Using HTTPS delays access by more than 15 seconds. What's the problem?

The Let's Encrypt certificate we use has an access delay of more than 15 seconds when using HTTPS. When using HTTP, the access speed is only 2 seconds. I am a Chinese user. What's the problem?

The certificate was automatically renewed on March 9.

This isn’t something determined by the certificate, more by TLS in general perhaps, of which the certificate is just a small part. Could be OCSP stapling (didn’t check if that’s enabled or not though), could be lack of CPU power for some part of the handshake.

But in any case not something the Let’s Encrypt certificate influences.

Let's Encrypt have been investigating OCSP connectivity issues in China:

and another thread with Chinese users reporting issues: All letsencrypt certificate show revocation erro information

Sorry, I used (ACME) renewal. Does this involve OCSP connection?

Sort of, yes.

If you have OCSP Stapling enabled on your server, when a certificate is renewed, a new stapling response must be downloaded by your webserver.

This can result in the long handshake delays.

But even if you don’t have OCSP Stapling enabled, the same delay can be experienced on the browser side (for visitors in China), since the browser has to download the OCSP response (since it wasn’t stapled).

#ssl_stapling on;
#ssl_stapling_verify on;

I didn’t open it. Why didn’t I open it?
It was normal before. It started in April.

The GFW forbade the Let's Encrypt OCSP server in April. So you can choose to set a stapling file to pass.
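
As an added example (not posted by anyone in this thread), one way to tell whether a server actually sends a stapled OCSP response, and so whether visitors' browsers must contact the OCSP responder themselves, is to classify the output of `openssl s_client -status`. The function name and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP section of `openssl s_client -status` output.
# Live use (host name is a placeholder):
#   openssl s_client -connect example.com:443 -servername example.com -status \
#       </dev/null 2>/dev/null | stapling_status

# Reads s_client output on stdin; prints stapled-<cert status>, not-stapled or unknown.
stapling_status() {
    awk '
        /OCSP response: no response sent/   { none = 1 }
        /OCSP Response Status: successful/  { ok = 1 }
        /Cert Status:/ { sub(/^.*Cert Status:[ \t]*/, ""); status = $0 }
        END {
            if (ok && status != "") print "stapled-" status
            else if (none)          print "not-stapled"
            else                    print "unknown"
        }'
}

# Constructed sample: the server sent a stapled response (values are made up).
sample_stapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2000 GMT
    Next Update: Jan  8 00:00:00 2000 GMT
EOF
}

# Constructed sample: stapling disabled, as with the commented-out directives above.
sample_unstapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

sample_stapled   | stapling_status   # stapled-good
sample_unstapled | stapling_status   # not-stapled
```

nginx fetches the stapling response lazily, so the first handshakes after a reload can report `not-stapled` even with `ssl_stapling on;`; repeat the check before drawing a conclusion.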
