Stapling error message from Apache

My domain is:
epopen.com
My web server is (include version):
Apache 2.4.54
The operating system my web server runs on is (include version):
FreeBSD 13.1-RELEASE
I can login to a root shell on my machine (yes or no, or I don't know):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot-1.29.0

Hi All

I have been getting the following error messages periodically, at short intervals, since I started using Let's Encrypt:

[Fri Sep 02 09:08:59.563529 2022] [ssl:error] [pid 37:tid 34401891072] AH01936: stapling_check_response: response times invalid
[Fri Sep 02 09:08:59.563686 2022] [ssl:error] [pid 37:tid 34401891072] AH01943: stapling_renew_response: error in retrieved response!
[Fri Sep 02 09:19:41.964499 2022] [ssl:error] [pid 37:tid 34401790720] AH01936: stapling_check_response: response times invalid
[Fri Sep 02 09:19:41.964666 2022] [ssl:error] [pid 37:tid 34401790720] AH01943: stapling_renew_response: error in retrieved response!
[Fri Sep 02 09:35:46.852414 2022] [ssl:error] [pid 37247:tid 34401785344] AH01936: stapling_check_response: response times invalid
[Fri Sep 02 09:35:46.852575 2022] [ssl:error] [pid 37247:tid 34401785344] AH01943: stapling_renew_response: error in retrieved response!
[Fri Sep 02 10:02:15.346355 2022] [ssl:error] [pid 37247:tid 34401767424] AH01936: stapling_check_response: response times invalid
[Fri Sep 02 10:02:15.347322 2022] [ssl:error] [pid 37247:tid 34401767424] AH01943: stapling_renew_response: error in retrieved response!
[Fri Sep 02 10:22:21.561221 2022] [ssl:error] [pid 37247:tid 34401892864] AH01936: stapling_check_response: response times invalid
[Fri Sep 02 10:22:21.561386 2022] [ssl:error] [pid 37247:tid 34401892864] AH01943: stapling_renew_response: error in retrieved response!

I googled the issue and found https://community.letsencrypt.org/t/ocsp-server-sending-expired-responses-stapling-breaks-chrome/23964/3
That topic talks about the issue, but my result is fine, as follows.

OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

Therefore that is not my issue; the root cause is unknown and I have no solution.

  • About the firewall: Apache can be accessed from the outside internet on ports 80 & 443.
  • About Apache: it is configured as follows.
    SSLUseStapling On
    SSLStaplingCache "shmcb:/var/run/ssl_stapling(128000)"
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingErrorCacheTimeout 600
    SSLStaplingResponderTimeout 5
    SSLStaplingResponseMaxAge 900
    SSLStaplingReturnResponderErrors on

Please help debug. :slightly_smiling_face:
Thanks a lot.

1 Like
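An added example, not part of any post in this thread: a Python model of the time-window test behind "response times invalid", run against the `This Update` / `Next Update` fields that `openssl ocsp -resp_text` prints below the status lines quoted in the question. It assumes mod_ssl applies `SSLStaplingResponseTimeSkew` (default 300) and `SSLStaplingResponseMaxAge` (default -1, no limit) to those fields the way OpenSSL's `OCSP_check_validity` does; the sample response text, its times and the clock value are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl ocsp -resp_text` output; the times are invented.
SAMPLE_RESP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep  1 21:00:00 2022 GMT
    Next Update: Sep  8 20:59:58 2022 GMT
"""

def parse_times(resp_text):
    """Return (this_update, next_update) as UTC datetimes; either may be None."""
    found = []
    for field in ("This Update", "Next Update"):
        m = re.search(rf"{field}:\s*(\w{{3}}\s+\d+ \d\d:\d\d:\d\d \d{{4}}) GMT", resp_text)
        found.append(datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
                     .replace(tzinfo=timezone.utc) if m else None)
    return found[0], found[1]

def check_validity(this_upd, next_upd, now, skew=300, max_age=-1):
    """Return a list of problems; an empty list means the times are accepted.
    skew ~ SSLStaplingResponseTimeSkew, max_age ~ SSLStaplingResponseMaxAge
    (-1 = no age limit). Assumed mapping, see the lead-in."""
    if this_upd is None:
        return ["no thisUpdate field found"]
    problems = []
    if this_upd > now + timedelta(seconds=skew):
        problems.append("thisUpdate is in the future")
    if max_age >= 0 and this_upd < now - timedelta(seconds=max_age):
        problems.append("thisUpdate is older than max_age")
    if next_upd is not None:
        if next_upd < now - timedelta(seconds=skew):
            problems.append("nextUpdate is in the past")
        if next_upd < this_upd:
            problems.append("nextUpdate precedes thisUpdate")
    return problems

if __name__ == "__main__":
    this_upd, next_upd = parse_times(SAMPLE_RESP_TEXT)
    now = datetime(2022, 9, 2, 9, 8, 59, tzinfo=timezone.utc)  # constructed clock
    for max_age in (-1, 900):
        print(max_age, check_validity(this_upd, next_upd, now, max_age=max_age))
```

A response can report `successful (0x0)` and still fail this test, so the time fields are the part of the `-resp_text` output to compare with the server clock and the configured limits.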

Other volunteers may be willing to help educate you and configure Apache for stapling. It's more than I wish to take on. I will refer you to these topics. These are good background for understanding stapling and Apache.

The blog referred to in the above thread:
https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html

4 Likes

Thanks a lot.
I will try your suggestion, but because I tried too many times and reached the limit before, I will try again after 7 days. :sweat_smile: :sweat_smile: :sweat_smile:

1 Like

There is a staging environment specifically created for testing.

3 Likes

And here are Let's Encrypt's docs: Staging Environment - Let's Encrypt

1 Like

Thanks all very much.
I am reading and testing.

2 Likes