17th March 2016

OCSP Stapling on Apache 14.04 using Let's Encrypt

So I recently moved this website from managed shared hosting with Heart Internet to Digital Ocean. The primary reason for doing this was that I wanted to implement https on my website. This lets me offer secure browsing and allows me to experiment with http2 and service workers (both require https). Thankfully Digital Ocean has a collection of helpful tutorials that guide you through the process of installation and configuration.

But they didn't have a tutorial covering OCSP together with Let's Encrypt, so this article pulls together information from a few sources that I used to get OCSP stapling working on my site.

What is OCSP Stapling?

So https encrypts web traffic, but it can negatively impact page load speed: before trusting the certificate, the browser makes another round trip to the certificate vendor to determine whether the certificate is still valid. If it is, the page loads as normal. If not, the user is presented with an error page.

OCSP stapling allows the server to vouch for the validity of its own certificate using a stored response from the certificate vendor, which it sends to the browser together with the certificate. This response has been signed and time stamped by the certificate vendor, and it is the signature and timestamp that the browser verifies to decide whether the response should be trusted or not.

OCSP stapling removes the need for the browser to contact the certificate vendor directly, which makes the https handshake faster and so reduces page load times. You can read more on OCSP stapling at Max CDN.

Let's get started

The process is actually a lot simpler than it sounds.

Prerequisites:

You'll find the files you need to edit among the Apache virtual host config files (replace example.com with your domain). It may be easier to cd into the sites-enabled directory and ls to see which files are there.

$ sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf

Update the virtual host to look like this (source: Digital Ocean, modified for Let's Encrypt):

<IfModule mod_ssl.c>
    # The stapling cache is server-wide: it must sit outside any <VirtualHost>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>

        ServerAdmin webmaster@localhost
        ServerName example.com
        ServerAlias example.com
        DocumentRoot /var/www

        SSLEngine on

        # Let's Encrypt files: leaf certificate, private key and issuer chain.
        # mod_ssl needs the issuer (chain.pem) to fetch and validate OCSP responses.
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem

        # Ask mod_ssl to fetch OCSP responses and staple them to the handshake
        SSLUseStapling on

        Include /etc/letsencrypt/options-ssl-apache.conf

    </VirtualHost>
</IfModule>

Make sure the SSLStaplingCache directive sits outside the <VirtualHost> block!

Replace every instance of example.com with your domain, then save and exit. More info on certificate locations for Let's Encrypt

Next, check that the configuration is valid using:

$ sudo apachectl -t

The sudo is important: without it the test fails, because the Let's Encrypt certificate directory is readable only by root. Once the test reports no errors, reload Apache so the new configuration takes effect.

Testing

So hopefully everything is up and sorted with no errors. We now need to test that an OCSP response is actually being stapled. To do this, run the following (replace example.com with your domain; the two greps just trim the output to the OCSP section):

echo QUIT | openssl s_client -connect www.example.com:443 -servername www.example.com -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

If it's working you'll get something like this:


OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
    Produced At: Mar 14 19:19:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BC5772E2797C56E39994598D75A4A3D24C4C85C5
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 015BCCF1BB356B7C3921A4A55EDA1BF4E238
    Cert Status: good
    This Update: Mar 14 19:00:00 2016 GMT
    Next Update: Mar 21 19:00:00 2016 GMT

If it's not working you'll get nothing, because openssl prints "OCSP response: no response sent" and the greps filter that out.
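A freshness check for the stapled response, added here as an example and not part of the original post: it parses the openssl text shown above and flags a staple that is missing, not "good", or outside its This Update / Next Update window (browsers reject a staple past Next Update, so this is worth monitoring). The sample text and the one-day warning threshold are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant lines of the post's example output above.
SAMPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Mar 14 19:00:00 2016 GMT
    Next Update: Mar 21 19:00:00 2016 GMT
"""

def ocsp_time(s):
    """Parse openssl's 'Mar 14 19:00:00 2016 GMT' timestamps as aware UTC."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def _field(text, name):
    # First line of the form "<name>: <value>", ignoring indentation
    m = re.search(r"^\s*" + re.escape(name) + r": (.+)$", text, re.M)
    return m.group(1).strip() if m else None

def parse_ocsp(text):
    """Extract status and validity window; None when no staple was sent
    (openssl then prints 'OCSP response: no response sent')."""
    if "OCSP Response Data:" not in text:
        return None
    return {
        "status": _field(text, "Cert Status"),
        "this_update": ocsp_time(_field(text, "This Update")),
        "next_update": ocsp_time(_field(text, "Next Update")),
    }

def check_staple(text, now, warn_before=timedelta(days=1)):
    """Return 'missing', the non-good status (e.g. 'revoked'), 'outside-window',
    'expiring' (Next Update closer than warn_before) or 'ok'."""
    info = parse_ocsp(text)
    if info is None:
        return "missing"
    if info["status"] != "good":
        return info["status"]
    if not info["this_update"] <= now < info["next_update"]:
        return "outside-window"
    if info["next_update"] - now < warn_before:
        return "expiring"
    return "ok"
```

Feed it the raw output of the openssl command above (without the greps) and the current UTC time; anything other than "ok" deserves a look at the Apache error log.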

I also use SSL Labs to check the security of the SSL setup; its report should show OCSP stapling as Yes.


And you're done. I hope this helps 🙂


Other useful links for SSL config: