Bad response from OCSP server

TWD

I was debugging a problem with some slow websites and came across the following entries in the Apache error log:

[Thu May 30 20:18:35.847964 2019] [ssl:error] [pid 16892:tid 47787978688256] (70007)The timeout specified has expired: [client 40.77.167.125:2464] AH01977: failed reading line from OCSP server
[Thu May 30 20:18:35.848007 2019] [ssl:error] [pid 16892:tid 47787978688256] [client 40.77.167.125:2464] AH01980: bad response from OCSP server: (none)
[Thu May 30 20:18:35.848074 2019] [ssl:error] [pid 16892:tid 47787978688256] AH01941: stapling_renew_response: responder error

I've done some Googling and read a few forum threads but nothing seems to apply to my specific error.

It's this line in the logs which has me confused:

AH01980: bad response from OCSP server: (none) - shouldn't that be 'ocsp.comodoca.com' ?????

It seems that apache is failing to get the OCSP server info (none) from somewhere and can't connect?
 

cPanelMichael

Hello TWD,

The following links include overall OCSP information:

SOLVED - Sectigo OCSP Outage 05/01/2019
Tutorial - How to address OCSP responder errors

It looks like ticket 12449641 is open to request more information about seeing "none" in the Apache OCSP error output. I'll monitor this ticket and update this thread with the outcome once it's closed.

Thank you.

Update: It looks like the ticket was closed. Feel free to reply to the ticket to re-open it if you have additional questions about the OCSP error output (e.g. the "none" entry). Thank you.
 

LoadFactor

I just had this problem with some GoDaddy OV certificates, with this kind of error in the logs:

[Sun Feb 16 22:35:45.315628 2020] [ssl:error] [pid 17010:tid 22540466992896] (70007)The timeout specified has expired: [client x.x.x.x:41888] AH01977: failed reading line from OCSP server
[Sun Feb 16 22:35:45.315689 2020] [ssl:error] [pid 17010:tid 22540466992896] [client x.x.x.x:41888] AH01980: bad response from OCSP server: (none)
[Sun Feb 16 22:35:45.315964 2020] [ssl:error] [pid 17010:tid 22540466992896] AH01941: stapling_renew_response: responder error

I have worked around the problem by setting SSLUseStapling off in Apache temporarily, but with "none" as the server, I can't even check if we have a firewall issue. Closed ticket or not I would really like to know what this means and how to diagnose/address it!
 

LoadFactor

Upon further reading of logs, it seems that the (none) isn't a server address, it's a description of the response error, which is no response.

So the question is really this: is there any command line way to attempt an OCSP staple, preferably with a response that includes the address that's being queried so we can figure out if it's a network problem or a server problem? The best answer I have found is here, but it's not a one-line solution.
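
One way to make the check asked about in the last post, as an added example that is not part of the thread or of cPanel's tooling: it prints the responder address taken from the certificate, tests the TCP path to it, then sends a real OCSP request with the openssl CLI. The file names cert.pem and issuer.pem and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed inputs: cert.pem (the site certificate) and
# issuer.pem (the CA certificate that issued it), both as local PEM files.

# Print the OCSP responder URL from the certificate's AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Split a responder URL into "host port" so the network path can be
# tested on its own (IPv6 literals are not handled).
responder_hostport() {
    local url="$1" scheme rest hostport host port
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    host=${hostport%%:*}
    if [ "$host" != "$hostport" ]; then
        port=${hostport##*:}
    elif [ "$scheme" = "https" ]; then
        port=443
    else
        port=80
    fi
    printf '%s %s\n' "$host" "$port"
}

check_ocsp() {
    local cert="$1" issuer="$2" uri
    uri=$(ocsp_uri "$cert")
    [ -n "$uri" ] || { echo "no OCSP URI in $cert" >&2; return 2; }
    set -- $(responder_hostport "$uri")   # $1 = host, $2 = port
    echo "responder: $uri ($1:$2)"
    # Step 1: TCP reachability only; DNS and firewall problems fail here.
    if ! timeout 10 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; then
        echo "cannot connect to $1:$2 (network problem)" >&2
        return 3
    fi
    # Step 2: the OCSP request itself. -noverify skips checking the response
    # signature, so use this output for reachability and status only.
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
        -timeout 10 -resp_text -noverify
}

# Run only when called as: sh check_ocsp.sh cert.pem issuer.pem
if [ "$#" -ge 2 ]; then check_ocsp "$1" "$2"; fi
```

A failure at step 1 points to DNS, firewall or routing between the server and the responder; a timeout or error only at step 2 points to the responder itself.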