https://bz.apache.org/bugzilla/show_bug.cgi?id=63231

            Bug ID: 63231
           Summary: Failing OCSP staple blocks httpd server
           Product: Apache httpd-2
           Version: 2.4.38
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: ch...@lodesys.com
  Target Milestone: ---

Running an Apache web server out of an IBM Softlayer server farm in Dallas.
Every so often, the Apache httpd child process restarts (as it should) then
stops responding to page requests when it cannot access OCSP stapling.

The latest was this morning (all times MST) between 2:31 am and 3:01 am. Here's
a sample from the log file...

[Mon Mar 04 02:31:15.367980 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18324
[Mon Mar 04 02:31:32.649236 2019] [mpm_winnt:notice] [pid 18324:tid 3236] AH00354: Child: Starting 1024 worker threads.
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : [client 207.46.13.24:5884] AH01977: failed reading line from OCSP server
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] [client 207.46.13.24:5884] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] AH01941: stapling_renew_response: responder error

The 3 [ssl:error] lines keep repeating over and over (I have over 40 sites
hosted on my server including lodesys.com and k12irc.org). 

Apache is restarted automatically every 5 minutes when not responding. The
errors persisted until 3:01 am when the OCSP server appears to have started
responding again and no more problems.

Have a ticket in with LetsEncrypt to see what's going on on their end, but
would expect that Apache httpd would not lock up when the OCSP server stops
responding.

Here's my Apache config lines...

SSLUseStapling          on
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off

SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(128000)"
SSLStaplingStandardCacheTimeout 86400

SSLSessionCache  "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300


This issue has happened intermittently over the last week or two. I am looking
at the option of just turning off SSLUseStapling as I need the sites up and
running 24/7.

Would be nice to get this fixed. Any ideas would be appreciated. 

This has been reported previously in Bug 61818. Using the current ApacheLounge
build.
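
An added example, not part of the original report: one way to measure such an outage from the error log is to group the three stapling errors quoted above (AH01977, AH01980, AH01941) into windows and count the AH00418 child restarts that fall inside each. The sample log is constructed, and the function names and the 10-minute grouping gap are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the error-log format quoted in the report (not the reporter's log).
SAMPLE_LOG = """\
[Mon Mar 04 02:31:15.367980 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18324
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] (OS 10060)timeout: [client 192.0.2.10:5884] AH01977: failed reading line from OCSP server
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] [client 192.0.2.10:5884] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] AH01941: stapling_renew_response: responder error
[Mon Mar 04 02:36:20.000000 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 19001
[Mon Mar 04 02:36:41.100000 2019] [ssl:error] [pid 19001:tid 1200] (OS 10060)timeout: [client 192.0.2.11:6001] AH01977: failed reading line from OCSP server
[Mon Mar 04 02:36:41.100000 2019] [ssl:error] [pid 19001:tid 1200] [client 192.0.2.11:6001] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:36:41.100000 2019] [ssl:error] [pid 19001:tid 1200] AH01941: stapling_renew_response: responder error
[Mon Mar 04 09:15:02.500000 2019] [ssl:error] [pid 19001:tid 1300] AH01941: stapling_renew_response: responder error
"""

STAPLING_ERRORS = {"AH01977", "AH01980", "AH01941"}  # codes shown in the report
RESTART = "AH00418"                                  # parent created a new child
LINE = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:.]+ \d{4})\] .*?\b(AH\d{5}):")

def parse(log):
    """Yield (timestamp, AH code) for every line that carries an AH code."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y"), m.group(2)

def stapling_outages(log, max_gap=timedelta(minutes=10)):
    """Group stapling errors into windows; errors within max_gap share a window."""
    events = sorted(parse(log))
    windows = []
    for ts, code in events:
        if code not in STAPLING_ERRORS:
            continue
        if windows and ts - windows[-1]["end"] <= max_gap:
            windows[-1]["end"] = ts          # extend the current window
        else:
            windows.append({"start": ts, "end": ts, "codes": Counter(), "restarts": 0})
        windows[-1]["codes"][code] += 1
    for w in windows:                        # restarts that happened during the window
        w["restarts"] = sum(1 for ts, code in events
                            if code == RESTART and w["start"] <= ts <= w["end"])
    return windows

if __name__ == "__main__":
    for w in stapling_outages(SAMPLE_LOG):
        print(w["start"], w["end"], dict(w["codes"]), "restarts:", w["restarts"])
```

A window that contains restarts matches the pattern in the report (responder unreachable while children are being recycled); a window with none is an isolated responder error.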
