https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
--- Comment #14 from Fabian Wenk <[email protected]> ---
(In reply to [email protected] from comment #13)
> > So you did not have any issue at least because there has never been an
> outage.

This bug was about what happens in case of a temporary outage.

I had the Nagios check from https://github.com/pfigel/check-ocsp-stapling in use to check if OCSP Stapling is working on my websites, and it was always happy. At a former workplace with another web server and after a restart the check was complaining about missing OCSP Stapling.

For sure there were outages of the OCSP responder from the CA, but an OCSP response usually is valid for multiple days and so is cached by Apache httpd. So with Stapling it will still give out a valid response. The issue is that when the cached OCSP response is reaching its end of validity, then httpd will refresh and drop what currently is in the cache, and if at just that moment the CA OCSP responder is down, it will not be able to refresh. But I guess you may have the same behavior with the ocsp_proxy.

My mentioned settings try to work around this, and httpd will not give out an invalid OCSP response, but just none. Please read the linked entry from blog.hboeck.de I mention in comment #12; it does explain a lot, and at the top it also mentions to now use mod_md instead.

The only drawback with my mentioned settings is that you cannot request from your CA to set the 'must staple' in your certificate, as there may be cases where your server will not return OCSP. I guess this should be solved when using the new method from mod_md.
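The comment above describes two observable states a monitoring check has to tell apart: a server that staples a healthy response (which only becomes a problem when the cached response nears its Next Update and the responder is unreachable at refresh time), and a server that staples nothing, or staples the responder's error, after such a refresh failed. The following is an added example of a small stapling check in that spirit, written for this page and not taken from the bug, from the check-ocsp-stapling project, or from httpd; it parses the text that `openssl s_client -status` prints and raises a warning when the stapled response is close to expiry, which is exactly the window in which a responder outage bites. The three sample outputs are constructed and trimmed to the lines the check reads; the `warn_days` threshold and the hostname handling are assumptions, not something the bug specifies.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: what `openssl s_client -status` prints when the server
# staples a healthy response (trimmed to the lines this check looks at).
SAMPLE_GOOD = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = XX, O = Example CA, CN = Example Issuing CA
    Produced At: Jan  1 12:00:00 2024 GMT
    Responses:
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
"""

# Constructed sample: stapling is enabled but the cache is empty, i.e. the
# refresh happened while the CA responder was down and nothing was kept.
SAMPLE_NONE = "OCSP response: no response sent\n"

# Constructed sample: the server stapled the responder's error instead of
# a real response (what happens when responder errors are passed through).
SAMPLE_TRYLATER = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: tryLater (0x3)
"""


def classify_stapling(text, now, warn_days=2):
    """Classify captured `openssl s_client -status` output.

    `now` is an aware datetime or an ISO-8601 string with offset.
    Returns (state, message) with state in {"OK", "WARNING", "CRITICAL"},
    mirroring the Nagios convention of the check mentioned in the comment.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)

    if "OCSP response: no response sent" in text:
        return ("CRITICAL", "server sent no stapled OCSP response")

    m = re.search(r"OCSP Response Status: (\w+)", text)
    if not m:
        return ("CRITICAL", "no OCSP response status found in s_client output")
    if m.group(1) != "successful":
        return ("CRITICAL", f"stapled response is a responder error: {m.group(1)}")

    m = re.search(r"Cert Status: (\w+)", text)
    cert_status = m.group(1) if m else "unknown"
    if cert_status != "good":
        return ("CRITICAL", f"certificate status is '{cert_status}'")

    m = re.search(r"Next Update: (.+) GMT", text)
    if not m:
        return ("WARNING", "stapled response carries no Next Update")
    # OpenSSL pads the day ("Jan  1"); collapsing whitespace keeps strptime simple.
    next_update = datetime.strptime(" ".join(m.group(1).split()),
                                    "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

    remaining = next_update - now
    if remaining <= timedelta(0):
        return ("CRITICAL", f"stapled response expired at {next_update.isoformat()}")
    if remaining < timedelta(days=warn_days):
        # This is the refresh window: if the CA responder is unreachable when
        # httpd refreshes, the next check will see "no response sent".
        return ("WARNING", f"stapled response expires in {remaining}; refresh is due")
    return ("OK", f"stapled response good, valid for {remaining.days} more days")


def fetch_stapling_output(host, port=443, timeout=10):
    """Run openssl s_client -status against a live host (needs network)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if len(sys.argv) > 1:
        print(classify_stapling(fetch_stapling_output(sys.argv[1]), now))
    else:
        for name, sample in (("good", SAMPLE_GOOD), ("none", SAMPLE_NONE),
                             ("trylater", SAMPLE_TRYLATER)):
            print(name, classify_stapling(sample, "2024-01-02T00:00:00+00:00"))
```

Run without arguments to see the three constructed samples classified; pass a hostname to check a live server. The WARNING state is the useful one for the situation in this bug: it fires before the cached response lapses, so an operator can tell a responder outage during the refresh window apart from stapling simply being misconfigured.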
