Any problem with ocsp.comodoca.com ssl?

garconcn

Well-Known Member
Oct 29, 2009
Found following error repeatedly on multiple servers tonight.

[Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 58447:tid 139759879960320] (111)Connection refused: [client 66.249.79.119:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Apr 03 21:21:01.410083 2018] [ssl:error] [pid 58447:tid 139759879960320] AH01941: stapling_renew_response: responder error

Ping ocsp.comodoca.com got duplicate packets:

PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.89 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=58 time=5.09 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.54 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.62 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=4 ttl=58 time=4.62 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=5 ttl=58 time=4.54 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=6 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.74 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=7 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.83 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.83 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=8 ttl=58 time=4.95 ms (DUP!)
^C
--- ocsp.comodoca.com ping statistics ---
8 packets transmitted, 7 received, +14 duplicates, 12% packet loss, time 7008ms
rtt min/avg/max/mdev = 4.540/4.794/5.099/0.180 ms
 

garconcn

Well-Known Member
Oct 29, 2009
I found some https sites are slow at "performing a TLS handshake to domain.com"; sometimes the site times out.
 

KazeDesu

Registered
Apr 4, 2018
I am having the same issue, I contacted Comodo, and their response:

Sorry for the inconvenience!

We are experiencing an issue with the OCSP responder, please do allow some time to get it resolved. The issue has been escalated already and our team is working on this.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hello,


We are aware of the issue with Comodo as well and we're currently tracking it as part of an internal case CPANEL-19612. We'll update this thread with more information as soon as it becomes available.

You can work around this issue by temporarily disabling SSL Stapling in Apache. This will cause client browsers to perform the OCSP check instead of waiting on your server to perform the check. The quickest way to do this is to:

1) Navigate to WHM -> Service Configuration -> Apache Configuration -> Include Editor.
2) Under "Pre Virtualhost Includes" set the drop-down to "All Versions".
3) In the text box, enter the following:

SSLUseStapling off

4) Click "Update" to save the changes, and then restart Apache.

=====

Alternatively, if you wish to do this via the command line, the following can be run:

For EA4:
=====
echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
=====

For EA3:
=====
echo "SSLUseStapling off" >> /usr/local/apache/conf/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
=====

Once this issue has been resolved, we recommend removing this workaround.

Thank you,
 
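As an added example (not cPanel's own script, and not code from this thread), here is an idempotent version of the command-line workaround above. The one-line `echo ... >>` form appends another "SSLUseStapling off" every time it is run, and the post asks for the change to be removed once the responder recovers, so the script below can both apply and revert it, and only calls the cPanel restart script when it actually exists on the host. The default include path is the EA4 path from the post; the INCLUDE_FILE override and the skip-restart behaviour are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent apply/revert of the "SSLUseStapling off" workaround.
# Not cPanel's own tooling. INCLUDE_FILE defaults to the EA4 path quoted in the
# post; set INCLUDE_FILE=/usr/local/apache/conf/includes/pre_virtualhost_global.conf
# for EA3. Restart is skipped when /scripts/restartsrv_httpd is absent.

INCLUDE_FILE="${INCLUDE_FILE:-/etc/apache2/conf.d/includes/pre_virtualhost_global.conf}"
RESTART_CMD="/scripts/restartsrv_httpd"   # cPanel restart script from the post
DIRECTIVE="SSLUseStapling off"

# Append the directive only if it is not already present as a whole line, so
# repeated runs do not stack duplicate lines in the include file.
disable_stapling() {
    file="$1"
    if grep -qx "$DIRECTIVE" "$file" 2>/dev/null; then
        echo "already present in $file"
        return 0
    fi
    printf '%s\n' "$DIRECTIVE" >> "$file"
    echo "appended '$DIRECTIVE' to $file"
}

# Remove the workaround line again once the responder is healthy (the post
# recommends removing it afterwards). Every other line is left untouched.
restore_stapling() {
    file="$1"
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    # grep exits 1 when nothing remains; that is not an error here.
    grep -vx "$DIRECTIVE" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

# Number of whole-line occurrences of the directive (0 when absent).
stapling_off_count() {
    grep -cx "$DIRECTIVE" "$1" 2>/dev/null || true
}

# Restart Apache only on a host that actually has the cPanel restart script.
restart_apache() {
    if [ -x "$RESTART_CMD" ]; then
        "$RESTART_CMD"
    else
        echo "skip restart: $RESTART_CMD not found (not a cPanel host?)"
    fi
}

# Usage: ./stapling-workaround.sh apply | revert
case "${1:-}" in
    apply)  disable_stapling "$INCLUDE_FILE"; restart_apache ;;
    revert) restore_stapling "$INCLUDE_FILE"; restart_apache ;;
esac
```

Run it as `INCLUDE_FILE=/path/to/pre_virtualhost_global.conf ./stapling-workaround.sh apply` during the outage and with `revert` afterwards; matching on the whole line (`grep -x`) means a commented-out or differently spaced directive is neither counted nor removed.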

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hello @benwbandm

I'm sorry that it didn't work for you, looking at the internal case it appears that it was closed earlier due to the issues with Comodo having been resolved. If you're still experiencing issues with this and the workaround isn't working for you I would suggest opening a ticket using the link in my signature so we can look further into the issue for you.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hi @benwbandm

Thank you for updating with the ticket number! I've noted this forum post on the ticket as well. I also noticed that you mentioned you're using Let's Encrypt for your certificate so I don't believe this will be related to OCSP issues Comodo was experiencing.

I'll continue to check in on the ticket as well.

Thank you,
 

benwbandm

Member
Jul 17, 2017
Hey @cPanelLauren - I've switched between both LE and cPanel AutoSSL, neither of which seems to work. I really cannot get my head around how the SSL side of stuff just suddenly crashes and burns. If you could nudge someone slightly it would be appreciated, as this problem is now affecting another server! I'm aware there are other problems to address too :)
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hi @chufrog

I just checked in on the issue that @benwbandm was having. The issue actually spawned an internal case EA-7379, the resolution of which was pushed yesterday and has solved the issue for @benwbandm's servers. This issue is related to a problem with mysql-1.so within apr-util causing segfaults when loading pages over https.

This issue did turn out to be different from the Comodo OCSP issues that were first presented in this thread, but if you are experiencing this issue and the update which was pushed overnight did not resolve it, I would strongly urge you to open a ticket with us using the link in my signature.


Thank you,
 

chufrog

Member
Apr 15, 2015
Sorry for the misleading message.

I encounter the same issue as garconcn, i.e.

PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.77 ms (DUP!)
64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=58 time=4.89 ms (DUP!)

And hence

[Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 58447:tid 139759879960320] (111)Connection refused: [client IP REMOVED:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'

And all the SSL websites went down,

and finally the whole server went down, as Apache was full of "r" status processes (all the "r" status processes came from https requests) and there were no more free slots for http connections.

We find this section

[% IF supported.stapling -%]
SSLUseStapling on
SSLStaplingCache shmcb:[% paths.dir_run %]/stapling_cache_shmcb(256000)

# Prevent browsers from failing if an OCSP server is temporarily broken.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off
SSLStaplingResponderTimeout 3
[% END -%]

on /var/cpanel/templates/apache2_4/ea4_main.default

But it didn't protect our server when we were having a network issue with ocsp.comodoca.com.
 
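An added example (not from this thread and not cPanel's code) of the error-log check a server admin could run to notice this condition early, before stapling renewals against an unreachable responder start to tie up workers as described in the post above. It counts the AH01974 "could not connect to OCSP responder" lines per responder host and raises an alert when one responder crosses a threshold. The sample log lines are constructed to match the message format quoted in this thread; the client addresses, pids, timestamps, the second responder name and the default threshold are made up for the demo.

```shell
#!/bin/sh
# Added example: count OCSP responder connection failures in an Apache error
# log and alert on a burst against a single responder. Not cPanel tooling.

# Constructed sample lines (format taken from the thread; values invented).
sample_log() {
cat <<'EOF'
[Tue Apr 03 21:21:01.410040 2018] [ssl:error] [pid 58447:tid 139759879960320] (111)Connection refused: [client 192.0.2.10:64552] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Apr 03 21:21:01.410083 2018] [ssl:error] [pid 58447:tid 139759879960320] AH01941: stapling_renew_response: responder error
[Tue Apr 03 21:21:05.100000 2018] [ssl:error] [pid 58449:tid 139759879960320] (110)Connection timed out: [client 192.0.2.11:51000] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Apr 03 21:21:09.000000 2018] [ssl:error] [pid 58450:tid 139759879960320] (111)Connection refused: [client 192.0.2.12:40001] AH01974: could not connect to OCSP responder 'ocsp.example.invalid'
[Tue Apr 03 21:21:10.000000 2018] [core:notice] [pid 58440] AH00094: Command line: '/usr/sbin/httpd'
EOF
}

# Read log text on stdin and print "count responder" for every responder
# named in an AH01974 line. AH01941 lines carry no host, so they are ignored.
count_responder_failures() {
    grep 'AH01974' \
      | sed -n "s/.*OCSP responder '\([^']*\)'.*/\1/p" \
      | sort | uniq -c \
      | awk '{print $1, $2}'
}

# Exit 1 (and print an ALERT line) if any single responder has at least
# THRESHOLD failures in the input, else exit 0. Default threshold is a demo value.
responder_alert() {
    threshold="${1:-2}"
    count_responder_failures | awk -v t="$threshold" '
        $1 >= t { bad = 1; print "ALERT: " $1 " OCSP failures for " $2 }
        END     { exit bad ? 1 : 0 }'
}

# Usage on a live host (path assumed; adjust to your error_log location):
#   tail -n 2000 /etc/apache2/logs/error_log | responder_alert 20
# Demo run over the constructed sample when executed directly:
if [ "${1:-}" = "demo" ]; then
    sample_log | count_responder_failures
    sample_log | responder_alert 2 || echo "responder failure burst detected"
fi
```

Pipe a rolling window of the error log into `responder_alert` from cron or a monitoring agent; because the function reads stdin, the same code works on a file, on `tail -f` output, or on lines shipped from several servers.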

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hi @chufrog

If this is still occurring and the workaround did not work for you could you please open a ticket using the link in my signature?

From what we're seeing the Comodo issue appears to be resolved at this time and the internal case has been marked as complete.


Thank you,
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hello,


It does appear that Comodo is again experiencing issues with this. @chufrog can you please open a ticket so that we can take a closer look? SSLUseStapling off should resolve the issue and I'm concerned that yours may be different.

Thank you,