Sec_error_ocsp_old_response on reverse proxy

wlnirvana · July 26, 2020, 2:36am

1. Caddy version (`caddy version`):

$ caddy version
v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

My caddy is run as a systemd service, serving a static directory on one domain and reverse proxying to a backend passenger ruby container (with nginx and RoR included) on a subdomain.

a. System environment:

Linux adalab 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

b. Command:

$ ps aux | grep caddy
benben    4126  0.0  0.0  15492  1044 pts/3    S+   10:26   0:00 grep --color=auto caddy
caddy    30275  0.0  1.0 739712 42256 ?        Ssl  Jul08   1:52 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

foobar.com {

        # static pages
        file_server
        root * /home/foobar/webroot/

}

subdomain.foobar.com {
        reverse_proxy localhost:8080

        # logging
        log {
                output file /var/log/caddy.log
        }
}

3. The problem I’m having:

foobar.com works just fine, but visiting subdomain.foobar.com from FireFox generates a sec_error_ocsp_old_response error.

4. Error messages and/or full log output:

No error in the log.

5. What I already tried:

switching to another browser resolves the problem
disabling OCSP in FireFox resolves the problem
access to foobar.com works fine

matt · July 26, 2020, 3:10am

My guess would be as good as yours at this point. What are the full logs, and how can I experience/reproduce this behavior? If you post the actual site that has the problem, that will help.

Also how’s your system clock?

wlnirvana · July 26, 2020, 6:13am

I just restarted caddy and the problem disappeared.

By the way, I happened to find that my /var/log/caddy.log has not been updated for almost two weeks since I upgraded to v2.1.1 because my previous old version did not support the log config syntax.

Is there anything wrong with my config now? Even after the restart, the log file is still not updated at all.

francislavoie · July 26, 2020, 6:31am

The caddy user might not have permissions to write to your log file?

wlnirvana · August 12, 2020, 10:14am

UPDATE:

I happened to see [WARNING] Stapling OCSP: no OCSP stapling for [my.site.com]: making OCSP request: Post "http://ocsp.int-x3.letsencrypt.org": dial tcp 66.220.149.18:80: i/o timeout in the caddy log today, and realized that the OCSP stapling sometimes just fails on my server.

This may well be a firewall issue.

wlnirvana · August 12, 2020, 10:18am

Yeah I believe you are right. When testing the config file I guess I run caddy as root and the log file was created as root owner as well. That’s why later on when caddy was run using systemd services (as user caddy), no more logs could be appended to that file.

I chowned and now it works perfectly.

system · August 25, 2020, 2:36am

This topic was automatically closed after 30 days. New replies are no longer allowed.