Turn on OCSP Stapling to speed up HTTPS certificate verification and fix the slow first visit with a Let's Encrypt SSL certificate

  • 2021-09-12 02:38:49
  • OfStack

In the past few days my website developed a problem: it opened very slowly the first time, and after that pages opened at normal speed. After investigation it turned out to be an HTTPS certificate verification timeout, and the certificate vendor's verification URL could not be reached. I don't know whether it was a network line problem or the wall.

I asked several experts how to solve the HTTPS certificate verification timeout. The answers were either to change certificate provider or to enable OCSP.

A poor person like me cannot afford a big vendor's HTTPS certificate, so only the second option is left: enable OCSP.

If a site uses a free Let's Encrypt certificate, the first HTTPS visit can be slow, often taking around 45 seconds before the page opens normally. The reason is that, for well-known reasons, the OCSP responder ocsp.int-x3.letsencrypt.org cannot be resolved normally from some networks. Without stapling, each visitor's browser contacts that responder itself during the TLS handshake to check whether the certificate has been revoked; when the responder is unreachable the browser waits for its own timeout before giving up (most browsers then proceed anyway, a soft fail), and that wait is the delay you see on the first visit.

To improve the visitor experience, enable OCSP Stapling: the web server fetches the OCSP response from the responder itself, caches it, and sends it to the client inside the TLS handshake, so browsers no longer need to reach the responder at all.

Environment for this article:

Pagoda panel

CentOS 7 / Windows 2012 R2

Apache / Nginx

1. Enable OCSP Stapling on overseas servers

1. Configure Apache or Nginx

Apache: enable OCSP Stapling

① Find the Apache installation directory and edit httpd-ssl.conf under it. On CentOS the file is /www/server/apache/conf/extra/httpd-ssl.conf; on Windows it is C:/BtSoft/apache/conf/extra/httpd-ssl.conf. Uncomment the following two lines (the CentOS and Windows variants differ only in the cache path):

SSLUseStapling On

# CentOS:

SSLStaplingCache "shmcb:/www/server/apache/logs/ssl_stapling(32768)"

# Windows:

SSLStaplingCache "shmcb:C:/BtSoft/apache/logs/ssl_stapling(32768)"

If these lines are not present, add them. SSLStaplingCache is a server-wide setting and is only valid outside VirtualHost blocks; the number in parentheses is the size of the shared-memory cache in bytes.

② Edit httpd.conf (CentOS: /www/server/apache/conf/httpd.conf; Windows: C:/BtSoft/apache/conf/httpd.conf) and uncomment the following line, which loads the shared-memory cache backend that SSLStaplingCache uses:

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

If the line is not present, add it.

③ In the website's Apache configuration file, add the following:

SSLUseStapling On

# CentOS:

SSLStaplingCache "shmcb:/www/server/apache/logs/ssl_stapling(128000)"

# Windows:

SSLStaplingCache "shmcb:C:/BtSoft/apache/logs/ssl_stapling(128000)"

Put these lines above the <VirtualHost *:443> line, that is, outside the VirtualHost block. SSLStaplingCache is only accepted at server level and needs to be defined once, so if step ① already set it in httpd-ssl.conf you can omit it here and keep only SSLUseStapling On, which is also valid inside the VirtualHost.

Apache is now configured for OCSP Stapling. Check the configuration with apachectl -t and then restart Apache.

Nginx: enable OCSP Stapling

Add the following directives directly to the website's Nginx configuration, inside the server block that listens on 443:
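As an added example (not configuration from the original article), here are the Apache pieces from steps ① to ③ shown together, plus the stapling tuning directives a practitioner would set so that an unreachable responder cannot stall every handshake for mod_ssl's default 10-second responder timeout. The CentOS cache path follows the Pagoda layout above; the vhost file location, domain and certificate paths are assumptions.

```apache
# ---- httpd.conf: shared-memory cache backend used by SSLStaplingCache ----
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# ---- httpd-ssl.conf: server-wide, outside any <VirtualHost> ----
SSLUseStapling On
SSLStaplingCache "shmcb:/www/server/apache/logs/ssl_stapling(32768)"

# Fail fast if the responder is unreachable, instead of holding every
# handshake for the default 10 seconds while mod_ssl waits for it.
SSLStaplingResponderTimeout 5

# When the fetch fails, send no staple rather than an error response, so
# clients fall back to their normal behaviour. SSLStaplingFakeTryLater only
# matters when ReturnResponderErrors is on; it is disabled here as well.
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off

# Cache lifetime for good responses and for failures, in seconds
# (these are the mod_ssl defaults, written out so they are visible).
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600

# ---- site vhost file (assumed Pagoda layout and certificate paths) ----
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # fullchain.pem must contain the intermediate: mod_ssl needs the issuer
    # certificate to build the OCSP request and to verify the response.
    SSLCertificateFile    /www/server/panel/vhost/cert/example.com/fullchain.pem
    SSLCertificateKeyFile /www/server/panel/vhost/cert/example.com/privkey.pem
    SSLUseStapling On
</VirtualHost>
```

Apache does not allow a comment on the same line as a directive, which is why every comment above sits on its own line. On Windows replace the shmcb path with the C:/BtSoft/apache/logs/ssl_stapling path from step ①.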

server {
    listen 443;
    ......
    ssl_stapling on;          # enable stapling
    ssl_stapling_verify on;   # verify the OCSP response before stapling it
    ...
}

Save, check the configuration with nginx -t, and restart (or reload) Nginx. Two things the snippet above relies on: Nginx resolves the responder hostname with its own resolver directive (without one it logs a warning that no resolver is defined and sends no staple), and ssl_stapling_verify needs the issuer and root certificates to be available through ssl_trusted_certificate, otherwise the fetched response fails verification and is discarded.

2. Enable OCSP Stapling on domestic servers

After enabling OCSP Stapling, also edit the hosts file and pin an IP address for ocsp.int-x3.letsencrypt.org, so that the web server can reach the responder even when DNS cannot resolve the name. First confirm that this is the responder your certificate actually uses: openssl x509 -in fullchain.pem -noout -ocsp_uri prints the URL from the certificate's Authority Information Access extension, and certificates issued from Let's Encrypt's newer R3 intermediate point at r3.o.lencr.org instead, in which case a hosts entry for int-x3 does nothing.

Known IP addresses for ocsp.int-x3.letsencrypt.org are listed below. The name resolves to different addresses in different regions, and any pinned address can stop working when the operator changes it, so confirm that the one you pick answers (see section 3) and re-check it from time to time:
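As an added example (not from the original article), here is a complete Nginx server block with the two stapling directives above and the settings they depend on: a resolver, because Nginx looks the responder hostname up with its own DNS client, and ssl_trusted_certificate, because ssl_stapling_verify needs the issuer chain up to the root. The domain, certificate paths, the chain_with_root.pem file (the Let's Encrypt chain.pem with the root certificate appended) and the resolver addresses are assumptions.

```nginx
server {
    listen 443 ssl http2;
    server_name www.example.com;

    # fullchain.pem = leaf + intermediate. Nginx needs the intermediate to
    # build the OCSP request (issuer name and key hashes) for the leaf.
    ssl_certificate     /www/server/panel/vhost/cert/example.com/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/example.com/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    # Verification of the fetched response needs the full trust path
    # (intermediate plus root); fullchain.pem does not contain the root.
    ssl_trusted_certificate /www/server/panel/vhost/cert/example.com/chain_with_root.pem;

    # Nginx resolves the responder hostname from the certificate's AIA URL
    # with this resolver, which queries DNS directly and ignores /etc/hosts.
    # valid= caps how long an answer is reused; the timeout bounds the wait.
    resolver 223.5.5.5 119.29.29.29 valid=300s;
    resolver_timeout 5s;

    # To force a specific responder URL instead of the one in the certificate,
    # use the ssl_stapling_responder directive here.

    # ... the rest of the site configuration ...
}
```

After a reload the first handshake never carries a staple: Nginx fetches the response in the background after that first connection, so test twice.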

23.44.51.8 (USA)

23.44.51.27 (USA)

104.109.129.57 (UK)

104.109.129.11 (UK)

175.45.42.209 (Hong Kong)

175.45.42.218 (Hong Kong)

223.119.50.201 (Hong Kong)

223.119.50.203 (Hong Kong)

23.32.3.72 (Tokyo)

Edit the hosts file (Windows: C:\Windows\System32\drivers\etc\hosts; Linux: /etc/hosts) and add the following line, picking the address nearest to your server:

175.45.42.218 ocsp.int-x3.letsencrypt.org

Restart Apache or Nginx. Note that the hosts-file override only helps Apache, whose mod_ssl resolves the responder through the system resolver. Nginx looks the name up through its resolver directive, which sends DNS queries directly and ignores /etc/hosts; for Nginx, point resolver at a local DNS server such as dnsmasq, which does serve /etc/hosts entries.

3. Verify that OCSP Stapling is working

1. Run the following command over SSH, replacing www.example.com with your domain:

openssl s_client -connect www.example.com:443 -servername www.example.com -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

If the output shows OCSP response: no response sent, stapling is not working (for Nginx, run the command a second time: the first handshake after a restart never carries a staple, because Nginx only fetches the response after that handshake).

If OCSP Stapling is working, the output contains OCSP Response Status: successful (0x0).

2. Alternatively, open the following site and enter your domain to test it:

https://www.getssl.cn/ocsp
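The manual checks from sections 2 and 3 fit in one script, given here as an added example that is not part of the original article: it reads the responder URL from the certificate instead of assuming int-x3, resolves the responder host the way Apache does (hosts file first), queries the responder directly with openssl ocsp under a time limit, and classifies the s_client -status output. The domain and the fullchain.pem / chain.pem paths are placeholders; chain.pem is assumed to hold the issuing intermediate.

```shell
#!/bin/sh
# check_ocsp.sh: added example, not part of the original article.
# Automates the checks from sections 2 and 3: which responder the certificate
# really names, whether this host can resolve and reach it, and whether the
# TLS server staples a response. Domain and file paths are placeholders.

# Responder URL from the certificate's Authority Information Access extension.
# With fullchain.pem, openssl reads the first (leaf) certificate in the file.
# Usage: ocsp_uri_of fullchain.pem
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Host part of a URL: http://r3.o.lencr.org/ -> r3.o.lencr.org
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:].*$||'
}

# Classify `openssl s_client -status` output: stapled | none | unknown
classify_stapling() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Resolve through the system resolver (hosts file first, then DNS), which is
# the path Apache's mod_ssl uses; nginx's own resolver skips the hosts file.
resolve_check() {
    getent hosts "$1" || echo "unresolvable: $1"
}

# Query the responder directly with the same request the web server makes.
# Usage: responder_check fullchain.pem chain.pem   (chain.pem = issuer cert)
responder_check() {
    uri=$(ocsp_uri_of "$1")
    echo "responder named in certificate: $uri"
    resolve_check "$(url_host "$uri")"
    # timeout(1) from coreutils bounds the wait if the responder is blackholed.
    timeout 10 openssl ocsp -issuer "$2" -cert "$1" -url "$uri" -CAfile "$2" -resp_text 2>&1 \
        | grep -E 'OCSP Response Status|Cert Status|Next Update|Response [Vv]erify|[Ee]rror|refused|timed out'
}

# Check the live server. For nginx run it twice: the first handshake after a
# restart carries no staple because nginx fetches the response afterwards.
stapling_check() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" -status -tlsextdebug \
            </dev/null 2>&1)
    classify_stapling "$out"
}

main() {
    responder_check "$2" "$3"
    echo "stapling on $1: $(stapling_check "$1")"
}

# Only run when invoked with arguments, so the functions can also be sourced.
# Usage: ./check_ocsp.sh www.example.com fullchain.pem chain.pem
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it on the web server itself, so that the resolution step shows what the server (and not your workstation) sees; a "none" result from stapling_check together with a reachable responder usually means the server-side fetch is failing verification or timing out, which the web server's error log will show.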

If your HTTPS site is slow to open on the first visit, it is worth checking whether the certificate's OCSP lookup is the cause.


