Hi all,

I’m wondering why I get 

OCSP Must Staple        Supported, OCSP response not stapled
Revocation information  OCSP 
OCSP: http://ocsp.int-x3.letsencrypt.org 

with the SSLlabs check on both the JSSE and the APR connector. The same cert is 
working on Apache or Nginx.

My version info is: 
Server version: Apache Tomcat/8.5.38
Server built:   Feb 5 2019 11:42:42 UTC
Server number:  8.5.38.0
OS Name:        Linux
OS Version:     4.9.93-boot2docker
Architecture:   amd64
JVM Version:    11.0.2+9-Debian-3
JVM Vendor:     Oracle Corporation

My understanding is that Tomcat should use OCSP stapling out of the box since 
Java 9 with -Djdk.tls.server.enableStatusRequestExtension=true set, or with APR and 
an OCSP-enabled (Let's Encrypt) certificate.

The documentation on 
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
 is not quite clear. I don’t have any client certs to validate. So neither 
option for the certificateVerification attribute makes sense to me.

openssl s_client -connect <myip>:443 -servername <myexternaldns> -tlsextdebug 
-status gives me "OCSP response: no response sent". I have checked that the 
Docker container can reach Let's Encrypt's responder.
(BTW 443 is NATed to 8443/8843 internally)

Could you please point me in the right direction? What am I missing?

Thank you.

Peter
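Added example (not from this thread or the Tomcat project): a small POSIX sh script that turns the `openssl s_client -status` check from the post into something you can run from a monitor, so a connector that silently stops stapling (which a Must-Staple certificate turns into a hard failure for clients) is noticed before SSL Labs does. The host, port and SNI name are placeholders; the two sample outputs are constructed, abridged copies of what OpenSSL prints in each case.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes OpenSSL 1.0.2 or
# newer is installed; host, port and SNI name are placeholders.

# Reads "openssl s_client -status" output on stdin and prints one word:
#   stapled-good, stapled-revoked, stapled-other, not-stapled
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo "not-stapled" ;;
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo "stapled-good" ;;
                *"Cert Status: revoked"*) echo "stapled-revoked" ;;
                *)                        echo "stapled-other" ;;
            esac ;;
        *) echo "not-stapled" ;;
    esac
}

# Probe a live server. Usage: check_stapling host port [sni]
# -servername matters: the staple belongs to the certificate chosen for that name.
check_stapling() {
    host=$1; port=$2; sni=${3:-$1}
    # </dev/null ends the session as soon as the handshake (and staple) is in
    openssl s_client -connect "$host:$port" -servername "$sni" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample outputs (abridged) so the classifier can be exercised offline.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
```

Anything other than `stapled-good` from a host that serves a Must-Staple certificate should page someone, since clients honouring the extension will refuse the connection.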
