 1
    session.cookie_secure = 1
    max_input_vars = 3000
    max_post_size = 3000
    post_max_size = 1024M
    upload_max_filesize = 1024M
    memory_limit = 256M
    safe_mode = Off
    max_execution_time = 7200
    max_input_time = 7200
    magic_quotes_gpc = Off
    file_uploads = Yes
    max_file_uploads = 200

    that's all.
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Seems like you retrieved a new cert from Let's Encrypt and all is fine now, correct?
     
  7. chico11mbit

    chico11mbit Member

    Nope. After reboot the problem occurs again. (And when I use a different browser. The OS where the browser runs is Mac OS X 10.15.)

    In /var/log/apache2/error.log I get a lot of
    [Sun Apr 18 02:09:32.748255 2021] [ssl:error] [pid 1346] AH01941: stapling_renew_response: responder error
    [Sun Apr 18 02:09:37.810395 2021] [ssl:error] [pid 3615] (70007)The timeout specified has expired: [client XXX.XXX.XXX.XXX:41895] AH01985: error reading response from OCSP server

    XXX.XXX.XXX.XXX is my router IP from where I browse.
    Perhaps a hint?
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I could have sworn I already replied to this but it must have been lost.

    Try setting your provider's nameservers in /etc/resolv.conf, or some public nameservers like Google's 8.8.8.8 / 8.8.4.4.
     
  9. chico11mbit

    chico11mbit Member

    How can I do that in Ubuntu 20?
    /etc/resolv.conf:

     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Add
    Code:
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    to the conf file.
     
  11. chico11mbit

    chico11mbit Member

    Do you mean /etc/resolv.conf or /etc/systemd/resolved.conf?
    The first one was reset after reboot to 127.0.0.53.
    The Ubuntu 20.04 has been running Netplan from the beginning. I installed it with this tutorial: https://www.howtoforge.com/tutorial/ubuntu-lts-minimal-server/
    I have a LAN and a WAN NIC. It is a virtual server on VirtualBox. The NICs are bridged adapters. Here is the yaml file:
    Code:
    # This is the network config written by 'subiquity'
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp0s17:
          dhcp4: no
          dhcp6: no
          addresses:
          - 192.168.1.28/24
          nameservers:
            addresses:
            - 8.8.8.8
            - 8.8.4.4
        enp0s8:
          addresses:
          - Y.Y.Y.Y (external IP)
          gateway4: X.X.X.X (external Gateway IP)
          nameservers:
            addresses:
            - 8.8.8.8
            - 8.8.4.4
    I installed the ISPConfig setup with https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/
    I used the paid migration utility from ISPConfig to migrate from Ubuntu 14.04/ISPConfig 3.1.5 to Ubuntu 20.04/ISPConfig 3.2.4.
    Testing the site with Chrome developer tools shows the SSL handshake delay.

    An interesting part is that the certificates from before migrating have issues but the handshake is fast:
    https://www.ssllabs.com/ssltest/analyze.html?d=lesenmitlinks.de&hideResults=on
    and the new generated after the migration have no issues but the handshake is slow:
    https://www.ssllabs.com/ssltest/analyze.html?d=webshop.pixelbunker.de&hideResults=on&latest
     
    Last edited: Apr 19, 2021
  12. chico11mbit

    chico11mbit Member

    After changing the DNS servers in the yaml file and then running
    sudo netplan --debug generate
    sudo netplan apply
    the problem still exists. I cannot figure out why.
     
    Last edited: Apr 19, 2021
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is the output of
    Code:
    ping r3.o.lencr.org
    ?
     
  14. chico11mbit

    chico11mbit Member

    For testing I set up a brand new Ubuntu 20 ISPConfig server with the OVA image from howtoforge on a VMware ESXi server.
    I split the yaml file in two (one for each interface).
    The test server's SSL site is https://server40.pixelbunker.de. This is the only site on this server.
    The output of ping r3.o.lencr.org right after rebooting is:
    Code:
    PING a1887.dscq.akamai.net (2.21.228.179) 56(84) bytes of data.
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=1 ttl=56 time=16.1 ms
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=2 ttl=56 time=17.0 ms
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=3 ttl=56 time=17.8 ms
    64 bytes from a2-21-228-179.deploy.static.akamaitechnologies.com (2.21.228.179): icmp_seq=4 ttl=56 time=17.6 ms
    It has the same slow initial behaviour as the others mentioned above.

    Also I managed to change the DNS servers in /etc/resolv.conf with the tutorial in this link:
    https://www.tecmint.com/set-permanent-dns-nameservers-in-ubuntu-debian/

    Now the output of /etc/resolv.conf is:
    Code:
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 127.0.0.53
    This is not improving anything.
     
    Last edited: Apr 19, 2021
  15. chico11mbit

    chico11mbit Member

    Update:
    I can reduce the timeout from 5 sec. to 1 sec. by setting SSLStaplingResponderTimeout in /usr/local/ispconfig/server/conf/vhost.conf.master to 1,
    but I think that is just a workaround and I don't want to change anything without knowing what I am doing :)

    Perhaps there is a person who can figure this problem out with the information above. That would be great...
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Get in touch with your provider and ask them if there are network issues.
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  18. chico11mbit

    chico11mbit Member

    The server is self-hosted.
    After curl -v http://r3.o.lencr.org/
    I got this:
    Code:
    *   Trying 2.21.228.184:80...
    * TCP_NODELAY set
    * Connected to r3.o.lencr.org (2.21.228.184) port 80 (#0)
    > GET / HTTP/1.1
    > Host: r3.o.lencr.org
    > User-Agent: curl/7.68.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Server: nginx
    < Content-Length: 0
    < Cache-Control: max-age=35545
    < Expires: Tue, 20 Apr 2021 04:36:53 GMT
    < Date: Mon, 19 Apr 2021 18:44:28 GMT
    < Connection: keep-alive
    <
    * Connection #0 to host r3.o.lencr.org left intact
    In the /etc/apache2/error.log I got this:
    Code:
    [Mon Apr 19 18:51:42.412359 2021] [ssl:error] [pid 8546] (70007)The timeout specified has expired: [client 192.168.1.200:54172] AH01985: error reading response from OCSP server
    [Mon Apr 19 18:51:42.430488 2021] [ssl:error] [pid 8546] AH01941: stapling_renew_response: responder error
    [Mon Apr 19 18:51:47.511636 2021] [ssl:error] [pid 8547] (70007)The timeout specified has expired: [client 192.168.1.200:54171] AH01985: error reading response from OCSP server
    [Mon Apr 19 18:51:47.511709 2021] [ssl:error] [pid 8547] AH01941: stapling_renew_response: responder error
    I followed your advice and have done the test of frankfoerster.com.
    After
    openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://r3.o.lencr.org in my letsencrypt live folder of the domain I got:
    Code:
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
              Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
              Serial Number: 03D115937B8CF77066C7A4DF1F8D758E6DED
        Request Extensions:
            OCSP Nonce:
                04107826CF80FE69BC36F2D0617A24408878
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = R3
        Produced At: Apr 19 12:59:00 2021 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 03D115937B8CF77066C7A4DF1F8D758E6DED
        Cert Status: good
        This Update: Apr 19 12:00:00 2021 GMT
        Next Update: Apr 26 12:00:00 2021 GMT
    
        Signature Algorithm: sha256WithRSAEncryption
             74:d2:7f:76:ea:80:47:1f:27:4e:8d:88:fa:d0:d1:ec:4a:77:
             9a:15:1b:e0:67:67:e3:39:9c:c6:dc:2e:c8:84:02:09:83:29:
             87:42:7b:6f:33:4b:54:9b:71:22:8d:65:94:0c:da:6f:ad:d3:
             40:6d:53:cd:1d:8c:de:3e:9e:91:bc:87:5e:cf:02:54:91:76:
             28:05:90:40:c5:1a:4d:ea:73:c9:3d:6b:7c:c2:ce:cc:fd:e3:
             ce:eb:f7:7e:c4:4a:21:3a:ad:b1:45:58:47:62:06:89:16:2b:
             4f:03:7f:b9:36:7c:d9:e0:aa:71:61:d6:38:35:e4:42:81:e7:
             e8:6c:95:5f:74:f0:63:79:d5:8c:01:d0:09:da:55:60:50:4a:
             55:ee:78:80:ea:5f:8d:02:9d:06:7e:8c:4f:74:b2:bd:88:95:
             16:60:1c:58:d6:16:8d:c9:05:90:b0:cc:dd:51:32:60:8f:3f:
             a3:5d:ff:d9:65:a7:17:df:8f:8c:da:41:26:3e:3a:2d:57:fa:
             4a:e1:6c:06:9c:86:13:b7:1e:90:4d:dd:42:5d:2f:c5:0c:8a:
             47:0a:3f:b3:9b:9c:2a:a9:05:07:42:9c:24:c2:8e:e4:db:91:
             05:68:26:6c:05:17:1a:b2:f8:9b:8a:12:32:1d:02:72:b3:00:
             78:6d:5b:cf
    WARNING: no nonce in response
    Response verify OK
    cert.pem: good
            This Update: Apr 19 12:00:00 2021 GMT
            Next Update: Apr 26 12:00:00 2021 GMT
    I am now completely at a loss. As I said, it's an OVA image right here from howtoforge. No changes. One LAN network adapter, one WAN network adapter.

    The yaml files are:
    10-localnet-ens33.yaml
    Code:
    network:
      version: 2
      renderer: networkd
      ethernets:
        ens33:
          dhcp4: no
          dhcp6: no
          addresses: [192.168.1.100/24]
          nameservers:
            addresses: [8.8.8.8,8.8.4.4]
    20-wan-ens160.yaml
    Code:
    network:
      version: 2
      renderer: networkd
      ethernets:
        ens160:
          dhcp4: no
          dhcp6: no
          addresses: [XX.XX.XX.XX/XX]
          gateway4: YY.YY.YY.YY
          nameservers:
            addresses: [8.8.8.8,8.8.4.4]
     
    Last edited: Apr 19, 2021
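Added example (not code from this thread or from ISPConfig): a small Python script that reads the mod_ssl lines shown above from an Apache error log, pairs each AH01985 responder timeout with the AH01941 renew error of the same worker pid, and reports how far apart consecutive timeouts are. It assumes the standard Apache error-log line format and embeds the four log lines from this post as sample input.

```python
# Added example (not from the thread or ISPConfig): summarise mod_ssl OCSP
# stapling failures from an Apache error log. Assumes the default Apache
# error-log format; the sample below is the four lines quoted in the post.
import re
from datetime import datetime

SAMPLE_LOG = """\
[Mon Apr 19 18:51:42.412359 2021] [ssl:error] [pid 8546] (70007)The timeout specified has expired: [client 192.168.1.200:54172] AH01985: error reading response from OCSP server
[Mon Apr 19 18:51:42.430488 2021] [ssl:error] [pid 8546] AH01941: stapling_renew_response: responder error
[Mon Apr 19 18:51:47.511636 2021] [ssl:error] [pid 8547] (70007)The timeout specified has expired: [client 192.168.1.200:54171] AH01985: error reading response from OCSP server
[Mon Apr 19 18:51:47.511709 2021] [ssl:error] [pid 8547] AH01941: stapling_renew_response: responder error
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<pid>\d+)\]"
    r"(?: \(\d+\)[^:]*:)?"                  # optional "(70007)The timeout ... expired:"
    r"(?: \[client (?P<client>[^\]]+)\])?"  # optional client ip:port
    r" (?P<code>AH\d{5}): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def parse_ssl_errors(log_text):
    """Return the [ssl:error] lines as dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], TS_FMT),
                           "pid": int(m["pid"]), "client": m["client"],
                           "code": m["code"]})
    return events


def stapling_report(log_text):
    """Count responder timeouts, check each is followed within 1 s by a renew
    error from the same pid, and give the smallest spacing between consecutive
    timeouts (about 5 s in the log above, matching the 5 s stapling timeout)."""
    events = parse_ssl_errors(log_text)
    timeouts = [e for e in events if e["code"] == "AH01985"]
    renews = [e for e in events if e["code"] == "AH01941"]
    paired = sum(1 for t in timeouts if any(
        r["pid"] == t["pid"] and 0 <= (r["ts"] - t["ts"]).total_seconds() < 1
        for r in renews))
    clients = sorted({t["client"].rsplit(":", 1)[0] for t in timeouts if t["client"]})
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(timeouts, timeouts[1:])]
    return {"timeouts": len(timeouts), "renew_errors": len(renews),
            "paired": paired, "affected_clients": clients,
            "min_timeout_gap_s": round(min(gaps), 1) if gaps else None}
```

Run it against a real /var/log/apache2/error.log by passing the file contents to stapling_report; a steady stream of paired timeouts spaced by the configured SSLStaplingResponderTimeout means every fresh handshake is waiting the full timeout for the responder.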
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Sorry for my late reply. From my testing, all seems to be working currently: https://www.ssllabs.com/ssltest/analyze.html?d=webshop.pixelbunker.de
     
  20. chico11mbit

    chico11mbit Member

    Nope. I just put the timeout to 0.5 seconds and the cache time to 86400. When I put timeout = 100 in the .vhost file the website is unreachable.
    Sometimes the OCSP check from Qualys (Revocation Status and OCSP stapling test) works and sometimes not. That depends on Qualys' infrastructure and is not in the hands of the tested server.

    I can ping / dig / wget etc. r3.o.lencr.org without problems from the terminal.

    Code:
    # dig +trace r3.o.lencr.org
    
    ; <<>> DiG 9.16.1-Ubuntu <<>> +trace r3.o.lencr.org
    ;; global options: +cmd
    .                       6657    IN      NS      l.root-servers.net.
    .                       6657    IN      NS      k.root-servers.net.
    .                       6657    IN      NS      j.root-servers.net.
    .                       6657    IN      NS      i.root-servers.net.
    .                       6657    IN      NS      a.root-servers.net.
    .                       6657    IN      NS      h.root-servers.net.
    .                       6657    IN      NS      g.root-servers.net.
    .                       6657    IN      NS      f.root-servers.net.
    .                       6657    IN      NS      e.root-servers.net.
    .                       6657    IN      NS      d.root-servers.net.
    .                       6657    IN      NS      c.root-servers.net.
    .                       6657    IN      NS      b.root-servers.net.
    .                       6657    IN      NS      m.root-servers.net.
    ;; Received 262 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms
    
    org.                    172800  IN      NS      a0.org.afilias-nst.info.
    org.                    172800  IN      NS      a2.org.afilias-nst.info.
    org.                    172800  IN      NS      b0.org.afilias-nst.org.
    org.                    172800  IN      NS      b2.org.afilias-nst.org.
    org.                    172800  IN      NS      c0.org.afilias-nst.info.
    org.                    172800  IN      NS      d0.org.afilias-nst.org.
    org.                    86400   IN      DS      26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
    org.                    86400   IN      RRSIG   DS 8 1 86400 20210505050000 20210422040000 14631 . evq5YkCb288xJL7sFAHgwWsSNbXtoysP8RddMYLaNas9WjAy7R6bPMro 0MDGWacjOBE+lwQ2kZWUtQmZ4rOiskpbnj5qVjfz+tRE8kKPSmgBFmUF tpNAwgvFuf4iBaC69L6zFnDsn823eNs6jVAi8aVXOAXdA770wEIF+eMz vJpbVb1kmcdCqEz/dS6jmvCRHaf8vcyKg5FEmZSurvsrzFAtYL3eZFC1 moHDvygfRPj582IP5b3xjb6rUst222TwPYvN7H3kqkqlgV98kDEwxfKm TgIuhK/o0AbAVijGvAysU+a8YpeZHwg3TrMWO48+pJlx8PBzdfvoZ6zz 3OApfg==
    ;; Received 780 bytes from 198.97.190.53#53(h.root-servers.net) in 28 ms
    
    lencr.org.              86400   IN      NS      owen.ns.cloudflare.com.
    lencr.org.              86400   IN      NS      vera.ns.cloudflare.com.
    d6n22mffurrkkhup4jscmntse266m0lq.org. 86400 IN NSEC3 1 1 100 332539EE7F95C32A D6N6GR81BV9D3CE1VSG6FN5BAU7UB671 NS SOA RRSIG DNSKEY NSEC3PARAM
    h2jg5l9o22o2nct0l8nomqtp76tmbc5m.org. 86400 IN NSEC3 1 1 100 332539EE7F95C32A H2JNCC39JAN839KCFU4ROU2L2N0R30MM NS DS RRSIG
    d6n22mffurrkkhup4jscmntse266m0lq.org. 86400 IN RRSIG NSEC3 8 2 86400 20210513075131 20210422065131 27558 org. FssOFNoansk+bwoVy0ZURdlwKKaFrSk1RLRIw9Y/0Um47flg0Z9MMVdq jw80InDqKjIQSdqCgNg7Ru3nvVvyJiMK+gjHUMeoVGHuzqtIiszVulkn vwT578whKag+0dst3t+f7OzeesIpblgWzUfxMMo0Ko+RgqA5khaeww4o acw=
    h2jg5l9o22o2nct0l8nomqtp76tmbc5m.org. 86400 IN RRSIG NSEC3 8 2 86400 20210508153229 20210417143229 27558 org. f2MpjK6+kIJTNhEsTZT+PEFbwEKFRi+qx7trSfYN1QSylroreryw4cPQ MtAVyU1C8z7lBXFQSGGialSFJQDxz9qjdYvUSmjUVZR5OnipM4SCzpW3 HTdvVTPJn6tnrNcBM/mzK5q/I0HSsaDYgLMvDA/L9K+mMHr1ywj1ilAj 3fQ=
    ;; Received 599 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 36 ms
    
    r3.o.lencr.org.         120     IN      CNAME   o.lencr.edgesuite.net.
    ;; Received 78 bytes from 173.245.59.219#53(owen.ns.cloudflare.com) in 28 ms
     
    Last edited: Apr 22, 2021