[lvs-users] LVS and OCSP Stapling

Brian Adams brian at songmeanings.com
Thu Apr 14 22:30:05 BST 2016


I've been searching and trying things all day and can't seem to get OCSP
stapling working on my web server farm.

I don't believe it is a firewall issue, as I've taken it out of the
equation and still encounter the same issue. I've also tested this on a
machine not behind the load balancer and it seems to work (I get a response
from openssl s_client, though the online ssl testers still show stapling as
not working).

I am using nginx on several web servers fronted with LVS NAT. LVS is
listening on both 80 and 443 so that it can redirect the requests back to
nginx.

I have the appropriate settings/files on all of the web servers, but am
getting a timeout when testing it (I've tried several variations of this
command):

openssl s_client -connect mydomain.com:443 -tls1  -tlsextdebug  -status

and I get:

Socket: Connection timed out
connect:errno=110

I also cannot telnet to mydomain on either 80 or 443. So I'm suspecting at
this point that the LVS server is the culprit. Is there a way to either set
up a cert on that machine or configure it to pass back to the web servers
to handle the OCSP/openssl requests?


Thanks,
Brian
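As an added diagnostic (not part of Brian's post), a small shell script that separates the two failure modes described above: a TCP connect failure at the VIP (the errno=110 case, pointing at the director) versus a backend that completes TLS but sends no OCSP staple (pointing at nginx or its path to the OCSP responder). The addresses are placeholders and the `timeout` wrapper is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the output of
# `openssl s_client -connect HOST:443 -status` so a director problem
# (no TCP connection at all) is told apart from a real server that
# answers TLS but staples nothing.

# Classify captured s_client output passed on stdin.
# Prints one of: connect-failed, stapled, no-staple, no-tls
classify_sclient() {
  out=$(cat)
  case "$out" in
    *"connect:errno="*|*"Connection timed out"*|*"Connection refused"*)
      echo connect-failed ;;          # never reached a listener: look at LVS/NAT
    *"OCSP Response Status: successful"*)
      echo stapled ;;                 # backend stapled a good response
    *"OCSP response: no response sent"*)
      echo no-staple ;;               # TLS fine, nginx sent no staple
    *"Server certificate"*)
      echo no-staple ;;               # handshake done, no OCSP block at all
    *)
      echo no-tls ;;                  # connected but no TLS handshake output
  esac
}

# Probe one address with the SNI name the backends expect; the 10 s cap
# keeps a black-holed port from hanging the loop.
probe() {
  addr=$1; sni=$2
  printf '%s: ' "$addr"
  timeout 10 openssl s_client -connect "$addr:443" -servername "$sni" -status \
    </dev/null 2>&1 | classify_sclient
}

# Usage (placeholder addresses): run from a host that can reach both the
# VIP and the real servers, and compare the verdicts.
#   probe 203.0.113.10 mydomain.com   # the LVS VIP
#   probe 10.0.0.11    mydomain.com   # each real server behind it
```

If the VIP reports connect-failed while every real server reports stapled, the director is not forwarding 443; if the real servers themselves report no-staple, the nginx stapling configuration or the real servers' outbound path to the OCSP responder is the thing to check.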