OCSP logs on Ispconfig 3.1

Discussion in 'General' started by Lionheart82, Oct 5, 2016.

  1. Lionheart82

    Lionheart82 Member

    Hello,
    I have upgraded successfully to 3.1 from latest stable in Centos 7.2.
    I have also setup successfully Let's Encrypt certificates in multiple websites.

    I am though receiving (from Ossec) multiple logs like the following on a regular interval:
    [ssl:error] [pid 10581:tid 140716533569280] [client xxx:15483] AH01980: bad response from OCSP server: 502 Bad Gateway

    [ssl:error] [pid 10581:tid 140716533569280] AH01941: stapling_renew_response: responder error

    Any ideas how to proceed?
    Also is there any port we have to open for the OCSP in the firewall perhaps?
     
    Last edited: Oct 5, 2016
  2. Jesse Norell

    Jesse Norell Active Member

    Your server must be able to contact the OCSP URI, which is probably just port 80 (run `openssl x509 -noout -ocsp_uri -in yourcert.pem` to see what the URI is).

    In a quick search, this page explains how to verify the cert against the OCSP gateway: https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
     
  3. Lionheart82

    Lionheart82 Member

    Thank you for the info.
    I have already open port 80 and the url is http://ocsp.int-x3.letsencrypt.org/ and works fine so it seems it is not related to that.
    I will keep monitoring this in case i find out more i ll re-post.
     
  4. Jesse Norell

    Jesse Norell Active Member

    Make sure you have a full certificate chain in use, ie. all the intermediate certificates (I think the file is 'fullchain.pem' from letsencrypt, or separate 'cert.pem' and 'chain.pem'). That is an nginx error you posted, correct? OCSP is working in apache with the ispconfig configuration, but I don't have nginx installed to test.
     
  5. Lionheart82

    Lionheart82 Member

    Actually this is the latest apache not ngix forgot to mention...
    I have narrowed it down to the point that the error is displayed only when apache restarts. Perhaps sometimes is also thrown when someone is accessing the Web site too.

    Sure I will check about a full chain thank you.
     
  6. Jesse Norell

    Jesse Norell Active Member

    The configuration ispconfig creates will point to the correct letsencrypt files, I have verified such sites at ssllabs.com and the OCSP checks are all good. But in checking the server config, I see that I actually setup ssl stapling manually, ispconfig does not do that for you; it includes some config inside the control panel vhost itself, but nothing is setup server-wide. Try:

    Code:
    cat > /etc/apache2/conf-available/ssl-stapling.conf <<EOF
    <IfModule mod_ssl.c>
        SSLUseStapling On
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors Off
        SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)"
    
        SSLCACertificatePath /etc/ssl/certs/
    #    SSLCACertificateFILE /etc/ssl/certs/ca-certificates.crt
    </IfModule>
    EOF
    
    a2enconf ssl-stapling
    service apache2 restart
     
  7. Lionheart82

    Lionheart82 Member

    Hello i have good news!
    Since i am on centos i created the file ssl-stapling.conf on /etc/httpd/conf.d
    With the same content as yours ( i did not enable the bundle as well )
    Code:
    <IfModule mod_ssl.c>
        SSLUseStapling On
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors Off
        SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)"
    
        SSLCACertificatePath /etc/ssl/certs/
        # SSLCACertificateFILE /etc/ssl/certs/ca-bundle.crt
    </IfModule>
    After several tests and Apache restarts there is no message displayed :)
    So it looks like ispconfig itself should have an ssl strapling config set.
     

Share This Page