Could not connect to OCSP responder r3.o.lencr.org

tomputer (Verified User; joined Apr 5, 2016; 41 messages; location: The Netherlands)
We noticed that Apache was hanging because the OCSP responders from Let's Encrypt are or were unreachable.

On our DirectAdmin servers with Apache, we use the following OCSP stapling settings:
Code:
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/log/httpd/stapling_cache(128000)

When looking in the error_log we see that Apache tried to connect to the responder and then hits the responder timeout:
Code:
[Thu May 05 12:33:55.760348 2022] [ssl:error] [pid 12794:tid 140124843042560] (70007)The timeout specified has expired: [client 157.55.39.236:60212] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'

Eventually, after enough pending requests, this seems to result in Apache hitting the MaxRequestWorkers:
Code:
[Thu May 05 12:33:58.516733 2022] [mpm_event:error] [pid 53418:tid 140125817120896] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.

As a temporary workaround, SSLUseStapling has been disabled, but this is a pretty lame workaround. I'm wondering if there is a better fix or workaround available.

Has anyone else experienced this issue before?
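The failure mode described in this post (responder timeouts followed by a full scoreboard) can be spotted from the error_log before Apache stops answering. The script below is an added example, not code from the post or from DirectAdmin: it parses the AH01974 and AH03490 entries, groups them per minute, and estimates how many worker-seconds the OCSP fetches held. It assumes, as an approximation, that each AH01974 line represents one worker thread blocked for the full SSLStaplingResponderTimeout (5 s in the configuration above) while the handshake waited on the responder; the sample log lines, the MaxRequestWorkers value and the 50 % starvation threshold are constructed for the example.

```python
#!/usr/bin/env python3
"""Detect OCSP-stapling worker starvation from an Apache error_log.

Added example (not from the forum post). Each AH01974 'could not connect to
OCSP responder' entry is treated as one worker blocked for
SSLStaplingResponderTimeout seconds (assumption: the fetch is synchronous and
the timeout expired). AH03490 'scoreboard is full' entries are counted as the
symptom the post reports.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache error_log line: [timestamp] [module:level] [pid ...] <prefix>AHxxxxx: message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid [^\]]+\] "
    r"(?P<prefix>.*?)(?P<code>AH\d{5}): (?P<msg>.*)$"
)
RESPONDER_RE = re.compile(r"could not connect to OCSP responder '(?P<responder>[^']+)'")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"  # e.g. Thu May 05 12:33:55.760348 2022


def parse_line(line):
    """Return a dict with ts/module/level/code/msg (and responder for AH01974), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "module": m["module"],
        "level": m["level"],
        "code": m["code"],
        "msg": m["msg"],
    }
    r = RESPONDER_RE.search(m["msg"])
    if r:
        rec["responder"] = r["responder"]
    return rec


def analyse(lines, responder_timeout=5):
    """Per-minute OCSP timeouts, scoreboard-full events and estimated blocked worker-seconds."""
    buckets = defaultdict(lambda: {"ocsp_timeouts": 0, "scoreboard_full": 0, "responders": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] not in ("AH01974", "AH03490"):
            continue
        b = buckets[rec["ts"].replace(second=0, microsecond=0)]
        if rec["code"] == "AH01974":
            b["ocsp_timeouts"] += 1
            b["responders"].add(rec.get("responder", "?"))
        else:
            b["scoreboard_full"] += 1
    report = []
    for minute in sorted(buckets):
        b = buckets[minute]
        blocked = b["ocsp_timeouts"] * responder_timeout  # assumption: full timeout per entry
        report.append({
            "minute": minute.strftime("%Y-%m-%d %H:%M"),
            "ocsp_timeouts": b["ocsp_timeouts"],
            "blocked_worker_seconds": blocked,
            "avg_workers_blocked": round(blocked / 60, 2),  # average workers held over the minute
            "scoreboard_full": b["scoreboard_full"],
            "responders": sorted(b["responders"]),
        })
    return report


def starved_minutes(report, max_request_workers, fraction=0.5):
    """Minutes in which OCSP fetches held at least `fraction` of MaxRequestWorkers on
    average, or Apache already reported a full scoreboard."""
    return [r["minute"] for r in report
            if r["avg_workers_blocked"] >= fraction * max_request_workers
            or r["scoreboard_full"] > 0]


# Constructed sample: the two lines quoted in the post plus invented neighbours.
SAMPLE_LOG = """\
[Thu May 05 12:31:02.100000 2022] [ssl:error] [pid 12794:tid 140124843042561] (70007)The timeout specified has expired: [client 192.0.2.10:51000] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'
[Thu May 05 12:33:50.200000 2022] [ssl:error] [pid 12794:tid 140124843042562] (70007)The timeout specified has expired: [client 192.0.2.11:51001] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'
[Thu May 05 12:33:53.400000 2022] [ssl:error] [pid 12794:tid 140124843042563] (70007)The timeout specified has expired: [client 192.0.2.12:51002] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'
[Thu May 05 12:33:55.760348 2022] [ssl:error] [pid 12794:tid 140124843042560] (70007)The timeout specified has expired: [client 157.55.39.236:60212] AH01974: could not connect to OCSP responder 'r3.o.lencr.org'
[Thu May 05 12:33:58.516733 2022] [mpm_event:error] [pid 53418:tid 140125817120896] AH03490: scoreboard is full, not at MaxRequestWorkers.Increase ServerLimit.
this line is not in Apache error_log format and is skipped
"""

if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG.splitlines(), responder_timeout=5)
    for row in rep:
        print(row)
    print("starved minutes:", starved_minutes(rep, max_request_workers=150))
```

Run it against a real log with `analyse(open("/var/log/httpd/error_log"))` and your own `SSLStaplingResponderTimeout` and `MaxRequestWorkers` values; a minute whose `avg_workers_blocked` approaches `MaxRequestWorkers` is heading for the AH03490 condition even before the scoreboard fills.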