Symptoms
Sites that use AutoSSL or other SSL certificates may take an excessively long time to load or time out, and entries similar to the following will appear in the Apache error log.
Network is unreachable: could not connect to OCSP responder 'ocsp.comodoca.com'
Description
OCSP (Online Certificate Status Protocol) ensures that the current status of a given SSL certificate is always communicated to the web server and the client's browser. The protocol reports whether a certificate has been revoked, so the browser knows to refuse the connection. Traditionally the requesting browser makes these checks with the OCSP provider itself, which extends the time a full SSL/TLS handshake takes and, as a result, makes HTTPS connections slower.
cPanel's Apache installation, by default, implements a technology known as 'OCSP Stapling,' which functions as a type of caching for the OCSP status. Essentially, after making the first OCSP connection, the server "staples" the status to the SSL/TLS handshake from its end, which removes a significant amount of work from the connecting browser and makes HTTPS connections faster.
The above error appears when OCSP Stapling fails because the host server could not connect to the certificate authority's OCSP server. This can happen for a variety of reasons. Common ones include DNS caching causing your server to try connecting to the wrong IP address, network issues preventing your server from reaching the OCSP server, or the certificate authority experiencing service issues.
Many certificate authorities rotate and change the IP addresses where their OCSP server is hosted fairly frequently. This can result in your server trying to reach an old IP address for the responder, which may fail. This can be verified by checking what your server resolves the OCSP server to versus what a common public DNS resolver returns.
The most common reason for sites reporting OCSP errors is network errors. Often, as a result of datacenter blocks, server firewalls, or other network interference, the server is unable to connect to the necessary OCSP server. This can most reliably be verified by simply trying to ping (ping6 for servers with IPv6 configured) the OCSP server named in your error.
Infrequently, certificate authorities may have service downtime with their OCSP responder servers. Certificate authorities, such as Sectigo, offer ways to check their service status and will announce if they're experiencing OCSP issues. If there are systemic issues with the OCSP responder servers, there will likely be a notice on their status page and, ideally, a projected ETA for service to be restored.
Workaround
DNS caching causes your server to try connecting to the wrong IP address
Check whether your server's resolvers return a different A record for the OCSP server than a public resolver, such as Google's resolver 8.8.8.8, does.
# dig A +short ocsp.comodoca.com
ocsp.comodoca.com.edgesuite.net.
a652.dscb.akamai.net.
58.27.86.11
58.27.86.48
# dig A +short ocsp.comodoca.com @8.8.8.8
ocsp.comodoca.com.edgesuite.net.
a652.dscb.akamai.net.
203.106.85.42
203.106.85.66
If you get a different response from the public DNS resolver than from your server, it's very likely your DNS resolvers are serving cached information and haven't picked up the new IP addresses. This is often addressed by waiting until your server's DNS resolvers refresh their cached records. Alternatively, you can add the public resolver to your server's resolvers.
How to edit your server's resolver configuration via WHM or SSH
Network issues prevent your server from reaching the OCSP server
If you don't receive a response from the OCSP server from the ping/ping6 test, there's likely a network block at play. You should reach out to your datacenter, hosting provider, or server administrator to look into the network routing and determine why your server cannot reach the OCSP server.
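The two checks above (comparing what the server's resolvers and a public resolver return for the responder, and testing whether the responder is reachable) can be run together with the following helper script. It is an added example, not part of the cPanel article or product; it assumes the Apache error log is at /etc/apache2/logs/error_log (override with ERROR_LOG), that dig and curl are installed, and it tests reachability over HTTP on port 80, the path Apache actually uses for OCSP, rather than with ICMP ping.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the cPanel article. Assumes the Apache
# error log is at /etc/apache2/logs/error_log and that dig and curl exist.
ERROR_LOG="${ERROR_LOG:-/etc/apache2/logs/error_log}"
PUBLIC_RESOLVER="${PUBLIC_RESOLVER:-8.8.8.8}"

# Count the responder hosts named in "could not connect to OCSP responder
# 'host'" log entries; prints "<count> <host>", most frequent first.
failed_responders() {
    sed -n "s/.*could not connect to OCSP responder '\([^']*\)'.*/\1/p" "$1" |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Keep only the IPv4 addresses from a dig +short answer (the CNAME chain that
# Akamai-hosted responders return is dropped), sorted so sets can be compared.
only_ipv4() { grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort; }

# A records for $1 from the server's resolvers, or from resolver $2 if given.
a_records() { dig A +short "$1" ${2:+@$2} | only_ipv4; }

# Exit 0 when the server's resolvers and the public resolver return the same
# address set for the responder, 1 when they differ (stale cache suspected).
compare_resolvers() {
    local_ips=$(a_records "$1" | tr '\n' ' ')
    public_ips=$(a_records "$1" "$PUBLIC_RESOLVER" | tr '\n' ' ')
    if [ "$local_ips" = "$public_ips" ]; then
        echo "$1: server and $PUBLIC_RESOLVER agree: $local_ips"
        return 0
    fi
    echo "$1: MISMATCH  server resolvers: $local_ips  $PUBLIC_RESOLVER: $public_ips"
    return 1
}

main() {
    failed_responders "$ERROR_LOG" | while read -r count host; do
        echo "== $host ($count failures logged)"
        compare_resolvers "$host" || true
        # Test the path Apache actually uses (HTTP on port 80) rather than ICMP
        # ping, so a firewall that blocks only ICMP does not give a false pass.
        if curl -sS -o /dev/null -m 10 "http://$host/"; then
            echo "$host: reachable over HTTP"
        else
            echo "$host: HTTP connection failed (network block?)"
        fi
    done
}

# Run the checks with: sh ocsp_check.sh run
case "${1:-}" in run) main ;; esac
```

A MISMATCH line points at the DNS caching cause from the previous section; an HTTP connection failure with matching addresses points at the network block described here.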
As a temporary workaround, OCSP stapling can be disabled in WHM.
- Log into WHM as the 'root' user.
- Navigate to "Home » Service Configuration » Apache Configuration » Global Configuration."
- Turn off the "SSL Use Stapling" setting.
- Click the "Save" button at the bottom of the page.
Please note, we recommend keeping OCSP Stapling enabled whenever possible, as this improves the security of your HTTPS connections and improves site load speeds by optimizing the SSL/TLS Handshake.
Certificate authority may be experiencing service issues
If the certificate authority has service downtime with their OCSP responder servers, you can wait for the OCSP responder servers to come back up or temporarily disable OCSP stapling on your server.
- Log into WHM as the 'root' user.
- Navigate to "Home » Service Configuration » Apache Configuration » Global Configuration."
- Turn off the "SSL Use Stapling" setting.
- Click the "Save" button at the bottom of the page.
Please note, we recommend keeping OCSP Stapling enabled whenever possible, as this improves the security of your HTTPS connections and improves site load speeds by optimizing the SSL/TLS Handshake.