
[lvs-users] LVS and OCSP Stapling

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [lvs-users] LVS and OCSP Stapling
From: Brian Adams <brian@xxxxxxxxxxxxxxxx>
Date: Thu, 14 Apr 2016 17:30:05 -0400
I've been searching and trying things all day and can't seem to get OCSP
stapling working on my web server farm.

I don't believe it is a firewall issue, as I've taken it out of the
equation and still encounter the same issue. I've also tested this on a
machine not behind the load balancer and it seems to work (I get a response
from openssl s_client, though the online ssl testers still show stapling as
not working).

I am using nginx on several web servers fronted with LVS NAT. LVS is
listening on both 80 and 443 so that it can redirect the requests back to
nginx.

I have the appropriate settings/files on all of the web servers, but am
getting a timeout when testing it (I've tried several variations of this
command):

openssl s_client -connect mydomain.com:443 -tls1  -tlsextdebug  -status

and I get:

Socket: Connection timed out
connect:errno=110

I also cannot telnet to mydomain on either 80 or 443. So I suspect at
this point that the LVS server is the culprit. Is there a way to either set
up a cert on that machine or configure it to pass back to the web servers
to handle the OCSP/openssl requests?


Thanks,
Brian
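
An added example, not part of the original post: a shell function that classifies `openssl s_client -status` output, separating a TCP connect failure such as the errno=110 shown above from a TLS handshake that completed with or without a stapled OCSP response. The function name and the three sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. The sample outputs below are constructed, not captured from a real server.

# classify_stapling: reads `openssl s_client -status` output on stdin and prints
#   connect_failed errno=N   TCP connect never completed; stapling was not tested
#   stapled cert_status=S    handshake carried a stapled OCSP response
#   not_stapled              handshake completed, server sent no OCSP response
#   unknown                  none of the expected markers were found
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"connect:errno="*)
            errno=$(printf '%s\n' "$out" |
                sed -n 's/.*connect:errno=\([0-9][0-9]*\).*/\1/p' | head -n 1)
            echo "connect_failed errno=$errno" ;;
        *"OCSP Response Status: successful"*)
            status=$(printf '%s\n' "$out" |
                sed -n 's/^ *Cert Status: *//p' | head -n 1)
            echo "stapled cert_status=${status:-missing}" ;;
        *"OCSP response: no response sent"*)
            echo "not_stapled" ;;
        *)
            echo "unknown" ;;
    esac
}

# Constructed sample: the failure quoted in the post.
SAMPLE_TIMEOUT='Socket: Connection timed out
connect:errno=110'

# Constructed sample: handshake completed, no staple sent.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Constructed sample: handshake completed with a stapled response.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
---'

for s in "$SAMPLE_TIMEOUT" "$SAMPLE_NO_STAPLE" "$SAMPLE_STAPLED"; do
    printf '%s\n' "$s" | classify_stapling
done
```

Against a live server, pipe `openssl s_client -connect HOST:443 -status </dev/null 2>&1` into the function, where HOST is a placeholder.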