Sectigo OCSP Outage 05/01/2019
Is anyone else seeing issues with OCSP from Comodo currently? Getting these errors on all my cPanel servers since around 14:50 UTC today.
[Wed May 01 15:45:05.022337 2019] [ssl:error] [pid 32448:tid 47455874840320] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:09.434592 2019] [ssl:error] [pid 32448:tid 47455879042816] (70007)The timeout specified has expired: [client 35.198.217.171:42784] AH01985: error reading response from OCSP server
[Wed May 01 15:45:09.434782 2019] [ssl:error] [pid 32448:tid 47455879042816] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:30.627343 2019] [ssl:error] [pid 32443:tid 47455885346560] (70007)The timeout specified has expired: [client 148.252.194.74:56787] AH01985: error reading response from OCSP server
[Wed May 01 15:45:30.627687 2019] [ssl:error] [pid 32443:tid 47455885346560] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:33.644663 2019] [ssl:error] [pid 32446:tid 47455870637824] (70007)The timeout specified has expired: [client 148.252.194.74:56791] AH01985: error reading response from OCSP server
[Wed May 01 15:45:33.644918 2019] [ssl:error] [pid 32446:tid 47455870637824] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:03.866604 2019] [ssl:error] [pid 32444:tid 47455885346560] (70007)The timeout specified has expired: [client 178.82.175.11:46529] AH01985: error reading response from OCSP server
[Wed May 01 15:46:03.866755 2019] [ssl:error] [pid 32444:tid 47455885346560] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:07.583846 2019] [ssl:error] [pid 32443:tid 47455889549056] (70007)The timeout specified has expired: [client 178.82.175.11:46728] AH01985: error reading response from OCSP server
[Wed May 01 15:46:07.583985 2019] [ssl:error] [pid 32443:tid 47455889549056] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:12.885442 2019] [ssl:error] [pid 32446:tid 47455883245312] (70007)The timeout specified has expired: [client 178.82.175.11:46917] AH01985: error reading response from OCSP server
[Wed May 01 15:46:12.885587 2019] [ssl:error] [pid 32446:tid 47455883245312] AH01941: stapling_renew_response: responder error
I've had to disable OCSP on one of the servers as it was locking up apache after ~ 10 minutes post restart.
echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
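The failure pattern in the log excerpt above can be detected mechanically. The following is an added example, not part of the original thread: it counts failed staple renewals (AH01941) and responder timeouts (AH01985) per minute and reports when the failures first cluster. The sample log is constructed, and the function names and the threshold of 3 failures per minute are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the error-log format quoted in the thread
# (192.0.2.10 is a documentation address, not a real client).
TIMEOUT = ("(70007)The timeout specified has expired: "
           "[client 192.0.2.10:40000] AH01985: error reading response from OCSP server")
RENEW = "AH01941: stapling_renew_response: responder error"
SAMPLE_LOG = "\n".join([
    "[Wed May 01 15:44:10.000000 2019] [core:notice] [pid 90:tid 1] unrelated line",
    f"[Wed May 01 15:44:40.000000 2019] [ssl:error] [pid 101:tid 7] {RENEW}",
    f"[Wed May 01 15:45:05.000000 2019] [ssl:error] [pid 101:tid 7] {TIMEOUT}",
    f"[Wed May 01 15:45:05.000100 2019] [ssl:error] [pid 101:tid 7] {RENEW}",
    f"[Wed May 01 15:45:30.000000 2019] [ssl:error] [pid 102] {TIMEOUT}",
    f"[Wed May 01 15:45:30.000100 2019] [ssl:error] [pid 102] {RENEW}",
    f"[Wed May 01 15:45:52.000000 2019] [ssl:error] [pid 101:tid 9] {TIMEOUT}",
    f"[Wed May 01 15:45:52.000100 2019] [ssl:error] [pid 101:tid 9] {RENEW}",
    f"[Wed May 01 15:46:07.000000 2019] [ssl:error] [pid 102] {TIMEOUT}",
    f"[Wed May 01 15:46:07.000100 2019] [ssl:error] [pid 102] {RENEW}",
])

# ":tid N" is optional: a later log excerpt in the thread has "[pid N]" only.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid \d+(?::tid \d+)?\] "
                     r".*?\b(?P<code>AH01941|AH01985):")

def parse(log_text):
    """Yield (minute, code) for each OCSP stapling error line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts.replace(second=0, microsecond=0), m["code"]

def renew_failures_per_minute(log_text):
    """Count failed staple renewals (AH01941) in each minute."""
    return Counter(minute for minute, code in parse(log_text) if code == "AH01941")

def timeout_count(log_text):
    """Count AH01985 lines: the responder did not answer in time."""
    return sum(code == "AH01985" for _, code in parse(log_text))

def outage_start(log_text, threshold=3):
    """First minute with at least `threshold` failed renewals, else None."""
    hits = [m for m, n in renew_failures_per_minute(log_text).items() if n >= threshold]
    return min(hits) if hits else None
```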
Hey, We did open a ticket to cPanel related to this issue. We have more than 20 servers that are crashed right now. 0 -
Thanks @cPanelMichael - I suspected as much, but couldn't see anything myself on their status page either. 0 -
Note: since Sectigo/Comodo started with the signed cPanel certs this has been a normal occurrence from time to time. Outages are location specific (it's a pain); changing the main DNS resolver out to a different location will usually fix it. 0 -
This is impacting my servers as well. 0 -
@cPanelMichael Hello, I am having the same issue here also. Have been using the DNS resolver from Cloudflare, then switched back to Google, and still having intermittent issues with the OCSP. Disabled stapling for now. Should I open a ticket also (you have enough of them?) or just follow here for updates? Thank you 0 -
Got the same issue, created a ticket, and disabled stapling. Switching from Google to Cloudflare resolvers doesn't help. 0 -
Same here, I don't ever remember turning OCSP stapling on though.... I read about a timeout directive to fall back to non-OCSP, but can't find any documentation on putting this in cPanel. 0 -
I am seeing this issue as well 0 -
If you use Ansible, this one-liner will work.
Disable SSL Stapling:
ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' line='SSLUseStapling off' state=present"
Then restart Apache:
ansible cpanel_servers -a "/scripts/restartsrv_httpd"
To undo:
ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' state=absent"
And restart again:
ansible cpanel_servers -a "/scripts/restartsrv_httpd"
0 -
[Note: This was moved from its own thread to here]
Hi! What's happening today? At noon, all the websites on my server began timing out. I received a HTTPd service down notification and the server logs are filled with:
[Wed May 01 12:34:30.880922 2019] [ssl:error] [pid 11717] (70007)The timeout specified has expired: [client x.x.x.x:3638] AH01985: error reading response from OCSP server
[Wed May 01 12:34:30.880976 2019] [ssl:error] [pid 11717] AH01941: stapling_renew_response: responder error
PLEASE HELP!
EDIT: DE-STAPLING TEMP FIX MENTIONED ABOVE WORKED FINE. THX 0 -
Glad I am not the only one, I am seeing the same thing on my end. Hundreds of sites offline and the HTTPd service keeps crashing. I am making a quick server snapshot and am going to try restarting (there were updates in queue, was waiting for weekend) and maybe rebuilding apache. Will report back with results. -- Edit -- Restarting did not fix, but the tip above about disabling the OCSP stapling did the trick for now. Will definitely undo that temporary fix once things are back to normal. 0 -
I think the OCSP response problem exists only on servers that have an IPv6 address. I don't have the OCSP problem on servers without IPv6. 0 -
We have IPv6 disabled and it's crippled several of our servers. Glad there's at least a temporary workaround. 0 -
The same issue here. Ticket number is 12156975. Hope you fix it as soon as possible. 0 -
I was able to resolve this by using the following steps:
- Install LetsEncrypt AutoSSL provider - found here: cPanel's Official Let's Encrypt Plugin | cPanel Blog
- Deleting all SSL certs for affected domains
- Restarting Apache
- Running AutoSSL for the affected domains
Hope this helps someone get back up and running as quick as possible. 0 -
Same problem here: error reading response from OCSP server 0 -
Hello!! I was able to fix the issue, following: Hello Everyone, Thanks for the reports. We've reached out to Sectigo and are awaiting more information at this time. I'll update this thread with more information as soon as it's available. In the meantime, the temporary workaround instructions from our
0 -
@LoganGraham That's really, really annoying when you have HUNDREDS of domains! Instead go to:
WHM >> Service Configuration >> Apache Configuration >> Include Editor >> Pre VirtualHost Include >> All Versions
and add the following line then hit "UPDATE" and it completely and immediately fixes the issue:
SSLUseStapling off
0 -
Following. Two out of my 12 servers had this issue today! 0 -
I want to know what cPanel is going to do about ensuring that this never happens again. It's ridiculous that I watched 5 servers go down because of this outage. Since Google is forcing everyone to get SSL certificates, issues like this need to be addressed because we have one serious bottleneck here. 0 -
Hello Everyone, It looks like Sectigo's OCSP responder servers are operating normally again. Let us know if the issue persists after reverting the temporary workaround. Thank you. 0 -
What plans do you have to prevent a repeat performance the next time their servers stop responding? Can you confirm if OCSP Stapling is enabled by default on new cPanel installs? 0 -
I want to know what cPanel is going to do about ensuring that this never happens again. It's ridiculous that I watched 5 servers go down because of this outage. Since Google is forcing everyone to get SSL certificates, issues like this need to be addressed because we have one serious bottleneck here.
You mean the industry is pushing out something that they didn't fully think all the way through? Color me shocked! 0 -
If I'm not mistaken, this has nothing to do with cPanel, it was Comodo/Sectigo issued certificates. The same thing would happen if Verisign or Thawte or anyone else had failures in their OCSP revocation services. 0 -
According to the Sectigo status page there were no errors. So either they had no errors really or they do a bad job. This company should communicate the status of their services reliably. @cPanel: is there any news about this issue? 0 -
Well even Sectigo I think.
0