Using OCSP stapling with LE certificates

Hi,

Was anyone able to successfully use Let's Encrypt certificates in conjunction with OCSP stapling yet?

Running the latest version of the KEMP LM 7.2.40.0.15707 at least provides the possibility to enter a DNS name and not an IP address of a desired OCSP server.

Using the details provided here https://community.letsencrypt.org/t/setting-up-ocsp-on-a-kemp-to-use-letsencrypt/19025/4, I still end up getting 'OCSP response: no response sent' when I run 'openssl s_client -connect <domain name>:443 -servername <domain name> -status | grep OCSP'.

Other services which I do not load balance and which do OCSP stapling using e.g. Nginx correctly show:

'OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'


KEMP LM configuration parameters look like the following:

OCSP Server: ocsp.int-x3.letsencrypt.org

OCSP Server Port: 80

OCSP URL: /

Use SSL: unchecked

Allow Access on Server Failure: unchecked (doesn't matter in this case)

Enable OCSP Stapling: checked

OCSP Refresh Interval: 1 Hour


Thanks in advance

Kevin


4 comments


Nick Smylie

Official comment

As of our .50 release we now send a Host header with OCSP.



Kaddour Hallaoui

The LM does not send the host name with its request, which returns an error 400 right now. Opened a feature request for it, hopefully to solve this.

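The probe from the question, turned into a scriptable check, plus a direct query of the configured responder that sends the Host header the comments say the LoadMaster omits. This is an added example, not code from the thread or from KEMP; the certificate and issuer file paths passed to query_responder, and the sample outputs, are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from KEMP): make the stapling probe
# pass/fail and query the Let's Encrypt responder with an explicit Host header.

# staple_status: read `openssl s_client -status` output on stdin and print
# stapled / responder-error / not-stapled / unknown. Exit 0 only when stapled.
staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful (0x0)"*) echo stapled; return 0 ;;
        *"OCSP Response Status:"*)                 echo responder-error; return 1 ;;
        *"OCSP response: no response sent"*)       echo not-stapled; return 2 ;;
        *)                                         echo unknown; return 3 ;;
    esac
}

# check_stapling HOST [PORT]: the same probe as in the question, made scriptable
# (needs network access; not exercised offline).
check_stapling() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | staple_status
}

# query_responder CERT ISSUER: ask the responder the LoadMaster is configured
# with, sending an explicit Host header. OpenSSL 1.1.0+ uses "-header name=value"
# (and sends Host on its own); OpenSSL 1.0.x needs "-header name value" instead.
# CERT and ISSUER are PEM file paths (assumed; adjust to your chain).
query_responder() {
    openssl ocsp -issuer "$2" -cert "$1" -no_nonce -resp_text \
        -url http://ocsp.int-x3.letsencrypt.org/ \
        -header Host=ocsp.int-x3.letsencrypt.org
}

# Constructed samples of the two outputs quoted in the question, for offline use.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_NONE='OCSP response: no response sent'

echo "nginx-style server: $(printf '%s\n' "$SAMPLE_STAPLED" | staple_status)"  # stapled
echo "LoadMaster as configured: $(printf '%s\n' "$SAMPLE_NONE" | staple_status)"  # not-stapled
```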


Schaeffer lela

To enable OCSP Stapling in Apache, use the SSLUseStapling directive. If the directive is enabled, mod_ssl will contain an OCSP request for the SSL certificate.



Fritz Kuhn

Certificates are always issued with a predefined expiration date that is included in the signed certificate itself, and browsers always check.



