Posted to users@httpd.apache.org by Hajo Locke <Ha...@gmx.de> on 2019/04/24 14:22:44 UTC

[users@httpd] ssl stapling error - sectigo

Hello List,

Apache is 2.4.39, the system is Ubuntu 18.04 and 16.04.

Since yesterday evening we have massive mod_ssl problems with SSL stapling:

Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
AH01941: stapling_renew_response: responder error

We had complaints about slow webpages; this forced us to deactivate
stapling on all our servers.
Affected are certificates of Sectigo (previously Comodo) with OCSP URL
http://ocsp.sectigo.com
I can't confirm for other providers; we use Comodo/Sectigo the most.

But it seems there is no basic problem on our system/network because I
can manually confirm the OCSP status with openssl on affected machines:

# openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
WARNING: no nonce in response
Response verify OK
crt: good
         This Update: Apr 22 12:46:48 2019 GMT
         Next Update: Apr 26 12:46:48 2019 GMT

I try to figure out on which side the problem is. We use basic SSL stapling
directives in /etc/apache2/mods-enabled/ssl.conf;
this is unchanged for months.

SSLUseStapling On
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

Is there somebody who can confirm this behaviour and explain what happens?

Thanks,
Hajo

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
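A check script for the situation described above, added here as an example and not part of the original post or of httpd: it classifies the output of `openssl ocsp` (the same command shown in the post) into a one-word verdict, runs the live query with a connection timeout against the OCSP URL read from the certificate's AIA extension, and reports what a TLS client actually receives stapled from the server. The file names `cert.pem` and `chain.pem`, the host name `www.example.com`, and the sample responder outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from httpd. Classifies `openssl ocsp`
# output and checks what a server staples, so an admin can verify the
# responder before turning SSLUseStapling back on.

# parse_ocsp_output: reads `openssl ocsp` output (stdout+stderr) on stdin and
# prints one word: good, revoked, unknown, no-status, responder-error,
# or verify-failed.
parse_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"Responder Error:"*)            # e.g. "Responder Error: tryLater (3)"
            echo responder-error; return 0 ;;
    esac
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo verify-failed; return 0     # unsigned, garbled or no response
    fi
    # the per-certificate line looks like "<file>: good|revoked|unknown"
    status=$(printf '%s\n' "$out" \
        | grep -E '^[^ ]+: (good|revoked|unknown)$' | head -n 1 | sed 's/.*: //')
    echo "${status:-no-status}"
}

# ocsp_live_check LEAF ISSUER [TIMEOUT]: queries the responder named in the
# leaf certificate's AIA extension, bounded by a connection timeout, and
# prints the verdict. Needs network access.
ocsp_live_check() {
    leaf=$1; issuer=$2; timeout=${3:-5}
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    [ -n "$url" ] || { echo no-ocsp-uri; return 0; }
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
        -timeout "$timeout" 2>&1 | parse_ocsp_output
}

# stapled_status HOST: what a client sees in the TLS handshake; prints the
# stapled response status or "no response sent". Needs network access.
stapled_status() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | sed -n 's/^ *OCSP Response Status: //p; s/^OCSP response: //p' | head -n 1
}

# Constructed sample outputs (not captured from a real responder).
SAMPLE_GOOD='WARNING: no nonce in response
Response verify OK
crt: good
         This Update: Apr 22 12:46:48 2019 GMT
         Next Update: Apr 26 12:46:48 2019 GMT'
SAMPLE_TRYLATER='Responder Error: tryLater (3)'
SAMPLE_REVOKED='Response verify OK
crt: revoked
         This Update: Apr 22 12:46:48 2019 GMT
         Reason: keyCompromise'

for s in "$SAMPLE_GOOD" "$SAMPLE_TRYLATER" "$SAMPLE_REVOKED"; do
    printf 'verdict: %s\n' "$(printf '%s\n' "$s" | parse_ocsp_output)"
done
# With real files and network access:
#   ocsp_live_check cert.pem chain.pem 5
#   stapled_status www.example.com
```

Run `ocsp_live_check` from the same host as the affected httpd, as Stefan asks later in the thread, so the result reflects that host's network path to the responder. A `responder-error` or `verify-failed` verdict is what mod_ssl logs as AH01941; with `SSLStaplingReturnResponderErrors off`, as in the post's configuration, such a response is withheld from clients rather than stapled, and `SSLStaplingResponderTimeout` bounds how long each attempt may block. `SSLStaplingErrorCacheTimeout` (default 600 seconds) sets how long a failed lookup is remembered before mod_ssl retries the responder.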


Re: [users@httpd] ssl stapling error - sectigo

Posted by Stefan Eissing <st...@greenbytes.de>.
There might come up an opportunity in the near future to give
Apache an alternate OCSP stapling implementation. Alternate,
as it is needed for the 2.4.x line. For backward compatibility
reasons, switching strategies must be an opt-in by the user.

I will announce here and on the dev list if/when that should happen
and will be happy to receive feedback on it.

Cheers, Stefan

> On 25.04.2019 at 16:29, Hajo Locke <Ha...@gmx.de> wrote:
> 
> Hello,
> 
> thanks to Tom, who informed me off-list about this. It seems that the problem
> was triggered by some kind of maintenance.
> https://sectigo.status.io/pages/history/5938a0dbef3e6af26b001921#
> 
> Currently it is working again for us.
> 
> Such unexpected problems with OCSP URLs are really annoying for visitors
> and admins; the only possibility is to deactivate SSL stapling. We had
> really slow webpages and also complete page load errors.
> Is it possible to change the way the validation process is included into
> the request process? The delivery speed of a website should not be affected by
> OCSP problems.
> Tom and I would be happy to have a fix in this case ;)
> 
> Thanks,
> Hajo
> 
> 
> On 25.04.2019 at 11:43, Hajo Locke wrote:
>> Hello,
>> 
>> On 25.04.2019 at 09:51, Stefan Eissing wrote:
>>> 
>>>> On 24.04.2019 at 16:22, Hajo Locke <Ha...@gmx.de> wrote:
>>>> 
>>>> Hello List,
>>>> 
>>>> Apache is 2.4.39, the system is Ubuntu 18.04 and 16.04.
>>>> 
>>>> Since yesterday evening we have massive mod_ssl problems with SSL
>>>> stapling:
>>>> 
>>>> Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
>>>> AH01941: stapling_renew_response: responder error
>>>> 
>>>> We had complaints about slow webpages; this forced us to deactivate
>>>> stapling on all our servers.
>>> Sorry to hear that.
>>> 
>>>> Affected are certificates of Sectigo (previously Comodo) with OCSP URL
>>>> http://ocsp.sectigo.com
>>>> I can't confirm for other providers; we use Comodo/Sectigo the most.
>>>> 
>>>> But it seems there is no basic problem on our system/network because I
>>>> can manually confirm the OCSP status with openssl on affected machines:
>>>> 
>>>> # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
>>>> WARNING: no nonce in response
>>>> Response verify OK
>>>> crt: good
>>>>          This Update: Apr 22 12:46:48 2019 GMT
>>>>          Next Update: Apr 26 12:46:48 2019 GMT
>>>> 
>>>> I try to figure out on which side the problem is. We use basic SSL stapling
>>>> directives in /etc/apache2/mods-enabled/ssl.conf;
>>>> this is unchanged for months.
>>>> 
>>>> SSLUseStapling On
>>>> SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
>>>> SSLStaplingResponderTimeout 5
>>>> SSLStaplingReturnResponderErrors off
>>>> 
>>>> Is there somebody who can confirm this behaviour and explain what
>>>> happens?
>>> AFAIK, there have been no (intentional) changes regarding OCSP
>>> stapling in recent versions. Are you doing the openssl test on the
>>> same machine that the affected servers run on?
>> 
>> Yes, same server. The Apache log produces the stapling errors; manual
>> confirmation with openssl works.
>> Today it seems the problems are over, but we are afraid of re-enabling it.
>> The main problem for website owners/visitors is a significant noticeable delay
>> when requesting a site. I think the OCSP stapling process is included in
>> the request process and lags the whole process if the OCSP URL is not acting like
>> expected.
>> Unfortunately I have no technical contact at Sectigo who could
>> re-establish my trust in SSL stapling.
>>> 
>>> - Stefan
>> Thanks,
>> Hajo
>> 
> 
> 


Re: [users@httpd] ssl stapling error - sectigo

Posted by Hajo Locke <Ha...@gmx.de>.
Hello,

thanks to Tom, who informed me off-list about this. It seems that the problem
was triggered by some kind of maintenance.
https://sectigo.status.io/pages/history/5938a0dbef3e6af26b001921#

Currently it is working again for us.

Such unexpected problems with OCSP URLs are really annoying for visitors
and admins; the only possibility is to deactivate SSL stapling. We had
really slow webpages and also complete page load errors.
Is it possible to change the way the validation process is included into
the request process? The delivery speed of a website should not be affected by
OCSP problems.
Tom and I would be happy to have a fix in this case ;)

Thanks,
Hajo


On 25.04.2019 at 11:43, Hajo Locke wrote:
> Hello,
>
> On 25.04.2019 at 09:51, Stefan Eissing wrote:
>>
>>> On 24.04.2019 at 16:22, Hajo Locke <Ha...@gmx.de> wrote:
>>>
>>> Hello List,
>>>
>>> Apache is 2.4.39, the system is Ubuntu 18.04 and 16.04.
>>>
>>> Since yesterday evening we have massive mod_ssl problems with SSL
>>> stapling:
>>>
>>> Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
>>> AH01941: stapling_renew_response: responder error
>>>
>>> We had complaints about slow webpages; this forced us to deactivate
>>> stapling on all our servers.
>> Sorry to hear that.
>>
>>> Affected are certificates of Sectigo (previously Comodo) with OCSP URL
>>> http://ocsp.sectigo.com
>>> I can't confirm for other providers; we use Comodo/Sectigo the most.
>>>
>>> But it seems there is no basic problem on our system/network because I
>>> can manually confirm the OCSP status with openssl on affected machines:
>>>
>>> # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
>>> WARNING: no nonce in response
>>> Response verify OK
>>> crt: good
>>>          This Update: Apr 22 12:46:48 2019 GMT
>>>          Next Update: Apr 26 12:46:48 2019 GMT
>>>
>>> I try to figure out on which side the problem is. We use basic SSL stapling
>>> directives in /etc/apache2/mods-enabled/ssl.conf;
>>> this is unchanged for months.
>>>
>>> SSLUseStapling On
>>> SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
>>> SSLStaplingResponderTimeout 5
>>> SSLStaplingReturnResponderErrors off
>>>
>>> Is there somebody who can confirm this behaviour and explain what
>>> happens?
>> AFAIK, there have been no (intentional) changes regarding OCSP
>> stapling in recent versions. Are you doing the openssl test on the
>> same machine that the affected servers run on?
>
> Yes, same server. The Apache log produces the stapling errors; manual
> confirmation with openssl works.
> Today it seems the problems are over, but we are afraid of re-enabling it.
> The main problem for website owners/visitors is a significant noticeable delay
> when requesting a site. I think the OCSP stapling process is included in
> the request process and lags the whole process if the OCSP URL is not acting like
> expected.
> Unfortunately I have no technical contact at Sectigo who could
> re-establish my trust in SSL stapling.
>>
>> - Stefan
> Thanks,
> Hajo
>




Re: [users@httpd] ssl stapling error - sectigo

Posted by Hajo Locke <Ha...@gmx.de>.
Hello,

On 25.04.2019 at 09:51, Stefan Eissing wrote:
>
>> On 24.04.2019 at 16:22, Hajo Locke <Ha...@gmx.de> wrote:
>>
>> Hello List,
>>
>> Apache is 2.4.39, the system is Ubuntu 18.04 and 16.04.
>>
>> Since yesterday evening we have massive mod_ssl problems with SSL stapling:
>>
>> Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
>> AH01941: stapling_renew_response: responder error
>>
>> We had complaints about slow webpages; this forced us to deactivate
>> stapling on all our servers.
> Sorry to hear that.
>
>> Affected are certificates of Sectigo (previously Comodo) with OCSP URL
>> http://ocsp.sectigo.com
>> I can't confirm for other providers; we use Comodo/Sectigo the most.
>>
>> But it seems there is no basic problem on our system/network because I
>> can manually confirm the OCSP status with openssl on affected machines:
>>
>> # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
>> WARNING: no nonce in response
>> Response verify OK
>> crt: good
>>          This Update: Apr 22 12:46:48 2019 GMT
>>          Next Update: Apr 26 12:46:48 2019 GMT
>>
>> I try to figure out on which side the problem is. We use basic SSL stapling
>> directives in /etc/apache2/mods-enabled/ssl.conf;
>> this is unchanged for months.
>>
>> SSLUseStapling On
>> SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
>> SSLStaplingResponderTimeout 5
>> SSLStaplingReturnResponderErrors off
>>
>> Is there somebody who can confirm this behaviour and explain what happens?
> AFAIK, there have been no (intentional) changes regarding OCSP stapling in recent versions. Are you doing the openssl test on the same machine that the affected servers run on?

Yes, same server. The Apache log produces the stapling errors; manual
confirmation with openssl works.
Today it seems the problems are over, but we are afraid of re-enabling it.
The main problem for website owners/visitors is a significant noticeable delay
when requesting a site. I think the OCSP stapling process is included in
the request process and lags the whole process if the OCSP URL is not acting like
expected.
Unfortunately I have no technical contact at Sectigo who could
re-establish my trust in SSL stapling.
>
> - Stefan
Thanks,
Hajo



Re: [users@httpd] ssl stapling error - sectigo

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 24.04.2019 at 16:22, Hajo Locke <Ha...@gmx.de> wrote:
> 
> Hello List,
> 
> Apache is 2.4.39, the system is Ubuntu 18.04 and 16.04.
> 
> Since yesterday evening we have massive mod_ssl problems with SSL stapling:
> 
> Apr 24 11:20:59 myhostname apache2[16094]: [ssl:error] [pid 16094]
> AH01941: stapling_renew_response: responder error
> 
> We had complaints about slow webpages; this forced us to deactivate
> stapling on all our servers.

Sorry to hear that.

> Affected are certificates of Sectigo (previously Comodo) with OCSP URL
> http://ocsp.sectigo.com
> I can't confirm for other providers; we use Comodo/Sectigo the most.
> 
> But it seems there is no basic problem on our system/network because I
> can manually confirm the OCSP status with openssl on affected machines:
> 
> # openssl ocsp -issuer bundle -cert crt -url http://ocsp.sectigo.com
> WARNING: no nonce in response
> Response verify OK
> crt: good
>         This Update: Apr 22 12:46:48 2019 GMT
>         Next Update: Apr 26 12:46:48 2019 GMT
> 
> I try to figure out on which side the problem is. We use basic SSL stapling
> directives in /etc/apache2/mods-enabled/ssl.conf;
> this is unchanged for months.
> 
> SSLUseStapling On
> SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(2560000)
> SSLStaplingResponderTimeout 5
> SSLStaplingReturnResponderErrors off
> 
> Is there somebody who can confirm this behaviour and explain what happens?

AFAIK, there have been no (intentional) changes regarding OCSP stapling in recent versions. Are you doing the openssl test on the same machine that the affected servers run on?

- Stefan