On 2019-09-26 23:40:45 +0200, Vincent Lefevre wrote:
> Control: found -1 2.4.38-3+deb10u1
>
> On 2019-07-26 22:30:00 +0200, Vincent Lefevre wrote:
> > I sometimes get SEC_ERROR_OCSP_TRY_SERVER_LATER errors in Firefox
> > when I connect to my web server. The apache log shows errors like
> >
> > [Fri Jul 26 20:01:31.355081 2019] [ssl:error] [pid 13552:tid
> > 139871725876992] [client 207.46.13.73:1928] AH02321: empty response from
> > OCSP server
> > [Fri Jul 26 20:01:31.366890 2019] [ssl:error] [pid 13552:tid
> > 139871725876992] [client 207.46.13.73:1928] AH01980: bad response from OCSP
> > server: (none)
> > [Fri Jul 26 20:01:31.366961 2019] [ssl:error] [pid 13552:tid
> > 139871725876992] AH01941: stapling_renew_response: responder error
>
> This still occurs. And when it does, I need to restart apache2.

This may be one of the following upstream bugs:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
"ocsp stapling should not pass temporary server outages to clients"

https://bz.apache.org/bugzilla/show_bug.cgi?id=61453
"OCSP Stapling: SSLStaplingFakeTryLater responses cached too long"

https://bz.apache.org/bugzilla/show_bug.cgi?id=61531
"SSLStaplingReturnResponderErrors should return last cached response if is an error upstream"

The second one has a link to a very simple patch, in case this is related.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
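
Added example, not part of the original message and not Apache code: a small Python parser that ties the AH02321/AH01980 responder errors to the AH01941 renewal failure logged by the same pid/tid, so failed stapling renewals can be counted or alerted on. It assumes the Apache 2.4 error log layout seen in the quoted excerpt; the function names are made up for this example.

```python
import re
from datetime import datetime

# Layout of the quoted excerpt; the [client ...] field is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# Codes taken from the log excerpt in the report.
CAUSE_CODES = {"AH02321", "AH01980"}  # empty / bad response from OCSP server
RENEW_FAILED = "AH01941"              # stapling_renew_response: responder error

def parse(line):
    """Parse one error log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return rec

def stapling_incidents(lines):
    """Return one incident per failed renewal, with the causes the same thread logged."""
    pending, incidents = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["pid"], rec["tid"])
        if rec["code"] in CAUSE_CODES:
            pending.setdefault(key, []).append(rec["code"])
        elif rec["code"] == RENEW_FAILED:
            incidents.append({"time": rec["ts"], "pid": int(rec["pid"]),
                              "causes": pending.pop(key, [])})
    return incidents

# The three lines quoted in the report, re-joined, plus one constructed junk line.
SAMPLE = [
    "[Fri Jul 26 20:01:31.355081 2019] [ssl:error] [pid 13552:tid 139871725876992] "
    "[client 207.46.13.73:1928] AH02321: empty response from OCSP server",
    "[Fri Jul 26 20:01:31.366890 2019] [ssl:error] [pid 13552:tid 139871725876992] "
    "[client 207.46.13.73:1928] AH01980: bad response from OCSP server: (none)",
    "(constructed) line that is not in error log format",
    "[Fri Jul 26 20:01:31.366961 2019] [ssl:error] [pid 13552:tid 139871725876992] "
    "AH01941: stapling_renew_response: responder error",
]

if __name__ == "__main__":
    for inc in stapling_incidents(SAMPLE):
        print(inc["time"].isoformat(), "pid", inc["pid"], "causes:", inc["causes"])
```
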