Apache stapling_renew_response: responder error

Discussion in 'Security' started by monkey64, Aug 11, 2014.

  1. monkey64

    monkey64 Well-Known Member

    My Apache error log shows a lot of "stapling_renew_response: responder" errors:

    It is an intermittent fault but when I restart Apache, the issue goes away temporarily.
    It looks like the issue occurs when Apache attempts to resolve the address of the OCSP responder.

    Code:
    [Mon Jun 30 16:00:52.666880 2014] [ssl:error] [pid 20449] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:54254] AH01972: could not resolve address of OCSP responder EVSSL-ocsp.geotrust.com
    [Mon Jun 30 16:00:52.666954 2014] [ssl:error] [pid 20449] AH01941: stapling_renew_response: responder error
    
    [Wed Jul 02 21:16:00.660224 2014] [ssl:error] [pid 13700] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:7467] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com
    [Wed Jul 02 21:16:00.660284 2014] [ssl:error] [pid 13700] AH01941: stapling_renew_response: responder error
    
    [Mon Jul 07 13:00:48.082422 2014] [ssl:error] [pid 23502] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:62983] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com
    [Mon Jul 07 13:00:48.082505 2014] [ssl:error] [pid 23502] AH01941: stapling_renew_response: responder error
    
    From my httpd.conf file:

    Code:
    SSLUseStapling on
    SSLStaplingCache shmcb:/usr/local/apache/logs/stapling_cache_shmcb(256000)
    SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data_shmcb(1024000)
    
    SSLSessionCacheTimeout  300
    Mutex                   file:/usr/local/apache/logs ssl-cache
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    
    I checked OCSP Stapling using this command:
    Code:
    echo QUIT | openssl s_client -connect www.mysite.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
    
    and received this response which shows it working:

    Code:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: CN = RapidSSL TGV OCSP Responder
        Produced At: Aug  8 22:59:14 2014 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 123456789XXXXXXXXXXXXXXXXXXXX
          Issuer Key Hash: 123456789XXXXXXXXXXXXXXXXXXXX
          Serial Number: ABCD123
        Cert Status: good
        This Update: Aug  8 22:59:14 2014 GMT
        Next Update: Aug 15 22:59:14 2014 GMT
    
    I checked for the cache files mentioned in httpd.conf (stapling_cache_shmcb and ssl_gcache_data_shmcb) but neither exists. Are they meant to exist?

    Any help would be great.
     
    #1 monkey64, Aug 11, 2014
    Last edited: Aug 11, 2014
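
Added example, not part of the original thread or of cPanel's or Apache's code: a log summarizer that attributes each AH01941 responder error to an AH01972 name-resolution failure logged by the same pid within the preceding second, grouped by OCSP responder host, so intermittent stapling failures can be lined up against resolver outages. The sample lines are constructed in the format quoted above; the `example.test` hostnames, the 203.0.113.x client address and the one-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the error-log format quoted in the post above;
# example.test hostnames and 203.0.113.x addresses are placeholders.
SAMPLE_LOG = """\
[Mon Jun 30 16:00:52.666880 2014] [ssl:error] [pid 20449] (EAI 3)Temporary failure in name resolution: [client 203.0.113.10:54254] AH01972: could not resolve address of OCSP responder ocsp-a.example.test
[Mon Jun 30 16:00:52.666954 2014] [ssl:error] [pid 20449] AH01941: stapling_renew_response: responder error
[Wed Jul 02 21:16:00.660224 2014] [ssl:error] [pid 13700] (EAI 3)Temporary failure in name resolution: [client 203.0.113.10:7467] AH01972: could not resolve address of OCSP responder ocsp-b.example.test
[Wed Jul 02 21:16:00.660284 2014] [ssl:error] [pid 13700] AH01941: stapling_renew_response: responder error
[Mon Jul 07 13:00:48.082422 2014] [ssl:error] [pid 23502] (EAI 3)Temporary failure in name resolution: [client 203.0.113.10:62983] AH01972: could not resolve address of OCSP responder ocsp-b.example.test
[Mon Jul 07 13:00:48.082505 2014] [ssl:error] [pid 23502] AH01941: stapling_renew_response: responder error
[Tue Jul 08 09:30:00.000100 2014] [ssl:error] [pid 23502] AH01941: stapling_renew_response: responder error
"""

LINE = re.compile(r"^\[([^\]]+)\] \[ssl:error\] \[pid (\d+)\] .*?(AH\d{5}): (.*)$")
RESPONDER = re.compile(r"OCSP responder (\S+)$")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

def summarize_stapling_errors(text, window=timedelta(seconds=1)):
    """Attribute each AH01941 to a preceding AH01972 (DNS failure) from the same pid."""
    pending = {}  # pid -> (timestamp, responder) of the latest AH01972
    by_responder = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    unexplained = []  # AH01941 timestamps with no DNS failure just before them
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ssl:error line carrying an AH code
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        pid, code, msg = m.group(2), m.group(3), m.group(4)
        if code == "AH01972":
            host = RESPONDER.search(msg)
            if host:
                pending[pid] = (ts, host.group(1))
        elif code == "AH01941":
            prev = pending.pop(pid, None)
            if prev and ts - prev[0] <= window:
                entry = by_responder[prev[1]]
                entry["count"] += 1
                entry["first"] = entry["first"] or ts
                entry["last"] = ts
            else:
                unexplained.append(ts)
    return dict(by_responder), unexplained

if __name__ == "__main__":
    print(summarize_stapling_errors(SAMPLE_LOG))
```

Responder errors that land in the second return value were not preceded by a resolver failure and need a different explanation than DNS.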
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Does the issue persist if you reinstall the SSL certificate (with CABundle) for the domain name?

    Thank you.
     
  3. monkey64

    monkey64 Well-Known Member

    I have reinstalled the Cert and upgraded to Apache 2.4.10 because I noticed there are "major improvements to OCSP support". I will continue to monitor. Thanks.
     
  4. monkey64

    monkey64 Well-Known Member

    I still have the same issue and I have reinstalled the SSL certificate with CA Bundle for the domain.
    One interesting thing I have noticed is that every time I get the SSL error, a background image on the home page fails to load.

    At the point of the error, other SSL domains seem to be working correctly. By that I mean that I can access a secure page correctly without the error. After I restart Apache, it works again! :mad:

    Any ideas?
     
    #4 monkey64, Aug 22, 2014
    Last edited: Aug 22, 2014
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     