17th March 2016
OCSP Stapling on Apache 14.04 using Let's Encrypt
So I recently moved this website from managed shared hosting with Heart Internet to Digital Ocean. The primary reason for doing this was that I wanted to implement https on my website. This means I can offer secure browsing and lets me experiment with http2 and service workers (both require https). Thankfully Digital Ocean has a collection of helpful tutorials that guide you through the process of installation and configuration.
But they didn't have a tutorial covering OCSP and Let's Encrypt, so this article pulls together information from a few sources that I used to get OCSP stapling working on my site.
What is OCSP Stapling?
So https encrypts web traffic, but it can negatively impact page load speed because it requires another round trip to the certificate vendor to determine whether the certificate is valid. If it is, the page loads as normal. If not, the user is presented with an error page.
OCSP stapling allows the server to provide information about the validity of its own certificate using a stored response from the certificate vendor, which it sends to the browser together with the certificate. This response has been time stamped by the certificate vendor, and it's that timestamp the browser verifies to decide whether the response should be trusted.
OCSP stapling reduces the need to contact the certificate vendor directly, which makes the https handshake faster and so reduces page load times. You can read more on OCSP stapling at Max CDN.
Lets get started
The process is actually a lot simpler than it sounds.
You'll find the files you need to edit in the Apache virtual host config files (update example.com with your domain). It might be easier to cd to the sites-enabled directory and ls to display the files.
$ sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf
<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName example.com
        ServerAlias example.com
        DocumentRoot /var/www
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem
        SSLUseStapling on
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>
Make sure you put SSLStaplingCache outside of the VirtualHost block (it stays inside the IfModule block, as above)!
You need to update all instances of example.com to your domain, then save and exit. More info on certificate locations for Let's Encrypt is available in their documentation.
Next you need to check that it's set up correctly using:
$ sudo apachectl -t
The sudo is important: without it the check will fail because it won't be able to access the secure certificates directory.
So hopefully everything is up and sorted with no errors. Now we need to test that the OCSP response is being generated. To do this, use (replace example.com with your domain):
echo QUIT | openssl s_client -connect www.example.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
If it's working you'll get something like this:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
    Produced At: Mar 14 19:19:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BC5772E2797C56E39994598D75A4A3D24C4C85C5
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 015BCCF1BB356B7C3921A4A55EDA1BF4E238
    Cert Status: good
    This Update: Mar 14 19:00:00 2016 GMT
    Next Update: Mar 21 19:00:00 2016 GMT
If it's not working you'll get nothing.
I also use SSL Labs to check the security of the SSL configuration, and it should show the OCSP stapling status as yes.
And you're done. I hope this helps 🙂
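The grep pipeline above only tells you whether a response was printed. As an added example (not code from the original post), here is a small Python check that parses the text the openssl command prints and decides whether the staple is actually healthy: the responder status is successful, the certificate status is good, and the current time lies between This Update and Next Update, with a warning when Next Update is less than a day away (a stale staple is what makes browsers fall back to a live OCSP lookup or reject the connection). The sample text inside it is constructed from the output shown above; the hostname is a placeholder, the -servername flag is an addition so the right virtual host answers (SNI), and running it against a live host assumes openssl is on PATH.

```python
"""Health check for a stapled OCSP response (added example, not from the post)."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the post's example output, laid out as openssl prints it.
SAMPLE_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
    Produced At: Mar 14 19:19:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: BC5772E2797C56E39994598D75A4A3D24C4C85C5
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 015BCCF1BB356B7C3921A4A55EDA1BF4E238
    Cert Status: good
    This Update: Mar 14 19:00:00 2016 GMT
    Next Update: Mar 21 19:00:00 2016 GMT
"""

# openssl prints times like "Mar  4 19:00:00 2016 GMT"; strptime tolerates the padding.
TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def _field(text, name):
    """Return the value of the first line that reads '<name>: <value>', or None."""
    m = re.search(r"^\s*" + re.escape(name) + r": (.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def evaluate_staple(output, now, warn_before=timedelta(days=1)):
    """Classify one `openssl s_client -status` dump as (ok, reason).

    `now` is a UTC datetime or a time string in openssl's own format (handy
    when replaying captured output). ok is True only when a staple is present,
    the responder answered successfully, the certificate is "good" and now
    lies inside [This Update, Next Update). A staple expiring within
    warn_before is still ok, but the reason says so for monitoring output.
    """
    if isinstance(now, str):
        now = _parse_time(now)
    if "OCSP response:" not in output or "no response sent" in output:
        # No staple at all: SSLUseStapling is off or the cache is not primed yet.
        return False, "no stapled OCSP response"
    status = _field(output, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return False, "responder status: %s" % status
    cert_status = _field(output, "Cert Status")
    if cert_status != "good":
        return False, "certificate status: %s" % cert_status
    this_update = _field(output, "This Update")
    next_update = _field(output, "Next Update")
    if this_update is None or next_update is None:
        return False, "response has no validity window"
    start, end = _parse_time(this_update), _parse_time(next_update)
    if now < start:
        return False, "staple not yet valid (clock skew?)"
    if now >= end:
        return False, "stale staple: Next Update %s has passed" % next_update
    if end - now < warn_before:
        return True, "ok, but staple expires at %s" % next_update
    return True, "ok"


def fetch_status_output(host, port=443):
    """Run the post's openssl check against a live server and return its text."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"QUIT\n", capture_output=True, timeout=20)
    return proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python ocsp_check.py www.example.com   (hostname is a placeholder)
    if len(sys.argv) > 1:
        text = fetch_status_output(sys.argv[1])
    else:
        text = SAMPLE_OUTPUT  # constructed sample from the post
    ok, reason = evaluate_staple(text, datetime.now(timezone.utc))
    print("OK" if ok else "FAIL", "-", reason)
    sys.exit(0 if ok else 1)
```

Run with no argument it evaluates the constructed sample (which is long expired, so it reports a stale staple); run with a hostname it performs the live check and exits non-zero on failure, which makes it easy to hook into a cron job or monitoring probe so a stapling breakage is noticed before visitors do.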
Other useful links for SSL config: