Bug 58826

Summary: OCSP Stapling does not resolve DNS
Product: Apache httpd-2
Reporter: Paul <paul.necsoiu>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: critical
CC: cbarbara, not.waf, szg0000, toscano.luca
Priority: P2
Version: 2.4.18
Target Milestone: ---
Hardware: PC
OS: Linux

Description Paul 2016-01-08 15:01:37 UTC
I have configured an OCSP responder with OpenSSL 1.0.2d for testing purposes.
In Apache 2.4.18 I have the following configuration:

SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
SSLStaplingStandardCacheTimeout 60
#SSLStaplingForceURL http://cafe.ro

And in the /etc/hosts file I have:       localhost cafe.ro

When the OCSP URL is set to Apache sends OCSP Request messages, so everything seems to be OK.

The problem is that when the OCSP URL is set to http://cafe.ro Apache does not send OCSP Requests anymore so I assume that it doesn't resolve DNS.

Does anybody know what the problem is?

These errors are from the Apache error.log:

[ssl:error] [pid 12647:tid 139684667709184] (111)Connection refused: [client] AH01974: could not connect to OCSP responder 'cafe.ro'
[ssl:error] [pid 12647:tid 139684667709184] AH01941: stapling_renew_response: responder error

Comment 1 Luca Toscano 2017-05-08 17:28:48 UTC
Hi Paul,

Sorry for the delay. If you still haven't resolved the issue, can you try setting the loglevel to debug (https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) to see the result of this log?

    /* establish a connection to the OCSP responder */
    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
                  "connecting to %s '%s'",
                  proxy_uri ? "proxy" : "OCSP responder",

As far as I can see the cafe.ro should be resolved, and in case of failure you should have found an error like the following in your logs:

    if (rv) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
                      "could not resolve address of %s %s",
                      proxy_uri ? "proxy" : "OCSP responder",
        return NULL;

Are you sure that cafe.ro is correctly resolving to on your system?
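
The distinction discussed in this thread (AH01972 for a failed address lookup versus AH01974 for a failed connection) can be checked mechanically against an error.log. The following is an added example, not part of the bug report or of httpd; the function names and the AH01972 sample line are constructed for illustration.

```python
import re

# AH codes quoted in this bug thread, mapped to the stage that logs them.
STAGES = {
    "AH01972": "resolve",  # could not resolve address of ...
    "AH01974": "connect",  # could not connect to OCSP responder ...
    "AH01941": "renew",    # stapling_renew_response: responder error
}

LINE_RE = re.compile(
    r"\[ssl:(?P<level>\w+)\]\s+\[pid (?P<pid>\d+):tid (?P<tid>\d+)\]\s+"
    r"(?:\((?P<errno>[^)]+)\)(?P<errstr>[^:]+):\s+)?"   # optional OS error
    r"(?:\[client[^\]]*\]\s+)?"                          # optional client field
    r"(?P<code>AH\d{5}):\s+(?P<msg>.*)"
)

def parse_line(line):
    """Parse one mod_ssl error.log line into a dict, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["stage"] = STAGES.get(rec["code"], "other")
    quoted = re.search(r"'([^']+)'\s*$", rec["msg"])
    if quoted:                                # AH01974 quotes the host
        rec["responder"] = quoted.group(1)
    elif rec["stage"] == "resolve":           # AH01972 ends with the bare host
        rec["responder"] = rec["msg"].split()[-1]
    else:
        rec["responder"] = None
    return rec

def diagnose(lines):
    """Return (stage, responder, os_error) for the earliest failing stage."""
    recs = [r for r in map(parse_line, lines) if r]
    for stage in ("resolve", "connect"):      # lookup happens before connect
        for r in recs:
            if r["stage"] == stage:
                return stage, r["responder"], r["errstr"]
    if any(r["stage"] == "renew" for r in recs):
        return "renew", None, None
    return None, None, None

# The two error.log lines from the report above.
REPORTED = [
    "[ssl:error] [pid 12647:tid 139684667709184] (111)Connection refused: [client] AH01974: could not connect to OCSP responder 'cafe.ro'",
    "[ssl:error] [pid 12647:tid 139684667709184] AH01941: stapling_renew_response: responder error",
]
# Constructed sample of a lookup failure (not from the report).
CONSTRUCTED = ["[ssl:error] [pid 100:tid 200] (EAI 2)Name or service not known: [client 192.0.2.10:50000] AH01972: could not resolve address of OCSP responder ocsp.example.test"]
```

Calling `diagnose(REPORTED)` returns the `connect` stage with `Connection refused`: the failure was logged by the connection attempt, and no AH01972 lookup error is present.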