I have read the setup on your site for OCSP Stapling. SSL Labs states NO on OCSP Stapling.
Ubuntu 20.04, OpenSSL 1.1.1g, Apache2 2.4.43
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    ServerName wp.scsiraidguru.com
    ServerAdmin mike.mckenney@scsiraidguru.com
    ServerAlias www.scsiraidguru.com scsiraidguru.com
    DocumentRoot /var/www/wp.scsiraidguru.com/public_html
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/96e3c185b09b612a.crt
    SSLCertificateKeyFile /etc/apache2/ssl/5Cert.key
    SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
    SSLUseStapling on
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
    CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName wp.scsiraidguru.com
    ServerAlias www.scsiraidguru.com scsiraidguru.com
    Redirect permanent / https://wp.scsiraidguru.com
</VirtualHost>
## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
## Permission for our DocumentRoot ##
<Directory /var/www/wp.scsiraidguru.com/public_html>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
# OCSP Stapling (both caches must be defined in global context, outside any VirtualHost)
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
# Path must be absolute; a relative path is resolved against ServerRoot
SSLSessionCache shmcb:/var/log/apache2/ssl_scache(512000)
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I am using Godaddy certificates and bundle. Certificate shows OCSP.Godaddy.com
echo QUIT | openssl s_client -connect wp.scsiraidguru.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2
Produced At: May 31 14:16:36 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B6080D5F6C6B76EB13E438A5F8660BA85233344E
Issuer Key Hash: 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
Serial Number: 96E3C185B09B612A
Cert Status: good
This Update: May 31 14:16:36 2020 GMT
Next Update: Jun 2 02:16:36 2020 GMT
I have my own Ubuntu 20.04 DNS/DHCP servers. Ping and NSLookup work. No access.log or error.log errors.
Any ideas?
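The `openssl s_client -status` check above, turned into a small classifier, as an added example that is not code from the post: it separates "no staple sent" (what SSL Labs reports as NO) from a stapled response, checks the Cert Status, and flags a staple served past its Next Update. The sample outputs are constructed after the post's own output; `check_host` is an assumed wrapper that runs the same command against a live host.

```python
"""Classify the OCSP staple reported by `openssl s_client -status` (added example)."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed samples shaped like the s_client output quoted in the post.
SAMPLE_GOOD = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: Jun  2 02:16:36 2020 GMT
"""
SAMPLE_NONE = "OCSP response: no response sent\n"

def parse_ocsp_time(value):
    """Parse OpenSSL's 'Jun  2 02:16:36 2020 GMT' timestamps as aware UTC."""
    stamp = datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def _field(text, name):
    # value of the first 'name: value' line, indentation ignored, or None
    match = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
    return match.group(1) if match else None

def classify_staple(text, now=None):
    """Return 'none', 'error', 'stale', 'good' or the raw non-good Cert Status."""
    now = now or datetime.now(timezone.utc)
    if "OCSP response:" not in text or "no response sent" in text:
        return "none"  # nothing stapled: what SSL Labs reports as "OCSP stapling: No"
    if not (_field(text, "OCSP Response Status") or "").startswith("successful"):
        return "error"  # a responder error (tryLater, unauthorized) was stapled
    status = _field(text, "Cert Status")
    if status != "good":
        return status or "unknown"
    next_update = _field(text, "Next Update")
    if next_update and parse_ocsp_time(next_update) < now:
        return "stale"  # served past Next Update; clients ignore it and scanners flag it
    return "good"

def check_host(host, port=443):
    """Run the post's s_client check against a live host (needs network access)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    result = subprocess.run(cmd, input=b"QUIT\n", capture_output=True, timeout=20)
    return classify_staple(result.stdout.decode(errors="replace"))
```

Running `check_host` repeatedly across a few minutes is the useful check here: the first handshake after a restart often returns `none` because mod_ssl has not fetched a response yet, and a result that flips to `stale` points at the cache rather than at the responder.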
@KDSys, I read the Jesin A OCSP article from your site.
I figured I would ask your community forum. I read that web sites should have OCSP Stapling. So I am trying to get it working fully.
I followed it. It is hosted at my house on my DL 360e Gen8 under VMWare 6U3. I have 7 virtual hosts on the two WordPress servers. Two of them are my family sites, which are over 160 GB each of videos and pictures. I back up to tape to protect them. Fortinet 60E firewall for protection.
DNS is properly configured and resolves from Godaddy. Fortinet 60E Firewall VIP rules allow ports 80,443 traffic to the virtual servers. Web sites resolve and redirect to port 443. Do they need to resolve to port 80 for OCSP to work? I can get the response but it doesn’t write to the log files.
I saw someone posted ocsp.godaddy.com uses port 80. Godaddy is useless for help.
Ubuntu, Apache, and OpenSSL are on the latest version.
I added these files for shmcb.
My OCSP Stapling notes page
The cache original path was var/log/apache2/. The permissions are www-data:www-data. Every virtual host has a subdirectory under it for the access.log and error.log.
I tried SSLStaplingCache "shmcb:logs/ssl_stapling(32768)".
This morning I can get an OCSP response.
Hi @mikemckenney,
While looking at the Apache configuration file I noticed the following
Those are the SSL files given for the domain wp.scsiraidguru.com, are you sure the SSL is properly added there?
Another thing I found is that both wp.scsiraidguru.com and scsiraidguru.com are not loading from your DigitalOcean droplet. At the moment they are pinging from the IP 50.4.203.235. If you want to have them ping from your Droplet with DigitalOcean, update your DNS from your registrar - GoDaddy. Once you point them to your server, everything should start loading properly.
Regards, KDSys