OCSP error is taking down my site in firefox

mike817 · September 3, 2016, 4:07pm

tialaramex:

It may be difficult to inspect this because it's managed from cpanel, but is your Apache doing OCSP stapling?

Because having web browsers talk to an OCSP server for every new connection has negative privacy implications and can hurt reliability (sort of as you're seeing here) there is a feature called OCSP stapling, where the OCSP response instead of being fetched from a server by each web browser, is fetched from the OCSP server periodically by the web server, and then it "staples" that to the certificates it sends over, so browsers get the same information (signed by the CA) but don't have to make another connection to get it.

However, with OCSP stapling problems that used to definitely be with the OCSP server, now might be trouble on your web server. Apache is definitely capable of fetching a "try later" response and then stapling that to certificates and sending those over, which is, -ugh- I don't know how they thought that option was helpful.

If you definitely have, or think you might have, OCSP stapling enabled, then short of disabling it, which may not be possible from cpanel, you could try restarting the Apache server itself if that's possible and then try the site a couple of time, leaving a few seconds between each try ? I think that when it's restarted it will fetch a fresh OCSP response and so it might get a good response this time.

Still awkward though, really all the major web servers need to do better at OCSP stapling. Nobody wants an expired or invalid OCSP response, and nobody wants to wait a few seconds after each restart for it to work properly.

It looks like it's on in the httpd.conf:

<IfModule ssl_module>
   # cipher and protocol directives can be set in WHM under 'Apache Configuration' -> 'Global Configuration'
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AE$
    SSLProtocol All -SSLv2 -SSLv3
    SSLPassPhraseDialog  builtin

    <IfModule socache_shmcb_module>
        SSLUseStapling on
        SSLStaplingCache shmcb:/etc/apache2/run/stapling_cache_shmcb(256000)

        # Prevent browsers from failing if an OCSP server is temporarily broken.
        SSLStaplingReturnResponderErrors off
        SSLStaplingErrorCacheTimeout 60
        SSLSessionCache shmcb:/etc/apache2/run/ssl_gcache_data_shmcb(1024000)
    </IfModule>
    <IfModule !socache_shmcb_module>
        SSLSessionCache dbm:/etc/apache2/run/ssl_gcache_data_dbm
    </IfModule>

    SSLSessionCacheTimeout  300
    Mutex                   file:/etc/apache2/run ssl-cache
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    # The Listen port can be updated using 'Tweak Settings' -> 'System',
    # However, if you have any Apache Reserved IPs, then this Tweak setting will
    # be ignored. Instead, each IP on your system (excluding Apache Reserved IPs)
    # will be listed here.
    Listen 0.0.0.0:443
    Listen [::]:443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
</IfModule>