Manual OCSP Stapling

Jason · February 16, 2016, 6:40am

Is there any way to force Apache to fetch a fresh OCSP response from the Let’s Encrypt OCSP responder manually?

mrtux · February 16, 2016, 1:24pm

Restarting did the track for me. But be aware, that the Let’sEncrypt OCSP responses are valid for four days and seem to be pre-generated (i.e., re-downloading it does not give you a fresh OCSP response).

Troon · February 19, 2016, 11:45am

See my response here:

I use nginx not Apache, but should be transferrable — the actual fetching is not done by the web server. Works really well here.

Jason · February 19, 2016, 7:29pm

Well, the SSL Stapling Cache on my Apache server is “shmcb” (which uses “shared memory segments”) so the OCSP response is never stored on the disk. Therefore, (Apache on its website warns users that change the shmcb of possible performance penalty when there are many users) how can I do that one here, maybe forcing Apache to load a pre-fetched disk file on this “shared memory segment” when OCSP doesn’t respond?

jsha · February 19, 2016, 8:16pm

Unfortunately no. Apache’s current behavior is to do a blocking fetch when it needs to update. See gist.github.com/sleevi/5efe9ef98961ecfb4da8 for some details of what needs to be fixed.

Topic		Replies	Views
Letsencrypt OCSP response times measured? Issuance Tech	13	5677	June 15, 2016
OCSP error is taking down my site in firefox Help	19	13906	October 5, 2016
OCSP requests via openssl not working Help	3	4786	August 9, 2017
OCSP responder returning 503 errors Help	13	3340	July 2, 2020
SSL stapling OCSP error Help	15	7143	January 10, 2018

Manual OCSP Stapling

Related Topics