Any problem with ocsp.comodoca.com ssl?

[garconcn]

Found following error repeatedly on multiple servers tonight.

[Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 58447:tid 139759879960320] (111)Connection refused: [client 66.249.79.119:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Apr 03 21:21:01.410083 2018] [ssl:error] [pid 58447:tid 139759879960320] AH01941: stapling_renew_response: responder error​

Ping ocsp.comodoca.com got duplicate packets:

PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.89 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.54 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.62 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.62 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.74 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.83 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.95 ms (DUP!)
^C
--- ocsp.comodoca.com ping statistics ---
8 packets transmitted, 7 received, +14 duplicates, 12% packet loss, time 7008ms
rtt min/avg/max/mdev = 4.540/4.794/5.099/0.180 ms​

 

[garconcn]

I found some https sites are slow at "performing a TLS handshake to domain.com", sometimes the site get times out.

 

[KazeDesu]

I am having the same issue, I contacted Comodo, and their response:

Sorry for the inconvenience!

We are experiencing an issue with OCSP responder, please do allow some time to get it's resolved. The issue has been escalated already and our team is working on this.

 

[cPanelLauren]

Hello,


We are aware of the issue with Comodo as well and we're currently tracking it as part of an internal case CPANEL-19612. We'll update this thread with more information as soon as it becomes available

You can work around this issue by temporarily disabling SSL Stapling in Apache. This will cause client browsers to perform the OCSP check instead of waiting on your server to perform the check. The quickest way to do this is to:

1) Navigate to WHM -> Service Configuration -> Apache Configuration -> Include Editor.
2) Under "Pre Virtualhost Includes" set the drop-down to "All Versions"
3) In the text box, enter the following:

SSLUseStapling off

4) Click "Update" to save the changes, and then restart Apache.

=====

Alternatively, if you wish to do this via the command line, the following can be run:

For EA4:
== == == == == == == ==
echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
== == == == == == == ==

For EA3:
== == == == == == == ==
echo "SSLUseStapling off" >> /usr/local/apache/conf/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
== == == == == == == ==

Once this issue has been resolved, we recommend removing this workaround.

Thank you,

 

[benwbandm]

I've just given this a try and I can see my browser trying to perform the TLS handshake, the above doesn't seem to have solved anything. I'll keep an eye on this thread.

 

[cPanelLauren]

Hello @benwbandm

I'm sorry that it didn't work for you, looking at the internal case it appears that it was closed earlier due to the issues with Comodo having been resolved. If you're still experiencing issues with this and the workaround isn't working for you I would suggest opening a ticket using the link in my signature so we can look further into the issue for you.

 

[benwbandm]

Hey @cPanelLauren - I've got a ticket open (9411947) - Just awaiting a reply, strangely I'm only having issues with SSL.

 

[cPanelLauren]

Hi @benwbandm

Thank you for updating with the ticket number! I've noted this forum post on the ticket as well. I also noticed that you mentioned you're using Let's Encrypt for your certificate so I don't believe this will be related to OCSP issues Comodo was experiencing.

I'll check continue to check in on the ticket as well.

Thank you,

 

[benwbandm]

Hey @cPanelLauren - I've switched between both LE and Cpanel AutoSSL, never of which seem to work. I really cannot get my head around how the SSL side of stuff just suddenly crashes and burns. If you could nudge someone slightly it would be appreciated as this problem is now affecting another server! I'm aware there are other problems to address too

 

[cPanelLauren]

Hi @benwbandm

I see I'll keep watching it as well. I can see what I can do but our techs are busier than normal today, I am sorry for the delay.

 

[chufrog]

We encounter exactly the same issue.
Lots of our client not happy with it.

 

[cPanelLauren]

Hi @chufrog

I just checked in on the issue that @benwbandm was having. The issue actually spawned an internal case EA-7379 the resolution of which was pushed yesterday and has solved the issue for @benwbandm servers. This issue is related to a problem with mysql-1.so within the apr-util causing segfaults when loading pages over https.

This issue did turn out to be different than the Comodo OCSP issues that were first presented in this thread but if you are experiencing this issue and the update which was pushed overnight did not resolve It I would strongly urge you to open a ticket with us using the link in my signature.


Thank you,

 

[chufrog]

Sorry for the misleading message.

I encounter the same issue garconcn, i.e.

PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.89 ms (DUP!)

And hence

[Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 58447:tid 139759879960320] (111)Connection refused: [client IP REMOVED:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'

And all the SSL website down

and finally the whole down as Apache full of "r" status processes (all the "r" status process come from https request) and no more free slot for http connection.

We find this section

[% IF supported.stapling -%]
SSLUseStapling on
SSLStaplingCache shmcb:[% paths.dir_run %]/stapling_cache_shmcb(256000)

# Prevent browsers from failing if an OCSP server is temporarily broken.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off
SSLStaplingResponderTimeout 3
[% END -%]

on /var/cpanel/templates/apache2_4/ea4_main.default

But it didn't protect our server when we having a network issue with ocsp.comodoca.com

 

[cPanelLauren]

Hi @chufrog

If this is still occurring and the workaround did not work for you could you please open a ticket using the link in my signature?

From what we're seeing the comodo issue appears to be resolved at this time and the internal case has been marked as complete.


Thank you,

 

[chufrog]

Thank you, we will set SSLUseStapling to off if we encounter such issue again.

 

[cPanelLauren]

Hi @chufrog

That should work! Please let us know if you have any further issues with this.


Thank you,

 

[chufrog]

Such error happen again right now.
The workaround not work.

 

[bruzli]

same issue here, fixed with SSLUseStapling off

 

[cPanelLauren]

Hello,


It does appear that Comodo is again experiencing issues with this. @chufrog can you please open a ticket so that we can take a closer look? SSLUseStapling off should resolve the issue and I'm concerned that yours may be different.

Thank you,

 

[chufrog]

Hello,


It does appear that Comodo is again experiencing issues with this. @chufrog can you please open a ticket so that we can take a closer look? SSLUseStapling off should resolve the issue and I'm concerned that yours may be different.

Thank you,

Thank you.
We have a ticket on buycpanel.com, ticket id: 831732