Bad response from OCSP server
I was debugging a problem with some slow websites and came across the following entries in the apache error log:
[Thu May 30 20:18:35.847964 2019] [ssl:error] [pid 16892:tid 47787978688256] (70007)The timeout specified has expired: [client 40.77.167.125:2464] AH01977: failed reading line from OCSP server
[Thu May 30 20:18:35.848007 2019] [ssl:error] [pid 16892:tid 47787978688256] [client 40.77.167.125:2464] AH01980: bad response from OCSP server: (none)
[Thu May 30 20:18:35.848074 2019] [ssl:error] [pid 16892:tid 47787978688256] AH01941: stapling_renew_response: responder error
I've done some Googling and read a few forum threads but nothing seems to apply to my specific error.
It's this line in the logs which has me confused:
AH01980: bad response from OCSP server: (none) - shouldn't that be 'ocsp.comodoca.com' ?????
It seems that apache is failing to get the OCSP server info (none) from somewhere and can't connect?
Hello TWD,
The following links include overall OCSP information:
It looks like ticket 12449641 is open to request more information about seeing "none" in the Apache OCSP error output. I'll monitor this ticket and update this thread with the outcome once it's closed.
Thank you.
Update: It looks like the ticket was closed. Feel free to reply to the ticket to re-open it if you have additional questions about the OCSP error output (e.g. the "none" entry).
Thank you.
I just had this problem with some GoDaddy OV certificates, with this kind of error in the logs:
[Sun Feb 16 22:35:45.315628 2020] [ssl:error] [pid 17010:tid 22540466992896] (70007)The timeout specified has expired: [client x.x.x.x:41888] AH01977: failed reading line from OCSP server
[Sun Feb 16 22:35:45.315689 2020] [ssl:error] [pid 17010:tid 22540466992896] [client x.x.x.x:41888] AH01980: bad response from OCSP server: (none)
[Sun Feb 16 22:35:45.315964 2020] [ssl:error] [pid 17010:tid 22540466992896] AH01941: stapling_renew_response: responder error
I have worked around the problem by setting SSLUseStapling off in Apache temporarily, but with "none" as the server, I can't even check if we have a firewall issue. Closed ticket or not I would really like to know what this means and how to diagnose/address it!
Upon further reading of logs, it seems that the (none) isn't a server address, it's a description of the response error, which is no response. So the question is really this: is there any command line way to attempt an OCSP Staple, preferably with a response that includes the address that's being queried so we can figure out if it's a network problem or a server problem? The best answer I have found is here, but it's not a one-line solution.
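Added example, not part of any post in this thread: one way to repeat the stapling lookup by hand so that the responder address is printed and a network failure is told apart from a responder failure. The function names (ocsp_uri, ocsp_hostport, ocsp_check) and file names are hypothetical; it assumes openssl, coreutils timeout and bash are installed, and the 10-second timeout is an assumed value.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: sh ocsp-check.sh cert.pem issuer.pem
# Both file names are placeholders for the site certificate and its issuing CA.

# Print the responder URL stored in the certificate's AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Reduce a responder URL to "host port". The body runs in a subshell, so its
# variables stay private. IPv6 literals are not handled.
ocsp_hostport() (
    url=$1
    scheme=${url%%://*}
    rest=${url#*://}
    rest=${rest%%/*}                      # drop the path
    host=${rest%%:*}
    if [ "$rest" != "$host" ]; then port=${rest##*:}
    elif [ "$scheme" = https ]; then port=443
    else port=80
    fi
    printf '%s %s\n' "$host" "$port"
)

# Name the responder, test the TCP path, then send a real OCSP request.
ocsp_check() (
    cert=$1 issuer=$2
    url=$(ocsp_uri "$cert")
    [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; exit 2; }
    hp=$(ocsp_hostport "$url"); host=${hp% *}; port=${hp#* }
    echo "responder: $url (host $host, port $port)"
    # A failure here points at firewall, DNS or routing rather than the CA.
    if ! timeout 10 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
    then
        echo "cannot open TCP connection to $host:$port" >&2; exit 1
    fi
    # The port is open, so a timeout or error here comes from the
    # HTTP/OCSP exchange itself. Adjust 10 to your SSLStaplingResponderTimeout.
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
        -timeout 10 -resp_text
)

# Run only when both files are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then ocsp_check "$1" "$2"; fi
```

Run it on the web server itself, with the same proxy settings if any, since that is where mod_ssl makes the request.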