Apache/2.4.23 (Unix) OCSP Stapling

[ssgill]

Hello i am trying to enable stapling on Apache/2.4.23.

1) /etc/httpd/conf/extra/httpd-ssl.conf

# Specify cached response location (must be outside <VirtualHost>)
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

before

<VirtualHost _default_:443>

2) /usr/local/directadmin/data/users/useraccount/httpd.conf

<VirtualHost XXX.XXX.XX.154:443 >
<IfModule headers_module>
        # Use HTTP Strict Transport Security to force client to use secure connections only
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
	SSLEngine on
    # Enable SSL & OCSP Stapling
        SSLUseStapling on

Tried this edit in httpd-ssl.conf as well but still getting

OCSP response: no response sent

Have all the certificate files linked in domin httpd.conf

SSLCertificateFile /usr/local/directadmin/data/users/userdomain/domains/userdomain.com.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/userdomain/domains/userdomain.com.key
SSLCACertificateFile /usr/local/directadmin/data/users/userdomain/domains/userdomain.com.cacert

Restart Apache
Any thing i am doing wrong or missing.

Thanks for your time and effort.

 

[ssgill]

Figured it out.

First i was testing against domain on shared IP (SNI). Have not found concrete answer if it works for shared ip and/or if it requires special setup.

Domain on their own IP validates.

Thanks

 

[ikkeben]

Figured it out.

First i was testing against domain on shared IP (SNI). Have not found concrete answer if it works for shared ip and/or if it requires special setup.

Domain on their own IP validates.

Thanks

Shared SNI should also work, ask SMtalk, he helped me, sorry i don't know wich part was wrong ( at a wrong place/fileconfig) or failing.

id did myself:
http://forum.directadmin.com/showthread.php?t=52590
https://help.directadmin.com/item.php?id=1

 

[JelleG]

Figured it out.

First i was testing against domain on shared IP (SNI). Have not found concrete answer if it works for shared ip and/or if it requires special setup.

Domain on their own IP validates.

Thanks

I am tryting to set-up OCSP Stapling and I changed all files, but still getting OCSP response: no response sent.
What exactly did you change to remove/disable the domain on shared IP?

I already disabled SNI using enable_ssl_sni=0. But it is still not working.

What am I missing?

EDIT:

Is HTTP/2 required for OCSP Stapling?