Sectigo OCSP Outage 05/01/2019
Is anyone else seeing issues with OCSP from Comodo currently? Getting these errors on all my cPanel servers since around 14:50 UTC today.
I've had to disable OCSP on one of the servers as it was locking up apache after ~ 10 minutes post restart.
[Wed May 01 15:45:05.022337 2019] [ssl:error] [pid 32448:tid 47455874840320] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:09.434592 2019] [ssl:error] [pid 32448:tid 47455879042816] (70007)The timeout specified has expired: [client 35.198.217.171:42784] AH01985: error reading response from OCSP server
[Wed May 01 15:45:09.434782 2019] [ssl:error] [pid 32448:tid 47455879042816] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:30.627343 2019] [ssl:error] [pid 32443:tid 47455885346560] (70007)The timeout specified has expired: [client 148.252.194.74:56787] AH01985: error reading response from OCSP server
[Wed May 01 15:45:30.627687 2019] [ssl:error] [pid 32443:tid 47455885346560] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:33.644663 2019] [ssl:error] [pid 32446:tid 47455870637824] (70007)The timeout specified has expired: [client 148.252.194.74:56791] AH01985: error reading response from OCSP server
[Wed May 01 15:45:33.644918 2019] [ssl:error] [pid 32446:tid 47455870637824] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:03.866604 2019] [ssl:error] [pid 32444:tid 47455885346560] (70007)The timeout specified has expired: [client 178.82.175.11:46529] AH01985: error reading response from OCSP server
[Wed May 01 15:46:03.866755 2019] [ssl:error] [pid 32444:tid 47455885346560] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:07.583846 2019] [ssl:error] [pid 32443:tid 47455889549056] (70007)The timeout specified has expired: [client 178.82.175.11:46728] AH01985: error reading response from OCSP server
[Wed May 01 15:46:07.583985 2019] [ssl:error] [pid 32443:tid 47455889549056] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:12.885442 2019] [ssl:error] [pid 32446:tid 47455883245312] (70007)The timeout specified has expired: [client 178.82.175.11:46917] AH01985: error reading response from OCSP server
[Wed May 01 15:46:12.885587 2019] [ssl:error] [pid 32446:tid 47455883245312] AH01941: stapling_renew_response: responder error
echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
While a CA's OCSP Responder servers are outside of our control, we definitely understand the importance of a website's uptime. We will evaluate this incident and others like it to determine if (and what) changes to cPanel & WHM are necessary to help ensure websites remain accessible when a CA's OCSP Responders are down or performing poorly.
. grow the default limit to some larger number (as you said, 12 should be enough) that should fix issues like this
The concern here is that increasing the default value would have a negative impact on the website load time performance.
. add options for SSLUseStapling and SSLStaplingResponderTimeout to WHM's Apache Configuration/Global Configuration
I recommend opening a
Hello Everyone, I have a server in a European data center, which I use as shared hosting. It has cpanel version v84.0.14 installed. AutoSSL provider cPanel (powered by Sectigo) is used for all users. When opening https pages on the sites of my clients, sometimes there is a starting delay of about 3 seconds with the message being displayed in the browser status bar - "TLS handshaking". I began to study the Apache error log and saw that it was filled with a huge number of such messages:
[Mon Nov 25 09:54:07.361518 2019] [ssl:error] [pid 5035] (70007)The timeout specified has expired: [client 84.240.234.36:32844] AH01985: error reading response from OCSP server
[Mon Nov 25 09:54:07.361633 2019] [ssl:error] [pid 5035] AH01941: stapling_renew_response: responder error
[Mon Nov 25 09:55:24.610770 2019] [ssl:error] [pid 10662] (70007)The timeout specified has expired: [client 18.195.242.194:50094] AH01985: error reading response from OCSP server
[Mon Nov 25 09:55:24.610960 2019] [ssl:error] [pid 10662] AH01941: stapling_renew_response: responder error
[Mon Nov 25 09:57:06.670421 2019] [ssl:error] [pid 13802] (70007)The timeout specified has expired: [client 66.249.64.143:47390] AH01985: error reading response from OCSP server
[Mon Nov 25 09:57:06.670585 2019] [ssl:error] [pid 13802] AH01941: stapling_renew_response: responder error
[Mon Nov 25 10:02:27.978863 2019] [ssl:error] [pid 10662] (70007)The timeout specified has expired: [client 66.249.64.170:55313] AH01985: error reading response from OCSP server
[Mon Nov 25 10:02:27.978979 2019] [ssl:error] [pid 10662] AH01941: stapling_renew_response: responder error
[Mon Nov 25 10:08:29.145910 2019] [ssl:error] [pid 13803] (70007)The timeout specified has expired: [client 157.55.39.195:5841] AH01985: error reading response from OCSP server
[Mon Nov 25 10:08:29.146038 2019] [ssl:error] [pid 13803] AH01941: stapling_renew_response: responder error
[Mon Nov 25 10:12:02.040559 2019] [ssl:error] [pid 15838] (70007)The timeout specified has expired: [client 35.162.141.144:28175] AH01985: error reading response from OCSP server
[Mon Nov 25 10:12:02.040730 2019] [ssl:error] [pid 15838] AH01941: stapling_renew_response: responder error
Tell me how to diagnose this problem? At least what address should I ping to check if there is a connection with it?
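One way to read the error log itself for diagnosis, as an added example that is not part of any post in this thread or of cPanel's tooling: it groups failed stapling renewals (AH01941) into episodes and separates responder timeouts (preceded by AH01985 on the same worker) from other responder errors. The function names, the 2-minute grouping gap and the pairing rule are assumptions; the sample lines are constructed in the format quoted above.

```python
import re
from datetime import datetime, timedelta

# Apache 2.4 error_log line as quoted in this thread; worker is "pid N" or "pid N:tid M".
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<worker>[^\]]+)\] "
                  r".*?(?P<code>AH01985|AH01941):")

def stapling_failures(lines):
    """Yield (time, cause) for every failed stapling renewal (AH01941)."""
    timed_out = set()  # workers whose last OCSP read hit the timeout (AH01985)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m["code"] == "AH01985":
            timed_out.add(m["worker"])
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        # Assumption: AH01941 with no AH01985 from the same worker is not a timeout.
        cause = "timeout" if m["worker"] in timed_out else "responder_error"
        timed_out.discard(m["worker"])
        yield ts, cause

def episodes(failures, gap=timedelta(minutes=2)):
    """Merge failures that are no more than `gap` apart into one episode."""
    out = []
    for ts, cause in failures:
        if not out or ts - out[-1]["end"] > gap:
            out.append({"start": ts, "end": ts, "timeout": 0, "responder_error": 0})
        out[-1]["end"] = ts
        out[-1][cause] += 1
    return out

# Constructed sample (documentation IPs, made-up pids), not copied from a real server.
SAMPLE = """\
[Wed May 01 15:45:05.022337 2019] [ssl:error] [pid 101:tid 1] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:09.434592 2019] [ssl:error] [pid 101:tid 2] (70007)The timeout specified has expired: [client 192.0.2.10:42784] AH01985: error reading response from OCSP server
[Wed May 01 15:45:09.434782 2019] [ssl:error] [pid 101:tid 2] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:30.627343 2019] [ssl:error] [pid 102:tid 3] (70007)The timeout specified has expired: [client 198.51.100.7:56787] AH01985: error reading response from OCSP server
[Wed May 01 15:45:30.627687 2019] [ssl:error] [pid 102:tid 3] AH01941: stapling_renew_response: responder error
[Wed May 01 15:58:02.040559 2019] [ssl:error] [pid 103:tid 4] (70007)The timeout specified has expired: [client 203.0.113.5:28175] AH01985: error reading response from OCSP server
[Wed May 01 15:58:02.040730 2019] [ssl:error] [pid 103:tid 4] AH01941: stapling_renew_response: responder error
""".splitlines()

if __name__ == "__main__":
    for ep in episodes(stapling_failures(SAMPLE)):
        print(f'{ep["start"]} -> {ep["end"]}  timeouts={ep["timeout"]}  '
              f'other={ep["responder_error"]}')
```

Long episodes of back-to-back timeouts point to the CA's responder being unreachable or slow; isolated single failures minutes apart look more like intermittent latency.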
Hello hello, I wanna inform about the same subject. In 2 directories I have no index files inside, yes. And it looks like the client IP 80.82.68.113 tries to access the domain and fails, then the SSL error comes.... But just sometimes in a day and just from some client IPs - all the other clients don't generate these errors. In another domain directory I use an IP deny entry in htaccess.
[Wed Dec 18 13:59:55.070653 2019] [autoindex:error] [pid 11994] [client 80.82.68.113:40400] AH01276: Cannot serve directory /home/domainname-as-subdomain/public_html/: No matching DirectoryIndex (index.php blabla) found, and server-generated directory index forbidden by Options directive
[Wed Dec 18 14:00:47.395039 2019] [ssl:error] [pid 16459] (70007)The timeout specified has expired: [client 80.82.68.113:57264] AH01985: error reading response from OCSP server
[Wed Dec 18 14:00:47.395177 2019] [ssl:error] [pid 16459] AH01941: stapling_renew_response: responder error
[Wed Dec 18 14:00:47.723763 2019] [autoindex:error] [pid 9243] [client 80.82.68.113:52122] AH01276: Cannot serve directory /home/domainname/public_html/: No matching DirectoryIndex (index.php,blabla) found, and server-generated directory index forbidden by Options directive
[Wed Dec 18 14:02:11.490135 2019] [access_compat:error] [pid 11832] [client 80.82.68.113:50692] AH01797: client denied by server configuration: /home/otherdomainname/public_html/
Do people still use sslstapling? We have had this turned off for over 1 year now and have not had any issues. Did test a server today and turned it on, and the Apache error_log is filling with these:
[Mon Jun 08 13:36:44.972881 2020] [ssl:error] [pid 171417:tid 47028356790016] (70007)The timeout specified has expired: [client 92.220.xx.xxx:50388] AH01985: error reading response from OCSP server
[Mon Jun 08 13:36:44.973029 2020] [ssl:error] [pid 171417:tid 47028356790016] AH01941: stapling_renew_response: responder error
We use 1.1.1.1 and 1.0.0.1 as resolvers.