
Any problem with ocsp.comodoca.com ssl?

  • garconcn
    I found some https sites are slow at "performing a TLS handshake to domain.com", sometimes the site times out.
  • KazeDesu
    I am having the same issue, I contacted Comodo, and their response: "Sorry for the inconvenience! We are experiencing an issue with OCSP responder, please do allow some time to get it resolved. The issue has been escalated already and our team is working on this."
  • cPanelLauren
    Hello, We are aware of the issue with Comodo as well and we're currently tracking it as part of an internal case CPANEL-19612. We'll update this thread with more information as soon as it becomes available. You can work around this issue by temporarily disabling SSL Stapling in Apache. This will cause client browsers to perform the OCSP check instead of waiting on your server to perform the check. The quickest way to do this is to:

    1) Navigate to WHM -> Service Configuration -> Apache Configuration -> Include Editor.
    2) Under "Pre Virtualhost Includes" set the drop-down to "All Versions"
    3) In the text box, enter the following: SSLUseStapling off
    4) Click "Update" to save the changes, and then restart Apache.

    Alternatively, if you wish to do this via the command line, the following can be run:

    For EA4:

        echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd

    For EA3:

        echo "SSLUseStapling off" >> /usr/local/apache/conf/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd

    Once this issue has been resolved, we recommend removing this workaround. Thank you,
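An idempotent form of the command-line workaround in the post above, as an added example that is not part of the original post or cPanel's tooling: it avoids appending the directive twice, removes it cleanly once the responder recovers, and classifies `openssl s_client -status` output to confirm whether the server is stapling. The function names are hypothetical, and the include file path is passed in by the caller.

```shell
#!/bin/sh
# Added example: idempotent toggle for the "SSLUseStapling off" workaround.
# Function names are illustrative, not cPanel commands.

DIRECTIVE='SSLUseStapling off'

# Append the directive only if an identical line is not already present.
# $1 = include file (e.g. the EA4 or EA3 pre_virtualhost_global.conf).
stapling_workaround_apply() {
    grep -qxF "$DIRECTIVE" "$1" 2>/dev/null || printf '%s\n' "$DIRECTIVE" >> "$1"
}

# Remove every exact copy of the directive, keeping a .bak copy of the file.
stapling_workaround_remove() {
    [ -f "$1" ] || return 0
    cp -p "$1" "$1.bak" || return 1
    # grep exits 1 when no lines remain; that is not an error here.
    grep -vxF "$DIRECTIVE" "$1.bak" > "$1" || true
}

# Classify the output of `openssl s_client -status`, read from stdin.
stapling_state() {
    out=$(cat)
    case $out in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo not-stapled ;;
        *)                                    echo unknown ;;
    esac
}

# Usage on a live server (not executed here; example.com is a placeholder):
#   stapling_workaround_apply /etc/apache2/conf.d/includes/pre_virtualhost_global.conf
#   /scripts/restartsrv_httpd
#   openssl s_client -connect example.com:443 -servername example.com -status \
#       </dev/null 2>/dev/null | stapling_state
```

After removing the workaround and restarting Apache, `stapling_state` should report `stapled` again once the CA's responder is reachable from the server.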
  • benwbandm
    I've just given this a try and I can see my browser trying to perform the TLS handshake, the above doesn't seem to have solved anything. I'll keep an eye on this thread.
  • cPanelLauren
    Hello @benwbandm I'm sorry that it didn't work for you, looking at the internal case it appears that it was closed earlier due to the issues with Comodo having been resolved. If you're still experiencing issues with this and the workaround isn't working for you I would suggest opening a ticket using the link in my signature so we can look further into the issue for you.
  • benwbandm
    Hey @cPanelLauren - I've got a ticket open (9411947) - Just awaiting a reply, strangely I'm only having issues with SSL.
  • cPanelLauren
    Hi @benwbandm Thank you for updating with the ticket number! I've noted this forum post on the ticket as well. I also noticed that you mentioned you're using Let's Encrypt for your certificate so I don't believe this will be related to OCSP issues Comodo was experiencing. I'll continue to check in on the ticket as well. Thank you,
  • benwbandm
    Hey @cPanelLauren - I've switched between both LE and cPanel AutoSSL, neither of which seem to work. I really cannot get my head around how the SSL side of stuff just suddenly crashes and burns. If you could nudge someone slightly it would be appreciated as this problem is now affecting another server! I'm aware there are other problems to address too :)
  • cPanelLauren
    Hi @benwbandm I see, I'll keep watching it as well. I can see what I can do but our techs are busier than normal today, I am sorry for the delay.
  • chufrog
    We encounter exactly the same issue. Lots of our clients are not happy with it.
  • cPanelLauren
    Hi @chufrog I just checked in on the issue that @benwbandm was having. The issue actually spawned an internal case EA-7379, the resolution of which was pushed yesterday and has solved the issue for @benwbandm's servers. This issue is related to a problem with mysql-1.so within the apr-util causing segfaults when loading pages over https. This issue did turn out to be different than the Comodo OCSP issues that were first presented in this thread, but if you are experiencing this issue and the update which was pushed overnight did not resolve it I would strongly urge you to open a ticket with us using the link in my signature. Thank you,
  • chufrog
    Sorry for the misleading message. I encounter the same issue
  • cPanelLauren
    Hi @chufrog If this is still occurring and the workaround did not work for you could you please open a ticket using the link in my signature? From what we're seeing the comodo issue appears to be resolved at this time and the internal case has been marked as complete. Thank you,
  • chufrog
    Thank you, we will set SSLUseStapling to off if we encounter such an issue again.
  • cPanelLauren
    Hi @chufrog That should work! Please let us know if you have any further issues with this. Thank you,
  • chufrog
    This error is happening again right now. The workaround does not work.
  • bruzli
    same issue here, fixed with SSLUseStapling off
  • cPanelLauren
    Hello, It does appear that Comodo is again experiencing issues with this. @chufrog can you please open a ticket so that we can take a closer look? SSLUseStapling off should resolve the issue and I'm concerned that yours may be different. Thank you,
  • chufrog
    Thank you. We have a ticket on buycpanel.com, ticket id: 831732
  • cPanelLauren
    Hello, Do you know if buycpanel opened a ticket with us and what that ID is? That isn't a recent Ticket ID number for our ticket system. Thank you,
  • chufrog
    We confirmed we have a ticket 831732, created on 04/23/2018 (02:37), on buycpanel.com
  • cPanelLauren
    Hi @chufrog That is a buycpanel ticket ID number, I am wondering if they, in turn, opened a ticket with us. Please let us know the outcome of the ticket with buycpanel Thank you,
  • chufrog
    They just said they will escalate this issue to the L4 team. Does that L4 team belong to cPanel, or is it still a buycpanel internal support team?
  • cPanelLauren
    Hi @chufrog My assumption is yes, considering I cannot find a ticket ID that matches yours nor can I see a ticket of the same nature active for L3 or above. Thank you,
  • cPanelLauren
    Hi everyone, I wanted to update that we are aware of ongoing intermittent issues with Comodo's OCSP responders. We have been communicating with Comodo directly for information on this issue and when it will be resolved. If you would like to contact them directly you can do so here: Comodo - Powered by Kayako Help Desk Software Thank you,
  • MuNLoK
    Hi @cPanelLauren Thank you for the update. Here we also had to activate the workaround yesterday (SSLUseStapling off) due to the intermittent issues with Comodo's OCSP responders. We would appreciate it if you inform us here once you have a response from Comodo and when the issue is solved, in order to deactivate it. Thank you!
  • cPanelLauren
    Hi @MuNLoK Of course! I will definitely. At this time I have no new information. As soon as I do I will update this thread. Thank you,
  • cPanelLauren
    Hello, Comodo has indicated that they were experiencing issues yesterday with this in some European locations but the issue should be resolved. If you are still experiencing issues with this they are requesting examples. If you are continuing to experience OCSP issues with Comodo please open a ticket using the link in my signature and reply here with the ticket ID. Thank you,
  • ryodo
    Hi Lauren - thank you for the tip about turning off stapling in Apache. That fix did the trick. Our server went down this morning around 10:15 or so, and the log was filled with the same entries about ocsp.comodoca.com not being reachable. I couldn't manually access them, either. I inserted the line to turn off SSL stapling and the problem was immediately solved. Our server is in Los Angeles, at the Wilshire One data center.
  • cPanelLauren
    Hi @ryodo I'm glad to hear that it worked for you. We are getting reports from Comodo on continuing intermittent issues. They sent out the following status notification today:

    Current Status: Degraded Performance
    Started: 4/25/2018 6:15pm (+0000)
    Resolved:
    Affected Infrastructure Components: ComodoCA, Website
    Locations: EmailQueue, Primary Data Center, Signing
    Update: We have received multiple intermittent customer reports of issues accessing our OCSP and CRL servers as well as other latency related issues. We are continuing to investigate and will provide an ETA when available. The issues seem to predominantly affect users in the US-West, Japan, Australia, South Korea, and the Pacific Rim.

    We're also now opening a new tracking case per incident to better track the issues to view the trend. The one we've currently opened is CPANEL-20007. Thank you,
