Sectigo OCSP Outage 05/01/2019

Comments

36 comments

  • dooh
    Hey, We did open a ticket to cPanel related to this issue. We have more than 20 servers that are crashed right now.
    0
  • cPanelMichael
    Hello @matt1206, We're currently investigating this in a couple of support tickets. The reported error generally stems from a certificate authority outage, though Sectigo shows no OCSP problems at the moment:
    0
  • matt1206
    Thanks @cPanelMichael - I suspected as much, but couldn't see anything myself on their status page either.
    0
  • dalem
    Note: since Sectigo/Comodo started with the signed cpanel certs, this has been a normal occurrence from time to time. Outages are location specific (it's a pain); changing the main DNS resolver out to a different location will usually fix it.
    0
  • brianc
    This is impacting my servers as well.
    0
  • codepoet
    @cPanelMichael Hello, I am having the same issue here also. Have been using the dns Resolver from cloudflare, then switched back to google, and still having intermittent issues with the OCSP. Disabled stapling for now. Should I open a ticket also (you have enough of them ?) or just follow here for updates? Thank you
    0
  • codepoet
    Well even
    0
  • KJBgvs78gv
    Got the same issue, created a ticket, and disabled stapling. Switching from google to cloudflare resolvers doesn't help.
    0
  • tandyuk
    Same here, I don't ever remember turning OCSP stapling on though.... I read about a timeout directive to fall back to non-ocsp, but can't find any documentation on putting this in cpanel.
    0
  • tsiedsma
    I am seeing this issue as well
    0
  • tsiedsma
    If you use Ansible, this one-liner will work.

    Disable SSL Stapling:
        ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' line='SSLUseStapling off' state=present"

    Then restart Apache:
        ansible cpanel_servers -a "/scripts/restartsrv_httpd"

    To undo:
        ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' state=absent"

    And restart again:
        ansible cpanel_servers -a "/scripts/restartsrv_httpd"
    0
  • cPanelMichael
    Hello Everyone, Thanks for the reports. We've reached out to Sectigo and are awaiting more information at this time. I'll update this thread with more information as soon as it's available. In the meantime, the temporary workaround instructions from our
    0
  • Benjamin D.
    [Note: This was moved from its own thread to here]

    Hi! What's happening today? At noon, all the websites on my server began timing out. I received a HTTPd service down notification and the server logs are filled with:

        [Wed May 01 12:34:30.880922 2019] [ssl:error] [pid 11717] (70007)The timeout specified has expired: [client x.x.x.x:3638] AH01985: error reading response from OCSP server
        [Wed May 01 12:34:30.880976 2019] [ssl:error] [pid 11717] AH01941: stapling_renew_response: responder error

    PLEASE HELP!

    EDIT: DE-STAPLING TEMP FIX MENTIONED ABOVE WORKED FINE. THX
    0
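
As an added example (not part of the original post and not cPanel's own tooling), this Python script counts the two stapling errors quoted above per minute, so a responder outage shows up as a burst in the Apache error log. The sample log is constructed around the two lines from the post, and the threshold of 3 per minute is an assumption to tune.

```python
import re
from collections import Counter
from datetime import datetime

# Apache error-log lines in the format quoted in the post above.
# Constructed sample: timestamps, pids and the unrelated AH00163 line are made up.
SAMPLE_LOG = """\
[Wed May 01 12:33:10.100000 2019] [mpm_prefork:notice] [pid 900] AH00163: Apache configured -- resuming normal operations
[Wed May 01 12:34:30.880922 2019] [ssl:error] [pid 11717] (70007)The timeout specified has expired: [client x.x.x.x:3638] AH01985: error reading response from OCSP server
[Wed May 01 12:34:30.880976 2019] [ssl:error] [pid 11717] AH01941: stapling_renew_response: responder error
[Wed May 01 12:34:41.002113 2019] [ssl:error] [pid 11720] (70007)The timeout specified has expired: [client x.x.x.x:3701] AH01985: error reading response from OCSP server
[Wed May 01 12:34:41.002190 2019] [ssl:error] [pid 11720] AH01941: stapling_renew_response: responder error
[Wed May 01 12:36:02.500000 2019] [ssl:error] [pid 11731] AH01941: stapling_renew_response: responder error
"""

# The two message IDs that appear in the thread's log excerpt.
STAPLING_CODES = {"AH01985", "AH01941"}
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\] "
    r"\[ssl:error\].*?\b(?P<code>AH\d{5}):"
)

def parse_stapling_errors(lines):
    """Yield (timestamp, code) for each OCSP stapling error line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("code") in STAPLING_CODES:
            ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("code")

def stapling_error_bursts(lines, threshold=3):
    """Return {minute: count} for minutes with at least `threshold` errors."""
    per_minute = Counter(ts.replace(second=0) for ts, _ in parse_stapling_errors(lines))
    return {minute: n for minute, n in sorted(per_minute.items()) if n >= threshold}

if __name__ == "__main__":
    for minute, n in stapling_error_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{minute:%Y-%m-%d %H:%M} stapling errors: {n}")
```
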
  • Judah
    Glad I am not the only one, I am seeing the same thing on my end. Hundreds of sites offline and the HTTPd service keeps crashing. I am making a quick server snapshot and am going to try restarting (there were updates in queue, was waiting for weekend) and maybe rebuilding apache. Will report back with results. -- Edit -- Restarting did not fix, but the tip above about disabling the OCSP stapling did the trick for now. Will definitely undo that temporary fix once things are back to normal.
    0
  • kacsa
    I think the OCSP response problem exists only on servers that have an IPv6 address. I don't have the OCSP problem on servers without IPv6.
    0
  • jestep
    We have IPV6 disabled and it's crippled several of our servers. Glad there's at least a temporary work around.
    0
  • kamrannorway
    The same issue here. Ticket number is 12156975. Hope you fix it as soon as possible.
    0
  • LoganGraham
    I was able to resolve this by using the following steps:
    - Install LetsEncrypt AutoSSL provider - found here: cPanel's Official Let's Encrypt Plugin | cPanel Blog
    - Deleting all SSL certs for affected domains
    - Restarting Apache
    - Running AutoSSL for the affected domains
    Hope this helps someone get back up and running as quick as possible.
    0
  • orizonmedia
    Same problem here: error reading response from OCSP server
    0
  • charles1888
    Hello!! I was able to fix the issue, following:
    Hello Everyone, Thanks for the reports. We've reached out to Sectigo and are awaiting more information at this time. I'll update this thread with more information as soon as it's available. In the meantime, the temporary workaround instructions from our
    0
  • Benjamin D.
    @LoganGraham That's really, really annoying when you have HUNDREDS of domains! Instead go to:

        WHM >> Service Configuration >> Apache Configuration >> Include Editor >> Pre VirtualHost Include >> All Versions

    and add the following line then hit "UPDATE" and it completely and immediately fixes the issue:

        SSLUseStapling off
    0
  • craigedmonds
    Following. Two out of my 12 servers had this issue today!
    0
  • brianc
    I want to know what cPanel is going to do about ensuring that this never happens again. It's ridiculous that I watched 5 servers go down because of this outage. Since Google is forcing everyone to get SSL certificates, issues like this need to be addressed because we have one serious bottleneck here.
    0
  • cPanelMichael
    Hello Everyone, It looks like Sectigo's OCSP responder servers are operating normally again. Let us know if the issue persists after reverting the temporary workaround. Thank you.
    0
  • tandyuk
    What plans do you have to prevent a repeat performance the next time their servers stop responding? Can you confirm if OCSP Stapling is enabled by default on new cpanel installs?
    0
  • LucasRolff
    I was able to resolve this by using the following steps: - Install LetsEncrypt AutoSSL provider - found here:
    0
  • sparek-3
    I want to know what cPanel is going to do about ensuring that this never happens again. It's ridiculous that I watched 5 servers go down because of this outage. Since Google is forcing everyone to get SSL certificates, issues like this need to be addressed because we have one serious bottleneck here.

    You mean the industry is pushing out something that they didn't fully think all the way through? Color me shocked!
    0
  • jestep
    If I'm not mistaken, this has nothing to do with cpanel, it was Comodo/Sectigo issued certificates. The same thing would happen if Verisign or Thawte or anyone else had failures in their OCSP revocation services.
    0
  • roliboli
    According to the Sectigo status page there were no errors. So either they had no errors really or they do a bad job. This company should communicate the status of their services reliably. @cPanel: is there any news about this issue?
    0
  • roliboli
    Well even Sectigo I think.
    0