apache ssl: Do not pass OCSP stapling failures to client

Do not pass OCSP stapling failures to client.
CA's OCSP servers occionally fail, propagating an error is undesireable and causes Firefox and other clients by default to reject the connection.

diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 1e9ea31da62dc532d9e523f56d5376667ed86a44..07f007c50d3951359f5129f9babbccee22a586a8 100644 (file)
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -9,5 +9,6 @@ SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem
 <% if node[:lsb][:release].to_f >= 14.04 -%>
 
 SSLUseStapling On
 <% if node[:lsb][:release].to_f >= 14.04 -%>
 
 SSLUseStapling On

+SSLStaplingReturnResponderErrors off

 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
 <% end -%>
 SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocspcache(512000)
 <% end -%>