Could not connect to OCSP responder
We have big trouble on all our cPanel servers:
Sites with HTTPS connections fall down with the following error:
[Tue Oct 10 09:48:14.149790 2017] [ssl:error] [pid 1776] (101)Network is unreachable: [client 199.66.88.30:62799] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Oct 10 09:48:14.150198 2017] [ssl:error] [pid 1776] AH01941: stapling_renew_response: responder error
When we try to ping it:
ping ocsp.comodoca.com
PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
--- ocsp.comodoca.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1651ms
But ocsp.comodoca.com is accessible from other (non-cPanel) servers:
ping ocsp.comodoca.com
PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=1 ttl=52 time=117 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=52 time=117 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=52 time=117 ms
There are no csf (or other) firewalls on the server, iptables is flushed and stopped, but still:
ping ocsp.comodoca.com
PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
--- ocsp.comodoca.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2412ms
Trace:
root@server68 [~]# mtr ocsp.comodoca.com --report
HOST: **** Loss% Snt Last Avg Best Wrst StDev
1. ******* 0.0% 10 0.8 1.1 0.8 2.4 0.5
2. 46.164.132.169 0.0% 10 0.7 0.5 0.3 1.0 0.2
3. tr1-v454.de-fra.example.ua 0.0% 10 26.7 26.8 26.7 27.7 0.3
4. ffm-b1-link.example.net 0.0% 10 26.8 27.2 26.8 29.0 0.7
5. ae6.cr1-fra6.ip4.example.com 0.0% 10 27.4 27.4 27.3 27.5 0.0
6. et-5-3-0.cr9-nyc3.ip4.example.com 0.0% 10 119.2 119.1 118.9 119.4 0.2
7. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
Hello,
Are you using the default cipher list for Apache in "WHM Home » Service Configuration » Apache Configuration » Global Configuration"? Does toggling the default option for the cipher list and saving the changes address the issue?
Thank you.
Hello,
I had the same issue - I then selected the default cipher as mentioned by @cPanelMichael, which worked, and now the error is gone. However, this seems to repeat from time to time - and each time I have to re-select the default cipher, so I am not sure why that option doesn't remain selected.
Feel free to open a support ticket if you'd like us to take a closer look to see what could be happening.
Thank you.
Had the same issue again today (on multiple servers) and going to "WHM Home » Service Configuration » Apache Configuration » Global Configuration" and re-selecting default cipher (already selected) and then saving seems to have solved the issue - I will open a ticket if it comes back again.
Hi @cPanelMichael,
I had the same issue again today - after having rebooted the cPanel server (after receiving the "Processes High - reboot the server to update the system" cPanel advisor message). So I rebooted the server and again I get the SSL stapling errors in the Apache Error Log:
[ssl:error] [pid 1776] (101) Network is unreachable: [client 123.123.123.123:62799] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Dec 17 09:48:14.150198 2017] [ssl:error] [pid 1776] AH01941: stapling_renew_response: responder error
After doing a bit of googling, I found this helpful article which explains how to verify if SSL stapling is working on Apache (Apache: Instructions for OCSP Stapling | DigiCert.com).
As per the suggestion in the article, SSL Certificate Checker - Diagnostic Tool | DigiCert.com - on this page I was able to see the result of my server SSL stapling - which was "Not enabled".
Then, I went to WHM Home » Service Configuration » Apache Configuration » Global Configuration - and reset the Cipher Suite to default again.
I then re-checked the SSL stapling at SSL Certificate Checker - Diagnostic Tool | DigiCert.com - this page now shows the SSL stapling is now "Enabled".
So clearly, when rebooting my machine - the Cipher suite is not being read - or perhaps there is a cache error? Something is preventing the default Cipher suite from rebuilding. This is happening on all of my VMs. Any suggestions?
Thanks
Hello,
It sounds like an issue where the server's hostname changes during the reboot, but it's difficult to know for sure without access to an affected system. Could you open a support ticket using the link in my signature so we can take a closer look?
Thank you.
Hi Michael & OPs,
I have just had the exact same issue, & resolution, as the OPs above. I resolved it as above, pls see screen grabs (below) attached where it shows the change from "OCSP Staple: Not Enabled" -to- "Good".
The problem happened when I rebooted the server (gracefully) to install a kernel update. The error logs were as follows, so I researched this (great!) forum and used this fix. (WHM is at latest Version.)
- Robin.
/usr/local/apache/logs/error_log:
[Wed Sep 05 08:20:04.506505 2018] [ssl:error] [pid 3299] (101)Network is unreachable: [client 199.30.231.5:24339] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Wed Sep 05 08:20:04.506549 2018] [ssl:error] [pid 3299] AH01941: stapling_renew_response: responder error
[Wed Sep 05 08:50:40.288728 2018] [ssl:error] [pid 3297] (101)Network is unreachable: [client 66.249.64.144:54725] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Wed Sep 05 08:50:40.288782 2018] [ssl:error] [pid 3297] AH01941: stapling_renew_response: responder error
[Wed Sep 05 08:50:41.288681 2018] [ssl:error] [pid 11523] (101)Network is unreachable: [client 66.249.64.146:63097] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Wed Sep 05 08:50:41.288718 2018] [ssl:error] [pid 11523] AH01941: stapling_renew_response: responder error
........ ........
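The paired AH01974/AH01941 entries posted in this thread can be tallied per responder and errno to see how often, and over what window, stapling renewals fail. The following is an added example, not part of any post and not cPanel's or Apache's code; the sample lines are constructed in the thread's log format and `summarize_stapling_errors` is a hypothetical helper name.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the error_log format quoted in this thread
# (client addresses are documentation-range placeholders).
SAMPLE_LOG = """\
[Wed Sep 05 08:20:04.506505 2018] [ssl:error] [pid 3299] (101)Network is unreachable: [client 192.0.2.10:24339] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Wed Sep 05 08:20:04.506549 2018] [ssl:error] [pid 3299] AH01941: stapling_renew_response: responder error
[Wed Sep 05 08:50:40.288728 2018] [ssl:error] [pid 3297] (101)Network is unreachable: [client 192.0.2.11:54725] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Wed Sep 05 08:50:40.288782 2018] [ssl:error] [pid 3297] AH01941: stapling_renew_response: responder error
[Wed Sep 05 09:01:02.000001 2018] [core:notice] [pid 3290] AH00094: Command line: '/usr/sbin/httpd'
"""

# Optional "(errno)text:" and "[client ...]" parts precede the AH code.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid \d+\] "
    r"(?:\((?P<errno>\d+)\)\s*[^:]+: )?"
    r"(?:\[client [^\]]+\] )?(?P<code>AH\d{5}): (?P<msg>.*)$"
)
RESPONDER = re.compile(r"OCSP responder '([^']+)'")

def summarize_stapling_errors(log_text):
    """Count AH01974 connect failures per (responder, errno) and AH01941 renewals."""
    connect_failures = Counter()
    renew_failures = 0
    seen = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["code"] not in ("AH01974", "AH01941"):
            continue
        try:
            seen.append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"))
        except ValueError:
            pass  # hand-edited timestamp: still count the event
        if m["code"] == "AH01974":
            r = RESPONDER.search(m["msg"])
            responder = r.group(1) if r else "unknown"
            # errno 101 is ENETUNREACH on Linux; None if the line has no errno
            err = int(m["errno"]) if m["errno"] else None
            connect_failures[(responder, err)] += 1
        else:
            renew_failures += 1
    window = (min(seen), max(seen)) if seen else None
    return {"connect_failures": dict(connect_failures),
            "renew_failures": renew_failures, "window": window}

if __name__ == "__main__":
    print(summarize_stapling_errors(SAMPLE_LOG))
```

On a cPanel server the input would be the contents of /usr/local/apache/logs/error_log, the path given in the post above.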
Yes, this issue has come up again for me. I can't seem to fix it with the above mentioned fix and I can't open a support ticket, as when I access cPanel Customer Portal I get service unavailable 503.
I just tried logging into the ticket system and noted no issues. Could you try again right now and post back here if you get in or not please?