[Please help] OCSP Stapling question

Hi All,

Just wanted to find out if anyone has got OCSP stapling working? I need to get this working for PCI compliance.

I have set it up before using Apache and Nginx but not with OLS.
The panel has been enabled at 7080 and I followed the LiteSpeed steps, however I am getting:

HttpFetch[0]::failed to create file /usr/local/lsws//tmp/ocspcache//R86fc2931712676a7a95307547dc6d06d.tmp: Permission denied.

Values I have in the SSL setting on the list

OCSP Stapling
Enable OCSP Stapling: Yes
OCSP Response Max Age (secs): 128000
OCSP Responder: http://ocsp.int-x3.letsencrypt.org/
OCSP CA Certificates:

I think the bottom path may be incorrect? It noted it will search the server for the cert if not entered, if I understand correctly.

Thanks in advance

I just tested.

I enabled it in the SSL listener, since I only added one site in there, set max-age to 43200 seconds (12 hours) and the URL same as you, and tested it out.

Did you change anything in the /usr/local/lsws/ folder? The error says permission issue.

Thanks for the reply,

I only have one site and did not change anything in the /usr/local/lsws/ folder, it is a standard CentOS 7 install…

The only thing I can think of now that may be the issue is I deleted the 1st site added and replaced it with another, however all the SSL certificates have been recreated.

I will spin up a test VPS and try on a fresh install.

The problem was a permission issue on /usr/local/lsws//tmp/ocspcache// and /usr/local/lsws//tmp/, and the /usr/local/lsws//autoupdate folder also had a permission error.

Just set the permissions to 1777 and no errors. Must be the CentOS version Vultr use, as I never had the issue before when testing Ubuntu.

Tested the PCI Compliance SSL test here and get A+: https://www.htbridge.com/ssl/
The only error is in Industry Best-Practices Analysis, which notes HTTP does not redirect to HTTPS, but it does; I have added .htaccess codes and still the same.

I think this issue happens when the server's running user/group is changed.
How did you install it? And did you make any changes?

Yes. I saw this bug in my code. Also, for the RPM users, we will update the script to make sure the permission is correct.
Right now, can you just run this command in the terminal to fix the issue?

cd /usr/local/lsws
chown -R nobody:nogroup autoupdate/ tmp/
chmod -R 755 autoupdate/ tmp/

Hi, I still got the same errors running the latest CyberPanel.
But when I run the command you suggest I get:
chown: invalid group: ‘nobody:nogroup’

Try this code, it should fix this error:

cd /usr/local/lsws//tmp/
chown -R nobody:nobody ocspcache
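
The following is an added example, not part of the thread and not CyberPanel's or OpenLiteSpeed's own script. It checks the three directories named above for the two conditions the thread ran into (wrong owner, world-writable 1777) and looks up the server user's primary group instead of hard-coding nobody or nogroup. The function names are hypothetical, and it assumes the server runs as user nobody, as the chown commands above imply.

```shell
#!/bin/sh
# Added example: audit and repair ownership of the OpenLiteSpeed runtime
# directories named in the thread. Function names are hypothetical.
# Assumes GNU/busybox stat and that the server runs as user "nobody".

# Primary group of a user: "nobody" on CentOS, "nogroup" on Ubuntu/Debian.
primary_group() {
    id -gn "$1"
}

# Classify a directory as: missing | wrong-owner | world-writable | ok
audit_dir() {
    dir=$1; want_user=$2
    [ -d "$dir" ] || { echo missing; return 0; }
    owner=$(stat -c %U "$dir")
    mode=$(stat -c %a "$dir")
    if [ "$owner" != "$want_user" ]; then echo wrong-owner; return 0; fi
    other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    case $other in
        2|3|6|7) echo world-writable ;;   # write bit set for everyone
        *)       echo ok ;;
    esac
}

# Hand a tree to the server user with its real primary group and remove
# group/other write access instead of opening it up with 1777.
repair_dir() {
    dir=$1; user=$2
    group=$(primary_group "$user") || return 1
    chown -R "$user:$group" "$dir" && chmod -R u+rwX,go-w "$dir"
}

# Report on the three directories from the thread (prints "missing" elsewhere).
LSWS_ROOT=${LSWS_ROOT:-/usr/local/lsws}
for d in tmp tmp/ocspcache autoupdate; do
    echo "$LSWS_ROOT/$d: $(audit_dir "$LSWS_ROOT/$d" nobody)"
done
```

Run as root, `repair_dir /usr/local/lsws/tmp nobody` fixes any directory reported as wrong-owner or world-writable.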