Skip to main content

You may have noticed our Login page looks different. We're currently improving our systems to provide you with a new more unified login experience.

OCSP responder errors

Saxon Clay
  • Updated

Symptoms

Sites using AutoSSL or other SSL certificates may take an excessively long time to load or time out and entries similar to the following will be present in the Apache error log.

Network is unreachable: could not connect to OCSP responder 'ocsp.comodoca.com'

 

Description

OCSP (Online Certificate Status Protocol) ensures that the current status of a given SSL certificate is always communicated to the web server and the client's browser. This protocol provides updates on if a certificate has been revoked, so the browser knows to refuse the connection. Traditionally the requesting browser makes these checks with the OCSP provider, which extends the time a full SSL/TLS handshake takes and, as a result, makes HTTPS connections longer.

cPanel's Apache installation, by default, implements a technology known as 'OCSP Stapling,' which functions as a type of caching for the OCSP status. Essentially after making the first OCSP connection, the status is "stapled" to the SSL/TLS handshake from the server end, which reduces a significant load on the connecting browser and makes HTTPS connections faster.

The above error comes into play when OCSP Stapling fails because the host server couldn't connect to the certificate authority's OCSP server. This can happen for a variety of reasons. Common reasons include DNS caching causing your server to try connecting to the wrong Ip address, network issues preventing your server from reaching the OSCP server, or the certificate authority may be experiencing service issues.

Many certificate authorities tend to rotate and change the IP addresses where their OCSP server is hosted fairly frequently. This can result in servers trying to access an old IP address for the server, which may fail. This can be verified by checking what your server resolves the OCSP server to versus what a common public DNS resolver resolves.

The most common reason for sites reporting OSCP errors is network errors. Often, as a result of datacenter blocks, server firewalls, or other network interferences, the server is unable to connect to the necessary OCSP server. This can most reliably be verified by simply trying to ping (ping6 for servers with IPv6 configured) the OCSP server in your error.

Infrequently, certificate authorities may have service downtime with their OCSP responder servers. Certificate authorities, such as Sectigo, offer ways to check their service status and will announce if they're experiencing OCSP issues. If there are systemic issues with the OCSP responder servers, there will likely be a notice on their status page and, ideally, a projected ETA for service to be restored.

 

Workaround

DNS Caching causes your server to try connecting to the wrong IP address

Verify that your server's resolvers show a different A record for the OSCP server than another public resolver, such as Google's resolver 8.8.8.8.

# dig A +short ocsp.comodoca.com
ocsp.comodoca.com.edgesuite.net.
a652.dscb.akamai.net.
58.27.86.11
58.27.86.48

# dig A +short ocsp.comodoca.com @8.8.8.8
ocsp.comodoca.com.edgesuite.net.
a652.dscb.akamai.net.
203.106.85.42
203.106.85.66

If you get a different response from the public DNS resolver versus your server, it's very likely your DNS resolves are using cached information and haven't updated the new IP addresses. This is often addressed by waiting until your server's DNS resolvers refresh their cached IP information. Alternatively, you can add the public resolver to your server's resolvers.

How to edit your server's resolver configuration via WHM or SSH

 

Network issues prevent your server from reaching the OCSP server

If you don't receive a response from the OSCP server from the ping/ping6 test, there's likely a network block at play. You should reach out to your datacenter, hosting provider, or server administrator to look into the network routing and determine why your server cannot reach the OCSP server.

As a temporary workaround, OSCP stapling can be disabled in WHM.

  1. Log into WHM as the 'root' user.
  2. Navigate to "Home » Service Configuration » Apache Configuration » Global Configuration."
  3. Turn off the "SSL Use Stapling" setting.
  4. Click the "Save" button at the bottom of the page.

Please note, we recommend keeping OCSP Stapling enabled whenever possible, as this improves the security of your HTTPS connections and improves site load speeds by optimizing the SSL/TLS Handshake.

 

Certificate Authority may be experiencing service issues.

If the certificate authority has service downtime with their OCSP responder servers, you can wait for the OSCP responder servers to come back up or temporarily disable OSCP stapling on your server.

  1. Login to WHM as the 'root' user.
  2. Navigate to "Home » Service Configuration » Apache Configuration » Global Configuration."
  3. Turn off the "SSL Use Stapling" setting.
  4. Click the "Save" button at the bottom of the page.

Please note, we recommend keeping OCSP Stapling enabled whenever possible, as this improves the security in your HTTPS connections and improves site load speeds by optimizing the SSL/TLS Handshake.

Related articles