Cloudflare does not support OCSP stapling?


My domain's result at one of the testing sites shows that my domain does not support OCSP stapling.
Domain Registrar: Cloudflare.
Using an Advanced SSL certificate from Cloudflare.

Please suggest what I should do.

$ echo QUIT | openssl s_client -connect -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

No Result

I’ve asked CF tech support and it’s apparent that there can be delays between OCSP response expiry and the CF OCSP staple response pre-fetcher being able to cache and pre-fetch the OCSP response. So you can have intervals where CF-protected domains alternate between having an OCSP response and not.

Can you please tell me this in simple language? I did not get any of it.

Cloudflare has an OCSP prefetcher service which actively caches OCSP responses for CF customers’ domains instead of relying on the web server responding to OCSP requests to cache the OCSP response. However, CF has a delay between when an OCSP response expires for a domain and when it re-fetches/prefetches a new, up-to-date OCSP response for your domain. During that delay, your domain won’t serve an OCSP response until the CF OCSP prefetcher service caches a new OCSP response.

So what is the time frame for the new cache?

No idea about the OCSP prefetcher delay.

I was using the Cloudflare Advanced SSL certificate for 10+ days. It was showing OCSP not working. I thought DigiCert would have a different setting, so I removed Let's Encrypt and installed DigiCert. But now DigiCert is also not showing OCSP stapling.

What would be your best guess for the time frame?

No idea; best to submit a ticket with Cloudflare support and ask them for a more accurate time frame.

I did, but these days the average reply time is more than 1 week.

I think they do not read their own articles.

Now how can I solve this issue?

Still no OCSP stapling on my domain. I don’t think they have enabled it for my domain. (Not even for Universal SSL.)

What is the best way to get this done?

Is OCSP stapling not working because I am using Cloudflare Registrar?

Your registrar choice has nothing to do with OCSP stapling.

At this point there isn’t anything you can do.

@thedaveCA @eva2000
Still waiting for OCSP prefetcher.

Both @thedaveCA and I aren’t CF employees, so we wouldn’t be in a position to do anything beyond suggesting you update your ticket, but given the reply you previously got, it looks like OCSP stapling support is spotty right now.


But if I register a new domain on a Cloudflare free account today, that domain will have OCSP. Why not my domain?

I’m only guessing it’s due to where in the queue the domain is for OCSP pre-fetching by CF. OCSP pre-fetched cached responses are usually only valid for 3-5 days and need pre-fetching again, and then the subsequent pre-fetch would have to go into some form of queue. CF has 26+ million sites, so that is quite a lot of domains for a queue, I suppose.

Again, best to direct that question to CF staff via a support ticket for a more accurate answer :slight_smile:
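A way to check this yourself, as an added example that is not part of this thread and not Cloudflare's tooling: a Python script that wraps the same `openssl s_client -status` command quoted earlier in the thread and parses what the server staples. It checks the things a testing site checks (a response was stapled at all, its status is "good", and the current time falls inside the This Update / Next Update window that the 3-5 day validity above refers to) and, because the replies above describe stapling that comes and goes while the pre-fetcher re-caches, it takes several samples so an intermittent staple shows up as a mix of stapled and unstapled probes rather than a single misleading pass or fail. The hostname is given on the command line; the two sample outputs embedded in the script are constructed to match the shape of openssl's output and were not captured from any real domain.

```python
"""Probe a TLS server for a stapled OCSP response, check the staple is
currently valid, and repeat so intermittent stapling becomes visible.
Illustrative script written for this thread; not Cloudflare's code."""
import re
import subprocess
import sys
import time
from datetime import datetime, timezone

# Timestamp format openssl prints in the "This Update" / "Next Update" lines.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def fetch_status_output(host, port=443, timeout=10):
    """Run `openssl s_client -status` (asks the server to staple an OCSP
    response) and return everything it printed. Needs the openssl binary and
    network access; the parsing functions below do not."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"QUIT\n", capture_output=True,
                          timeout=timeout)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


def _field(output, name):
    """Text after 'name:' on its line, or None when that line is absent."""
    m = re.search(rf"{re.escape(name)}:\s*(.+)", output)
    return m.group(1).strip() if m else None


def _parse_time(text):
    return datetime.strptime(text, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_staple(output, now=None):
    """Interpret s_client output. Returns None when nothing was stapled
    ("OCSP response: no response sent"); otherwise a dict of the OCSP fields
    plus 'valid', True only for a successful 'good' response whose validity
    window contains `now` (default: the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    if "OCSP Response Status" not in output:
        return None
    status = _field(output, "OCSP Response Status") or ""
    cert_status = _field(output, "Cert Status") or ""
    this_update = _field(output, "This Update")
    next_update = _field(output, "Next Update")
    this_dt = _parse_time(this_update) if this_update else None
    next_dt = _parse_time(next_update) if next_update else None
    started = this_dt is not None and this_dt <= now
    # A response without Next Update states no expiry (RFC 6960), so only an
    # explicit Next Update in the past marks the staple as expired.
    expired = next_dt is not None and now > next_dt
    valid = status.startswith("successful") and cert_status == "good" \
        and started and not expired
    return {
        "status": status,
        "cert_status": cert_status,
        "this_update": this_dt,
        "next_update": next_dt,
        "valid": valid,
        "seconds_remaining": (next_dt - now).total_seconds() if next_dt else None,
    }


def summarize(samples):
    """Count how many probe samples carried a currently valid staple.
    A mix of stapled and unstapled samples is the intermittent behaviour
    the thread describes while the pre-fetcher re-caches."""
    total = len(samples)
    stapled = sum(1 for s in samples if s is not None)
    valid = sum(1 for s in samples if s is not None and s["valid"])
    return {"probes": total, "stapled": stapled, "valid": valid,
            "intermittent": 0 < stapled < total}


def probe(host, attempts=5, interval=2.0, port=443):
    """Take `attempts` samples spaced `interval` seconds apart and summarize."""
    samples = []
    for i in range(attempts):
        samples.append(parse_staple(fetch_status_output(host, port)))
        if i + 1 < attempts:
            time.sleep(interval)
    return summarize(samples)


# Constructed sample outputs in the shape openssl prints (not from a real host).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jun  5 12:00:00 2023 GMT
    Next Update: Jun 12 11:59:59 2023 GMT
======================================
"""
SAMPLE_NONE = "OCSP response: no response sent\n"
# Reference times for exercising the sample above offline (also constructed).
EXAMPLE_NOW = datetime(2023, 6, 8, tzinfo=timezone.utc)      # inside the window
EXAMPLE_LATER = datetime(2023, 6, 13, tzinfo=timezone.utc)   # after Next Update

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python ocsp_staple_check.py <hostname>")
    print(probe(sys.argv[1]))
```

Run it against a hostname and read the summary: `stapled` equal to `probes` with `valid` equal to `probes` is what a testing site would report as a pass; `intermittent: True` means the domain is in the gap between staple expiry and the next pre-fetch, so a single-shot test will disagree with itself from one run to the next. Note that `openssl s_client` reports only what the edge it happened to connect to stapled, so results can differ between Cloudflare points of presence as well as over time.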