Any problem with ocsp.comodoca.com ssl?

Discussion in 'Security' started by garconcn, Apr 3, 2018.

  1. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    119
    Likes Received:
    6
    Trophy Points:
    68
    Found the following error repeatedly on multiple servers tonight.

    [Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 58447:tid 139759879960320] (111)Connection refused: [client 66.249.79.119:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Tue Apr 03 21:21:01.410083 2018] [ssl:error] [pid 58447:tid 139759879960320] AH01941: stapling_renew_response: responder error

    Ping ocsp.comodoca.com got duplicate packets:

    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.89 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.54 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.62 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.62 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.74 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.83 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.83 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.83 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.83 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.95 ms (DUP!)
    ^C
    --- ocsp.comodoca.com ping statistics ---
    8 packets transmitted, 7 received, +14 duplicates, 12% packet loss, time 7008ms
    rtt min/avg/max/mdev = 4.540/4.794/5.099/0.180 ms
     
    KazeDesu likes this.
  2. garconcn

    garconcn Well-Known Member

    I found some https sites are slow at "performing a TLS handshake to domain.com"; sometimes the site times out.
     
  3. KazeDesu

    KazeDesu Registered

    Joined:
    Apr 4, 2018
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    CA, USA
    cPanel Access Level:
    Root Administrator
    I am having the same issue, I contacted Comodo, and their response:

     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    428
    Likes Received:
    29
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,


    We are aware of the issue with Comodo as well and we're currently tracking it as part of an internal case CPANEL-19612. We'll update this thread with more information as soon as it becomes available.

    You can work around this issue by temporarily disabling SSL Stapling in Apache. This will cause client browsers to perform the OCSP check instead of waiting on your server to perform the check. The quickest way to do this is to:

    1) Navigate to WHM -> Service Configuration -> Apache Configuration -> Include Editor.
    2) Under "Pre Virtualhost Includes" set the drop-down to "All Versions"
    3) In the text box, enter the following:

    SSLUseStapling off

    4) Click "Update" to save the changes, and then restart Apache.

    =====

    Alternatively, if you wish to do this via the command line, the following can be run:

    For EA4:
    == == == == == == == ==
    echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
    == == == == == == == ==

    For EA3:
    == == == == == == == ==
    echo "SSLUseStapling off" >> /usr/local/apache/conf/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
    == == == == == == == ==

    Once this issue has been resolved, we recommend removing this workaround.

    Thank you,
     
    Infopro likes this.
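
The one-line commands in the post above append with `>>`, so running them twice leaves duplicate directives, and the post asks for the workaround to be removed later. The following is an added example, not part of the post or of cPanel's tooling: a POSIX shell helper that applies and removes the line idempotently. The function and variable names are hypothetical; the include path and restart script are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: idempotent apply/remove of the "SSLUseStapling off" workaround.
# DEFAULT_INCLUDE is the EA4 path quoted in the post; pass the EA3 path as $1 instead.
DEFAULT_INCLUDE='/etc/apache2/conf.d/includes/pre_virtualhost_global.conf'
# Apache directive names and On/Off values are case-insensitive, hence grep -i.
WORKAROUND_RE='^[[:space:]]*SSLUseStapling[[:space:]]+off[[:space:]]*$'

# Exit 0 if the include file already carries an active (uncommented) workaround line.
stapling_workaround_present() {
    _f="${1:-$DEFAULT_INCLUDE}"
    [ -f "$_f" ] && grep -Eqi "$WORKAROUND_RE" "$_f"
}

# Append the directive only when missing, so reruns do not stack duplicate lines.
# Exit 0 if the file was changed, 1 if it already had the line.
stapling_workaround_apply() {
    _f="${1:-$DEFAULT_INCLUDE}"
    if stapling_workaround_present "$_f"; then
        return 1
    fi
    # Guard against gluing the directive onto an unterminated last line.
    if [ -s "$_f" ] && [ -n "$(tail -c 1 "$_f")" ]; then
        printf '\n' >> "$_f"
    fi
    printf 'SSLUseStapling off\n' >> "$_f"
}

# Remove every active workaround line and leave all other directives untouched.
# Exit 0 if the file was changed, 1 if there was nothing to remove.
stapling_workaround_remove() {
    _f="${1:-$DEFAULT_INCLUDE}"
    stapling_workaround_present "$_f" || return 1
    _tmp="$(mktemp)" || return 2
    # grep -v exits 1 when nothing is left to print; only exit 2 is a real error.
    grep -Eiv "$WORKAROUND_RE" "$_f" > "$_tmp" || [ $? -eq 1 ] || { rm -f "$_tmp"; return 2; }
    cat "$_tmp" > "$_f"      # rewrite in place to keep the file's owner and mode
    rm -f "$_tmp"
}

# Typical use on the server (restart command as given in the post):
#   stapling_workaround_apply  && /scripts/restartsrv_httpd
#   stapling_workaround_remove && /scripts/restartsrv_httpd   # once the responder is back
```

Because both functions return non-zero when nothing changed, Apache is only restarted when the include file was actually modified.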
  5. benwbandm

    benwbandm Member

    Joined:
    Jul 17, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    I've just given this a try and I can see my browser trying to perform the TLS handshake; the above doesn't seem to have solved anything. I'll keep an eye on this thread.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hello @benwbandm

    I'm sorry that it didn't work for you, looking at the internal case it appears that it was closed earlier due to the issues with Comodo having been resolved. If you're still experiencing issues with this and the workaround isn't working for you I would suggest opening a ticket using the link in my signature so we can look further into the issue for you.
     
  7. benwbandm

    benwbandm Member

    Hey @cPanelLauren - I've got a ticket open (9411947) - Just awaiting a reply, strangely I'm only having issues with SSL.
     
  8. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @benwbandm

    Thank you for updating with the ticket number! I've noted this forum post on the ticket as well. I also noticed that you mentioned you're using Let's Encrypt for your certificate, so I don't believe this will be related to the OCSP issues Comodo was experiencing.

    I'll continue to check in on the ticket as well.

    Thank you,
     
  9. benwbandm

    benwbandm Member

    Hey @cPanelLauren - I've switched between both LE and cPanel AutoSSL, neither of which seems to work. I really cannot get my head around how the SSL side of stuff just suddenly crashes and burns. If you could nudge someone slightly it would be appreciated as this problem is now affecting another server! I'm aware there are other problems to address too :)
     
  10. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @benwbandm

    I see, I'll keep watching it as well. I can see what I can do but our techs are busier than normal today. I am sorry for the delay.
     
  11. chufrog

    chufrog Member

    Joined:
    Apr 15, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    HK
    cPanel Access Level:
    Root Administrator
    We are encountering exactly the same issue.
    Lots of our clients are not happy with it.
     
  12. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @chufrog

    I just checked in on the issue that @benwbandm was having. The issue actually spawned an internal case, EA-7379, the resolution of which was pushed yesterday and has solved the issue for @benwbandm's servers. This issue is related to a problem with mysql-1.so within the apr-util causing segfaults when loading pages over https.

    This issue did turn out to be different than the Comodo OCSP issues that were first presented in this thread, but if you are experiencing this issue and the update which was pushed overnight did not resolve it, I would strongly urge you to open a ticket with us using the link in my signature.


    Thank you,
     
  13. chufrog

    chufrog Member

    Sorry for the misleading message.

    I encountered the same issue as garconcn, i.e.

    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms (DUP!)
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.89 ms (DUP!)

    And hence

    [Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 58447:tid 139759879960320] (111)Connection refused: [client IP REMOVED:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'

    And all the SSL websites went down,

    and finally the whole server went down as Apache was full of "r" status processes (all the "r" status processes come from https requests) and there were no more free slots for http connections.

    We find this section

    [% IF supported.stapling -%]
    SSLUseStapling on
    SSLStaplingCache shmcb:[% paths.dir_run %]/stapling_cache_shmcb(256000)

    # Prevent browsers from failing if an OCSP server is temporarily broken.
    SSLStaplingReturnResponderErrors off
    SSLStaplingErrorCacheTimeout 60
    SSLStaplingFakeTryLater off
    SSLStaplingResponderTimeout 3
    [% END -%]

    in /var/cpanel/templates/apache2_4/ea4_main.default

    But it didn't protect our server when we were having a network issue with ocsp.comodoca.com
     
    #13 chufrog, Apr 6, 2018
    Last edited by a moderator: Apr 6, 2018
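
The AH01974 and AH01941 lines quoted in this post and in the opening post can be summarised per responder to see whether a stapling outage is under way and how long it has lasted. The following is an added example, not part of any poster's message; the function names are hypothetical and the sample log is constructed in the format shown in the thread.

```shell
#!/bin/sh
# Constructed sample in the format of the log lines quoted in the thread
# (client IPs are documentation addresses, timestamps and pids are made up).
sample_error_log() {
cat <<'EOF'
[Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 101:tid 1] (111)Connection refused: [client 192.0.2.10:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Apr 03 21:21:01.410083 2018] [ssl:error] [pid 101:tid 1] AH01941: stapling_renew_response: responder error
[Tue Apr 03 21:22:07.000100 2018] [ssl:error] [pid 102:tid 2] (111)Connection refused: [client 192.0.2.11:50000] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Apr 03 21:22:07.000150 2018] [ssl:error] [pid 102:tid 2] AH01941: stapling_renew_response: responder error
[Tue Apr 03 21:23:30.000200 2018] [core:notice] [pid 100:tid 1] AH00094: Command line: 'httpd'
EOF
}

# One line per responder:
#   "<responder> connect_failures=<n> first=<HH:MM:SS> last=<HH:MM:SS>"
# Reads the files given as arguments, or stdin when there are none.
ocsp_connect_failures() {
    awk -v q="'" '
        /AH01974:/ {
            split($0, part, q)        # responder name sits between the single quotes
            host = part[2]
            ts = substr($4, 1, 8)     # $4 is HH:MM:SS.micro in the Apache timestamp
            if (!(host in count)) first[host] = ts
            count[host]++
            last[host] = ts
        }
        END {
            for (host in count)
                printf "%s connect_failures=%d first=%s last=%s\n",
                       host, count[host], first[host], last[host]
        }' "$@"
}

# Number of stapling renewals that failed (AH01941 lines).
ocsp_renew_failures() {
    awk '/AH01941:/ { n++ } END { print n + 0 }' "$@"
}

# Exit 0 when any responder has at least $1 connect failures in the log(s).
ocsp_outage_suspected() {
    _threshold="$1"; shift
    ocsp_connect_failures "$@" |
        awk -v t="$_threshold" -F'connect_failures=' \
            '{ if ($2 + 0 >= t + 0) hit = 1 } END { exit !hit }'
}
```

Run against the live Apache error log, `ocsp_outage_suspected` can gate the `SSLUseStapling off` workaround so it is applied only while a responder is actually refusing connections.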
  14. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @chufrog

    If this is still occurring and the workaround did not work for you, could you please open a ticket using the link in my signature?

    From what we're seeing, the Comodo issue appears to be resolved at this time and the internal case has been marked as complete.


    Thank you,
     
  15. chufrog

    chufrog Member

    Thank you, we will set SSLUseStapling to off if we encounter such an issue again.
     
  16. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @chufrog

    That should work! Please let us know if you have any further issues with this.


    Thank you,
     
  17. chufrog

    chufrog Member

    This error is happening again right now.
    The workaround does not work.
     
  18. bruzli

    bruzli Member

    Joined:
    Aug 11, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    same issue here, fixed with SSLUseStapling off
     
  19. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hello,


    It does appear that Comodo is again experiencing issues with this. @chufrog can you please open a ticket so that we can take a closer look? SSLUseStapling off should resolve the issue and I'm concerned that yours may be different.

    Thank you,
     
  20. chufrog

    chufrog Member

    Thank you.
    We have a ticket on buycpanel.com, ticket id: 831732
     