Apache stapling_renew_response: responder error

Discussion in 'Security' started by monkey64, Aug 11, 2014.

  1. monkey64

    My Apache error log shows a lot of "stapling_renew_response: responder" errors.

    It is an intermittent fault but when I restart Apache, the issue goes away temporarily.
    It looks like the issue occurs when Apache attempts to resolve the address of the OCSP responder.

    Code:
    [Mon Jun 30 16:00:52.666880 2014] [ssl:error] [pid 20449] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:54254] AH01972: could not resolve address of OCSP responder EVSSL-ocsp.geotrust.com
    [Mon Jun 30 16:00:52.666954 2014] [ssl:error] [pid 20449] AH01941: stapling_renew_response: responder error
    
    [Wed Jul 02 21:16:00.660224 2014] [ssl:error] [pid 13700] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:7467] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com
    [Wed Jul 02 21:16:00.660284 2014] [ssl:error] [pid 13700] AH01941: stapling_renew_response: responder error
    
    [Mon Jul 07 13:00:48.082422 2014] [ssl:error] [pid 23502] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:62983] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com
    [Mon Jul 07 13:00:48.082505 2014] [ssl:error] [pid 23502] AH01941: stapling_renew_response: responder error
    
    From my httpd.conf file:

    Code:
    SSLUseStapling on
    SSLStaplingCache shmcb:/usr/local/apache/logs/stapling_cache_shmcb(256000)
    SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data_shmcb(1024000)
    
    SSLSessionCacheTimeout  300
    Mutex                   file:/usr/local/apache/logs ssl-cache
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    
    I checked OCSP Stapling using this command:
    Code:
    echo QUIT | openssl s_client -connect www.mysite.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
    
    and received this response which shows it working:

    Code:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: CN = RapidSSL TGV OCSP Responder
        Produced At: Aug  8 22:59:14 2014 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 123456789XXXXXXXXXXXXXXXXXXXX
          Issuer Key Hash: 123456789XXXXXXXXXXXXXXXXXXXX
          Serial Number: ABCD123
        Cert Status: good
        This Update: Aug  8 22:59:14 2014 GMT
        Next Update: Aug 15 22:59:14 2014 GMT
    
    I checked for the cache files mentioned in httpd.conf (stapling_cache_shmcb and ssl_gcache_data_shmcb) but neither exist. Are they meant to exist?

    Any help would be great.
     
    #1 monkey64, Aug 11, 2014
    Last edited: Aug 11, 2014
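
In the log excerpt above, each AH01941 renewal error follows an AH01972 resolution failure from the same pid; that pairing can be tallied per responder with a short awk script. This is an added example, not part of the original posts: the `stapling_summary` and `sample_log` names, the hostnames and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: attribute mod_ssl stapling renewal errors to DNS failures.
# Reads Apache 2.4 error-log lines (files as arguments, or stdin).
# Heuristic: an AH01941 counts as DNS-caused if the same pid logged AH01972 first.
stapling_summary() {
  awk '
    function stamp(line) {            # text inside the first [...] field
      sub(/^\[/, "", line); sub(/\].*$/, "", line); return line
    }
    function pid(line) {              # handles [pid N] and [pid N:tid M]
      return match(line, /\[pid [0-9]+/) ? substr(line, RSTART + 5, RLENGTH - 5) : "?"
    }
    /AH01972: could not resolve address of OCSP responder/ {
      host = $NF                      # responder hostname is the last field
      if (!(host in n)) order[++hosts] = host
      n[host]++; last[host] = stamp($0); pending[pid($0)] = 1
      next
    }
    /AH01941: stapling_renew_response: responder error/ {
      renew++; p = pid($0)
      if (p in pending) { delete pending[p] } else { not_dns++ }
    }
    END {
      for (i = 1; i <= hosts; i++)
        printf "%s dns_failures=%d last=\"%s\"\n", order[i], n[order[i]], last[order[i]]
      printf "renew_errors=%d not_dns=%d\n", renew, not_dns
    }
  ' "$@"
}

# Constructed sample lines modelled on the log format quoted in the post
# (hostnames, pids and client addresses are made up).
sample_log() {
  cat <<'EOF'
[Mon Jun 30 16:00:52.000001 2014] [ssl:error] [pid 101] (EAI 3)Temporary failure in name resolution: [client 192.0.2.10:54254] AH01972: could not resolve address of OCSP responder ocsp-a.example.test
[Mon Jun 30 16:00:52.000002 2014] [ssl:error] [pid 101] AH01941: stapling_renew_response: responder error
[Wed Jul 02 21:16:00.000001 2014] [ssl:error] [pid 102] (EAI 3)Temporary failure in name resolution: [client 192.0.2.11:7467] AH01972: could not resolve address of OCSP responder ocsp-b.example.test
[Wed Jul 02 21:16:00.000002 2014] [ssl:error] [pid 102] AH01941: stapling_renew_response: responder error
[Mon Jul 07 13:00:48.000001 2014] [ssl:error] [pid 103] (EAI 3)Temporary failure in name resolution: [client 192.0.2.12:62983] AH01972: could not resolve address of OCSP responder ocsp-b.example.test
[Mon Jul 07 13:00:48.000002 2014] [ssl:error] [pid 103] AH01941: stapling_renew_response: responder error
[Tue Jul 08 09:00:00.000001 2014] [ssl:error] [pid 104] AH01941: stapling_renew_response: responder error
EOF
}

sample_log | stapling_summary
```

A non-zero `not_dns` count means some renewal errors had no resolution failure logged by the same process, so name resolution is not the only cause to look at.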
  2. cPanelMichael

  3. monkey64

    I have reinstalled the Cert and upgraded to Apache 2.4.10 because I noticed there are "major improvements to OCSP support". I will continue to monitor. Thanks.
     
  4. monkey64

    I still have the same issue and I have reinstalled the SSL certificate with CA Bundle for the domain.
    One interesting thing I have noticed is that every time I get the SSL error, a background image on the home page fails to load.

    At the point of the error, other SSL domains seem to be working correctly. By that I mean that I can access a secure page correctly without the error. After I restart Apache, it works again! :mad:

    Any ideas?
     
    #4 monkey64, Aug 22, 2014
    Last edited: Aug 22, 2014
  5. cPanelMichael

    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     