The Community Forums


Comodo OCSP Outage

Discussion in 'General Discussion' started by ruiz, Jun 24, 2017.

  1. ruiz

    ruiz Active Member

    Joined:
    Feb 13, 2008
    Messages:
    30
    Likes Received:
    1
    Trophy Points:
    58
    Hi there,

    Last Thursday we had a couple of hours of downtime during work hours on a huge dedicated server with over 800 accounts. Needless to say, it was bad, but the worst thing is that all services came up again and we still don't know why! Here's what happened:

    Right before noon Apache and Exim stopped responding correctly, with browsers and e-mail clients receiving a "time-out" response. WHM and SSH were still working (responding) perfectly, and the server load was low.

    At that moment I tried restarting Apache and Exim, and when it didn't work I tried stopping the firewall, because it seemed like a network issue... But no change.

    Finally I gave up and restarted the whole server... Still no change.

    After that I logged into another server in the same hosting company (this one was working with no hiccups) and tried to reach a website on the problematic server from the command line using "wget"... It worked instantly on any page.

    From that moment I assumed it was some kind of filter or bug on the hosting company network so I contacted them. Unfortunately they said there was no problem with their network so it should be something with my server.

    After a couple hours the server started responding normally again without any change from me, or from my hosting company (allegedly). I checked all my logs and it all points out that those services were working with no problems, but network traffic to those ports stopped during the downtime. There's no problem with the server.

    The question is... Is it possible that something malfunctioned on my hosting company and that caused the downtime? Any idea of what it might be? Or should I keep looking for something on my server?

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,278
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Did you notice anything unusual in /var/log/messages or /var/log/dmesg during the downtime? It seems like a network issue based on the information you provided. You may want to follow-up with your provider and let them know you reviewed the logs and don't see anything that suggests a server-level issue.

    Thank you.
     
  3. ruiz

    ruiz Active Member

    Thanks cPanelMichael!

    The same problem happened yesterday for a few minutes, and I think I found the source. It wasn't the network, but our SSL certificate issued by Comodo (probably).

    Some websites without SSL were working correctly, so I used this service to analyze our SSL certificate:
    SSL Server Test (Powered by Qualys SSL Labs)

    Here is the result:
    ibb.co/j8T8Pv

    My main concern was the line that says:
    OCSP ERROR: Exception: connect timed out [http://ocsp.comodoca.com]

    Since the OCSP responder was offline, is it normal that all SSL websites on my server stop responding? Is there a workaround? Since AutoSSL uses Comodo, has no one else noticed this problem? Thanks!
     
    #3 ruiz, Aug 15, 2017 at 7:20 AM
    Last edited by a moderator: Aug 15, 2017 at 7:27 AM
  4. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    259
    Likes Received:
    75
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Couple of things to take into account:

    The OCSP requirement is more likely to be a setting in the configuration of the browser you are using (e.g. in Firefox you can see it in Preferences > Advanced > Certificates, or use the string ocsp in about:config).

    There is a possibility that the OCSP server was down, overloaded or unreachable at the time you experienced the issues.

    It has also been suggested in various forums that an UN-synchronized time/date on the calling device (the computer you are calling the site FROM) may sometimes provoke this response.

    Hope this helps
     
    #4 rpvw, Aug 15, 2017 at 7:51 AM
    Last edited: Aug 15, 2017 at 11:37 AM
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This was actually due to a Comodo outage yesterday:

    Comodo Certificate Authority Status

    These types of outages can result in websites failing to open when the browser (e.g. Firefox) is unable to directly connect to the OCSP server. Note that we did implement the following case back in June:

    EA-6302: Add SSLStaplingResponderTimeout to help when OCSP is down

    This helps to ensure the connection fails sooner when the OCSP server is down, whereas before the connection would hang. I recommend using the "Subscribe" button in the Comodo status URL referenced above so you are alerted when there's a Comodo outage in order to better identify when this issue might appear.

    Thank you.
     
    rpvw likes this.
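
The stapling timeout named in EA-6302, shown together with the related mod_ssl stapling directives. This is an added example, not part of the original thread and not cPanel's shipped configuration; the cache path and all numeric values are assumptions chosen for illustration.

```apache
# Added example: server-wide mod_ssl OCSP stapling settings (Apache 2.4).
# Place outside any <VirtualHost>; SSLStaplingCache is only valid at
# server level and is required once stapling is enabled.
SSLUseStapling On

# Shared-memory cache for OCSP responses. The path is an assumption;
# use a directory the httpd user can write to on your system.
SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(512000)"

# How long mod_ssl waits for the CA's OCSP responder before giving up.
# The mod_ssl default is 10 seconds; a lower value (illustrative) keeps
# the lookup from stalling for long when the responder is unreachable,
# as it was during the outage discussed in this thread.
SSLStaplingResponderTimeout 3

# Staple only responses with certificate status "good". When the
# responder fails, send no stapled response at all instead of an error.
SSLStaplingReturnResponderErrors Off

# Do not synthesize a "tryLater" response for failed lookups
# (only relevant when SSLStaplingReturnResponderErrors is On).
SSLStaplingFakeTryLater Off

# After a failed lookup, cache the failure for this many seconds before
# asking the responder again (mod_ssl default: 600). Illustrative value.
SSLStaplingErrorCacheTimeout 300

# Lifetime of a cached good response in seconds (mod_ssl default: 3600).
SSLStaplingStandardCacheTimeout 3600
```

These directives only govern the server's own fetch of the OCSP response; a browser configured to query the responder itself, as described in post #4, is not affected by them. `openssl s_client -connect <your-host>:443 -status` shows whether a stapled response is being served.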
  6. ruiz

    ruiz Active Member

    Thank you Michael! That was spot on
     
    cPanelMichael likes this.