By mikemckenney
I have read the setup on your site for OCSP Stapling. SSL Labs states NO on OCSP Stapling.
Ubuntu 20.04, OpenSSL 1.1.1g, Apache2 2.4.43
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
ServerName wp.scsiraidguru.com
ServerAdmin mike.mckenney@scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com
DocumentRoot /var/www/wp.scsiraidguru.com/public_html
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/96e3c185b09b612a.crt
SSLCertificateKeyFile /etc/apache2/ssl/5Cert.key
SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
SSLUseStapling on
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName wp.scsiraidguru.com
ServerAlias www.scsiraidguru.com scsiraidguru.com
Redirect permanent / https://wp.scsiraidguru.com
</VirtualHost>
## Only enable TLS v1.2 and v1.3 and avoid older protocols ##
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:+HIGH:!MEDIUM:!LOW:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DES:!RC4:!MD5:!RSA:!3DES:!SRP:!DSS:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
## Permission for our DocumentRoot ##
<Directory /var/www/wp.scsiraidguru.com/public_html>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
# OCSP Stapling (SSLStaplingCache must sit in server scope, outside any VirtualHost)
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
SSLSessionCache shmcb:/var/log/apache2/ssl_scache(512000)
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I am using GoDaddy certificates and bundle. The certificate shows OCSP.Godaddy.com.
echo QUIT | openssl s_client -connect wp.scsiraidguru.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2
Produced At: May 31 14:16:36 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B6080D5F6C6B76EB13E438A5F8660BA85233344E
Issuer Key Hash: 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
Serial Number: 96E3C185B09B612A
Cert Status: good
This Update: May 31 14:16:36 2020 GMT
Next Update: Jun 2 02:16:36 2020 GMT
I have my own Ubuntu 20.04 DNS/DHCP servers. Ping and nslookup work. No access.log or error.log errors.
Any ideas?
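An added example, not from the original post or from the tutorial it refers to: a POSIX shell script built around the same `openssl s_client -status` check shown above. It turns the handshake output into a verdict (stapled and good, stapled but revoked, no staple sent), repeats the handshake a few times because some servers only staple once a cached response exists, and can query the responder URL embedded in the leaf certificate directly. That last check is the one relevant to the port-80 question: with stapling, the web server itself fetches from the responder over plain HTTP, so what has to work is outbound HTTP from the Apache host, not inbound port 80 to the virtual hosts. The function names, retry count and the sample handshake text in the test are assumptions constructed for this example; the strings it matches on (`OCSP response: no response sent`, `Cert Status:`, `Next Update:`) are what `openssl` prints.

```shell
#!/bin/sh
# Added example: check whether a TLS server staples an OCSP response and
# classify the result. Assumes openssl(1) is in PATH; host and port come
# from the caller. Function names are this example's own.

# One fresh TLS handshake with the status_request extension, no resumption.
fetch_staple() {
    host=$1
    port=${2:-443}
    printf 'QUIT\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status -no_ticket 2>/dev/null
}

# Classify s_client output read from stdin. Prints one of
# STAPLED_GOOD, STAPLED_REVOKED, STAPLED_UNKNOWN, NO_STAPLE, UNPARSED
# and exits 0 only for STAPLED_GOOD.
parse_staple() {
    out=$(cat)
    case $out in
        *'OCSP response: no response sent'*)
            echo NO_STAPLE; return 1 ;;
    esac
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo UNPARSED; return 1
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    case $status in
        good)    echo STAPLED_GOOD; return 0 ;;
        revoked) echo STAPLED_REVOKED; return 1 ;;
        *)       echo STAPLED_UNKNOWN; return 1 ;;
    esac
}

# Pull the "Next Update" timestamp out of s_client output on stdin, so a
# staple that is about to expire can be reported alongside the verdict.
staple_next_update() {
    sed -n 's/^ *Next Update: *//p' | head -n 1
}

# Repeat the handshake a few times: a server whose staple cache is empty
# may answer the first connection without a staple and later ones with it.
check_stapling() {
    host=$1; port=${2:-443}; tries=${3:-3}
    i=1
    while [ "$i" -le "$tries" ]; do
        verdict=$(fetch_staple "$host" "$port" | parse_staple)
        echo "attempt $i: $verdict"
        [ "$verdict" = STAPLED_GOOD ] && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Query the responder named in the leaf certificate directly, bypassing the
# web server. Run this on the Apache host itself: if it fails there, the
# host cannot reach the responder and mod_ssl has nothing to staple.
# Needs the leaf and issuer certificates as PEM files.
ocsp_direct() {
    leaf=$1; issuer=$2
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" -resp_text -noverify 2>&1 | head -n 20
}

# Usage: sh check_staple.sh HOST [PORT] [TRIES]
if [ -n "$1" ]; then
    check_stapling "$@"
fi
```

Run it against the site from a machine outside the firewall, then run `ocsp_direct` on the Apache host with the leaf and the issuer from gd_bundle-g2-g1.crt; the two results together tell you whether the problem is the server's outbound path to the responder or the stapling configuration itself.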
@KDSys, I read the OCSP article by Jesin A on your site.
I figured I would ask your community forum. I read that web sites should have OCSP Stapling. So I am trying to get it working fully.
I followed it. It is hosted at my house on my DL360e Gen8 under VMware 6U3. I have 7 virtual hosts on the two WordPress servers. Two of them are my family sites, which are over 160 GB each of videos and pictures. I back up to tape to protect them. Fortinet 60E firewall for protection.
DNS is properly configured and resolves from GoDaddy. Fortinet 60E firewall VIP rules allow port 80 and 443 traffic to the virtual servers. Web sites resolve and redirect to port 443. Do they need to resolve to port 80 for OCSP to work? I can get the response, but it doesn't write to the log files.
I saw someone posted that ocsp.godaddy.com uses port 80. GoDaddy is useless for help.
Ubuntu, Apache, and OpenSSL are on the latest version.
I added these files for shmcb.
sudo a2enmod file_cache
sudo a2enmod authn_socache
sudo a2enmod socache_shmcb
The cache's original path was var/log/apache2/. The permissions are www-data:www-data. Every virtual host has a subdirectory under it for the access.log and error.log.
ErrorLog /var/log/apache2/wp.scsiraidguru.com/error.log
CustomLog /var/log/apache2/wp.scsiraidguru.com/access.log combined
SSLStaplingCache shmcb:/var/log/apache2/wp.scsiraidguru.com/ssl_stapling_cache(128000)
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLSessionCache shmcb:/var/log/apache2/ssl_scache(512000)
I tried SSLStaplingCache "shmcb:logs/ssl_stapling(32768)".
This morning I can get an OCSP response.
echo QUIT | openssl s_client -connect wp.scsiraidguru.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2
Produced At: Jun 1 14:17:36 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B6080D5F6C6B76EB13E438A5F8660BA85233344E
Issuer Key Hash: 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
Serial Number: 96E3C185B09B612A
Cert Status: good
This Update: Jun 1 14:17:36 2020 GMT
Next Update: Jun 3 02:17:36 2020 GMT
Hi @mikemckenney,
While looking at the apache configuration file I noticed the following
SSLCertificateFile /etc/apache2/ssl/96e3c185b09b612a.crt
SSLCertificateKeyFile /etc/apache2/ssl/5Cert.key
SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt
Those are the SSL files given for the domain wp.scsiraidguru.com; are you sure the SSL is properly added there?
Another thing I found is that both wp.scsiraidguru.com and scsiraidguru.com are not loading from your DigitalOcean droplet. At the moment they are pinging from the IP 50.4.203.235. If you want to have them ping from your Droplet with DigitalOcean, update your DNS from your registrar - GoDaddy. Once you point them to your server, everything should start loading properly.
Regards, KDSys