Manual OCSP Stapling


#1

Is there any way to force Apache to fetch a fresh OCSP response from the Let’s Encrypt OCSP responder manually?


#2

Restarting did the trick for me. But be aware that the Let’s Encrypt OCSP responses are valid for four days and seem to be pre-generated (i.e., re-downloading does not give you a fresh OCSP response).


#3

See my response here:

I use nginx, not Apache, but it should be transferable — the actual fetching is not done by the web server. Works really well here.
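The two points above (pre-generated responses with a four-day window, and fetching done outside the web server) mean a cron job only needs to re-fetch when the stored response is close to its nextUpdate. The following stdlib-only check is an added example, not code from this thread or from nginx or Let’s Encrypt: it reads thisUpdate/nextUpdate from a DER OCSPResponse such as the file handed to nginx’s ssl_stapling_file and says whether a refresh is due. The sample response is constructed here and carries a zero-filled signature; the parser does not verify signatures, so verify the real response when you fetch it.

```python
from datetime import datetime, timedelta, timezone

def der_iter(buf):
    """Yield (tag, value) for each TLV at the top level of buf; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long form: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def inner(tlv_bytes):
    """Elements nested directly inside the single TLV held in tlv_bytes."""
    return list(der_iter(next(der_iter(tlv_bytes))[1]))

def gtime(raw):
    return datetime.strptime(raw.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ocsp(der):
    """(producedAt, [(certStatus, thisUpdate, nextUpdate|None)]) of a DER OCSPResponse; no signature check."""
    status, response_bytes = inner(der)                      # OCSPResponse ::= SEQUENCE
    assert status[1] == b"\x00", "responseStatus is not successful(0)"
    _oid, basic = inner(response_bytes[1])                   # ResponseBytes inside [0]
    fields = list(der_iter(inner(basic[1])[0][1]))           # BasicOCSPResponse.tbsResponseData
    produced = gtime(next(v for t, v in fields if t == 0x18))
    singles = []
    for _, single in der_iter(next(v for t, v in fields if t == 0x30)):
        f = list(der_iter(single))                           # certID, certStatus, thisUpdate, [0] nextUpdate, ...
        cert_status = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[f[1][0]]
        nxt = next((v for t, v in f if t == 0xA0), None)
        singles.append((cert_status, gtime(f[2][1]), gtime(next(der_iter(nxt))[1]) if nxt else None))
    return produced, singles

def needs_refresh(der, now, margin=timedelta(hours=12)):
    """True when the stored response is not a usable 'good' staple or expires within margin."""
    status, this_update, next_update = parse_ocsp(der)[1][0]
    if status != "good" or next_update is None or now < this_update:
        return True
    return now + margin >= next_update

def tlv(tag, *parts):
    """Minimal DER encoder (short and long lengths), used only for the constructed sample."""
    body = b"".join(parts)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_response(this_update):
    """Constructed stand-in for a Let's Encrypt-style response: status good, 4-day window, zero signature."""
    gt = lambda d: tlv(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())
    single = tlv(0x30, tlv(0x30), b"\x80\x00", gt(this_update), tlv(0xA0, gt(this_update + timedelta(days=4))))
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, bytes(20))), gt(this_update), tlv(0x30, single))
    basic = tlv(0x30, tbs, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b"))), tlv(0x03, bytes(257)))
    return tlv(0x30, tlv(0x0A, b"\x00"), tlv(0xA0, tlv(0x30, tlv(0x06, bytes.fromhex("2b0601050507300101")), tlv(0x04, basic))))
```

Run `needs_refresh(open(path, "rb").read(), datetime.now(timezone.utc))` from cron against the stored file and only call the responder when it returns True.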


#4

Well, the SSL Stapling Cache on my Apache server is “shmcb” (which uses “shared memory segments”), so the OCSP response is never stored on disk. Therefore (Apache on its website warns users who change the shmcb of a possible performance penalty when there are many users), how can I do that here, maybe by forcing Apache to load a pre-fetched disk file into this “shared memory segment” when OCSP doesn’t respond?


#5

Unfortunately no. Apache’s current behavior is to do a blocking fetch when it needs to update. See gist.github.com/sleevi/5efe9ef98961ecfb4da8 for some details of what needs to be fixed.