Could not connect to OCSP responder

Discussion in 'Security' started by cadaverzian, Oct 10, 2017.

  1. cadaverzian

    We have big trouble on all our cPanel servers:
    sites with HTTPS connections go down with the following error:
    [Tue Oct 10 09:48:14.149790 2017] [ssl:error] [pid 1776] (101)Network is unreachable: [client 199.66.88.30:62799] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Tue Oct 10 09:48:14.150198 2017] [ssl:error] [pid 1776] AH01941: stapling_renew_response: responder error

    When we try to ping it:
    ping ocsp.comodoca.com
    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    --- ocsp.comodoca.com ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1651ms

    But ocsp.comodoca.com is accessible from other (non-cPanel) servers:
    ping ocsp.comodoca.com
    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=1 ttl=52 time=117 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=52 time=117 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=52 time=117 ms

    There are no CSF (or other) firewalls on the server, and iptables is flushed and stopped, but still:
    ping ocsp.comodoca.com
    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    --- ocsp.comodoca.com ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2412ms

    Trace:
    root@server68 [~]# mtr ocsp.comodoca.com --report
    HOST: **** Loss% Snt Last Avg Best Wrst StDev
    1. ******* 0.0% 10 0.8 1.1 0.8 2.4 0.5
    2. 46.164.132.169 0.0% 10 0.7 0.5 0.3 1.0 0.2
    3. tr1-v454.de-fra.datagroup.ua 0.0% 10 26.7 26.8 26.7 27.7 0.3
    4. ffm-b1-link.telia.net 0.0% 10 26.8 27.2 26.8 29.0 0.7
    5. ae6.cr1-fra6.ip4.gtt.net 0.0% 10 27.4 27.4 27.3 27.5 0.0
    6. et-5-3-0.cr9-nyc3.ip4.gtt.ne 0.0% 10 119.2 119.1 118.9 119.4 0.2
    7. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
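
For triaging the errors quoted in the post above, the following added example (not part of the original thread) groups AH01974 failures by responder and by the OS error Apache reported, which separates a routing failure such as errno 101 from a timeout. The function names `ocsp_errors` and `sample_log` are hypothetical, and every sample line except the first two is constructed.

```shell
#!/bin/sh
# Count AH01974 failures per (responder, errno text) in an Apache error log
# read on stdin. Output: "<count> <responder> <(errno)reason>", busiest first.
ocsp_errors() {
    awk -v q="'" '
        /AH01974/ {
            reason = "unknown"; resp = "unknown"
            # APR prints the OS error as "(NNN)text: " just before "[client"
            if (match($0, /\([0-9]+\)[^:]*: \[client/))
                reason = substr($0, RSTART, RLENGTH - 9)
            # Responder host name is the single-quoted token after the message
            if (match($0, "OCSP responder " q "[^" q "]+" q))
                resp = substr($0, RSTART + 16, RLENGTH - 17)
            seen[resp " " reason]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Sample input: the first two lines are from the post, the rest are constructed.
sample_log() {
    cat <<'EOF'
[Tue Oct 10 09:48:14.149790 2017] [ssl:error] [pid 1776] (101)Network is unreachable: [client 199.66.88.30:62799] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Oct 10 09:48:14.150198 2017] [ssl:error] [pid 1776] AH01941: stapling_renew_response: responder error
[Tue Oct 10 09:49:02.000000 2017] [ssl:error] [pid 1780] (101)Network is unreachable: [client 192.0.2.10:50000] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Tue Oct 10 09:50:40.000000 2017] [ssl:error] [pid 1781] (110)Connection timed out: [client 192.0.2.11:50001] AH01974: could not connect to OCSP responder 'ocsp.example.net'
EOF
}

sample_log | ocsp_errors
```

On a live server, feed the function the Apache error log instead of `sample_log`.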
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Are you using the default cipher list for Apache in "WHM Home » Service Configuration » Apache Configuration » Global Configuration"? Does toggling the default option for the cipher list and saving the changes address the issue?

    Thank you.
     
  3. WorkinOnIt

    Hello

    I had the same issue - I then selected the default cipher as mentioned by @cPanelMichael which worked and now the error is gone.

    However, this seems to repeat from time to time - and each time I have to re-select the default cipher, so I am not sure why that option doesn't remain selected.
     
  4. cPanelMichael

    Feel free to open a support ticket if you'd like us to take a closer look to see what could be happening.

    Thank you.
     
  5. WorkinOnIt

    Had the same issue again today (on multiple servers) and going to "WHM Home » Service Configuration » Apache Configuration » Global Configuration" and re-selecting default cipher (already selected) and then saving seems to have solved the issue - I will open a ticket if it comes back again.
     
  6. WorkinOnIt

    Hi @cPanelMichael

    I had the same issue again today - after having rebooted the cPanel server (after receiving the "Processes High - reboot the server to update the system" cPanel advisor message).

    So I rebooted the server and again I get the SSL stapling errors in the Apache error log:

    [ssl:error] [pid 1776] (101) Network is unreachable: [client 123.123.123.123:62799] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Dec 17 09:48:14.150198 2017] [ssl:error] [pid 1776] AH01941: stapling_renew_response: responder error


    After doing a bit of googling, I found this helpful article which explains how to verify if SSL stapling is working on Apache (Apache: Instructions for OCSP Stapling | DigiCert.com)

    As per the suggestion in the article, SSL Certificate Checker - Diagnostic Tool | DigiCert.com - on this page I was able to see the result of my server SSL stapling - which was "Not enabled"

    Then, I went to WHM Home » Service Configuration » Apache Configuration » Global Configuration - and reset the Cipher Suite to default again.

    I then re-checked the SSL stapling SSL Certificate Checker - Diagnostic Tool | DigiCert.com - this page now shows the SSL stapling is now "Enabled".

    So clearly, when rebooting my machine - the Cipher suite is not being read - or perhaps there is a cache error? Something is preventing the default Cipher suite from rebuilding.

    This is happening on all of my VMs. Any suggestions?

    Thanks
     
    #6 WorkinOnIt, Dec 16, 2017
    Last edited: Dec 16, 2017
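
A command-line counterpart to the stapling check described in the post above, as an added example that is not part of the original thread: `openssl s_client -status` asks the server for a stapled OCSP response during the handshake, and the function below classifies what comes back. The names `staple_status`, `check_host`, `sample_stapled` and `sample_missing` are hypothetical, and both sample outputs are constructed.

```shell
#!/bin/sh
# Classify OCSP stapling from "openssl s_client -status" output on stdin.
# Prints "stapled cert=<status>", "not-stapled" or "unknown".
staple_status() {
    awk '
        /OCSP response: no response sent/  { none = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status:/ { sub(/^.*Cert Status: */, ""); cert = $0 }
        END {
            if (ok) { if (cert == "") cert = "?"; print "stapled cert=" cert }
            else if (none) print "not-stapled"
            else           print "unknown"
        }'
}

# Live check (needs network): request a stapled response in the handshake.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | staple_status
}

# Constructed sample: the server stapled a valid response.
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec 16 09:00:00 2017 GMT
    Next Update: Dec 23 09:00:00 2017 GMT
EOF
}

# Constructed sample: handshake completed but nothing was stapled.
sample_missing() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

sample_stapled | staple_status
sample_missing | staple_status
```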
  7. cPanelMichael

    Hello,

    It sounds like an issue where the server's hostname changes during the reboot, but it's difficult to know for sure without access to an affected system. Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
     