Package: apache2 Version: 2.4.25-3+deb9u7 Severity: important I sometimes get SEC_ERROR_OCSP_TRY_SERVER_LATER errors in Firefox when I connect to my web server. The apache log shows errors like
[Fri Jul 26 20:01:31.355081 2019] [ssl:error] [pid 13552:tid 139871725876992] [client 207.46.13.73:1928] AH02321: empty response from OCSP server [Fri Jul 26 20:01:31.366890 2019] [ssl:error] [pid 13552:tid 139871725876992] [client 207.46.13.73:1928] AH01980: bad response from OCSP server: (none) [Fri Jul 26 20:01:31.366961 2019] [ssl:error] [pid 13552:tid 139871725876992] AH01941: stapling_renew_response: responder error I am not the only one getting such an issue. See: https://lafibre.info/cryptographie/ocsp-stapling-lets-encrypt/ https://community.letsencrypt.org/t/ocsp-error-is-taking-down-my-site-in-firefox/19496/4 https://www.reddit.com/r/sysadmin/comments/bh85ze/sectigos_ocsp_stapling_issues_earlier_this_week/ I think that a way to solve this issue is to add another option specifying how long a cached response remains valid in case of error (as long as it satisfies the SSLStaplingResponseMaxAge condition). -- Package-specific info: -- System Information: Debian Release: 9.9 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-9-amd64 (SMP w/1 CPU core) Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin 2.4.25-3+deb9u7 ii apache2-data 2.4.25-3+deb9u7 ii apache2-utils 2.4.25-3+deb9u7 ii dpkg 1.18.25 ii init-system-helpers 1.48 ii lsb-base 9.20161125 ii mime-support 3.60 ii perl 5.24.1-3+deb9u5 ii procps 2:3.3.12-3+deb9u1 Versions of packages apache2 recommends: ii ssl-cert 1.0.39 Versions of packages apache2 suggests: pn apache2-doc <none> pn apache2-suexec-pristine | apache2-suexec-custom <none> ii lynx [www-browser] 2.8.9dev11-1 Versions of packages apache2-bin depends on: ii libapr1 1.5.2-5 ii libaprutil1 1.5.4-3 ii libaprutil1-dbd-sqlite3 1.5.4-3 ii libaprutil1-ldap 1.5.4-3 ii libc6 2.24-11+deb9u4 ii libldap-2.4-2 2.4.44+dfsg-5+deb9u2 ii liblua5.2-0 5.2.4-1.1+b2 ii libnghttp2-14 1.18.1-1 ii libpcre3 2:8.39-3 ii libssl1.0.2 1.0.2s-1~deb9u1 ii libxml2 2.9.4+dfsg1-2.2+deb9u2 ii perl 5.24.1-3+deb9u5 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages apache2-bin suggests: pn apache2-doc <none> pn apache2-suexec-pristine | apache2-suexec-custom <none> ii lynx [www-browser] 2.8.9dev11-1 Versions of packages apache2 is related to: ii apache2 2.4.25-3+deb9u7 ii apache2-bin 2.4.25-3+deb9u7 -- Configuration Files: /etc/apache2/envvars changed: unset HOME if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" else SUFFIX= fi export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid export APACHE_RUN_DIR=/var/run/apache2$SUFFIX export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX export APACHE_LOG_DIR=/var/log/apache2$SUFFIX export LANG=C export LANG export MY_IPS="127 ::1/128 155.133.131.76 2001:4b99:1:3:216:3eff:fe20:ac98 86.75.119.128 2a02:8429:80cd:3100::/56 80.65.226.245" /etc/apache2/mods-available/ssl.conf changed: <IfModule mod_ssl.c> # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the SSL library. # The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device # because it would lead to very long connection times (as long as # it requires to make more entropy available). But usually those # platforms additionally provide a /dev/urandom device which doesn't # block. So, if available, use this one instead. Read the mod_ssl User # Manual for more details. # SSLRandomSeed startup builtin SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect builtin SSLRandomSeed connect file:/dev/urandom 512 ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ## # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). # (The mechanism dbm has known memory leaks and should not be used). #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. # (Disabled by default, the global Mutex directive consolidates by default # this) #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. See the # ciphers(1) man page from the openssl package for list of all available # options. # Enable only secure ciphers: SSLCipherSuite HIGH:!aNULL # SSL server cipher order preference: # Use server priorities for cipher algorithm choice. # Clients may prefer lower grade encryption. You should enable this # option if you want to enforce stronger encryption, and can afford # the CPU cost, and did not override SSLCipherSuite in a way that puts # insecure ciphers first. # Default: Off #SSLHonorCipherOrder on # The protocols to enable. # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 # SSL v2 is no longer supported SSLProtocol all -SSLv3 # Allow insecure renegotiation with clients which do not yet support the # secure renegotiation protocol. Default: Off #SSLInsecureRenegotiation on # Whether to forbid non-SNI clients to access name based virtual hosts. # Default: Off #SSLStrictSNIVHostCheck On # Enable OCSP stapling. See: # http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#ocspstapling SSLUseStapling On SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)" </IfModule> /etc/apache2/sites-available/000-default.conf changed: <VirtualHost *:80> # The ServerName directive sets the request scheme, hostname and port # that the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. ServerName joooj.vinc17.net ServerAdmin webmas...@vinc17.org DocumentRoot /var/www/html # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # For most configuration files from conf-available/, which are # enabled or disabled at a global level, it is possible to # include a line for only one particular virtual host. For example the # following line enables the CGI configuration for this host only # after it has been globally disabled with "a2disconf". #Include conf-available/serve-cgi-bin.conf Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Require ip ${MY_IPS} </Directory> </VirtualHost> -- no debconf information
