Could not connect to OCSP responder

Discussion in 'Security' started by cadaverzian, Oct 10, 2017.

  1. cadaverzian

    cadaverzian Registered

    We have big trouble on all our cPanel servers:
    sites with HTTPS connections fail with the following error:
    [Tue Oct 10 09:48:14.149790 2017] [ssl:error] [pid 1776] (101)Network is unreachable: [client 199.66.88.30:62799] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Tue Oct 10 09:48:14.150198 2017] [ssl:error] [pid 1776] AH01941: stapling_renew_response: responder error

    When we try to ping it:
    ping ocsp.comodoca.com
    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    --- ocsp.comodoca.com ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1651ms

    But ocsp.comodoca.com is accessible from other (non-cPanel) servers:
    ping ocsp.comodoca.com
    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=1 ttl=52 time=117 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=2 ttl=52 time=117 ms
    64 bytes from ocsp.comodoca.com (178.255.83.1): icmp_seq=3 ttl=52 time=117 ms

    There are no csf (or other) firewalls on the server; iptables is flushed and stopped, but still:
    ping ocsp.comodoca.com
    PING ocsp.comodoca.com (178.255.83.1) 56(84) bytes of data.
    --- ocsp.comodoca.com ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2412ms

    trace:
    root@server68 [~]# mtr ocsp.comodoca.com --report
    HOST: **** Loss% Snt Last Avg Best Wrst StDev
    1. ******* 0.0% 10 0.8 1.1 0.8 2.4 0.5
    2. 46.164.132.169 0.0% 10 0.7 0.5 0.3 1.0 0.2
    3. tr1-v454.de-fra.datagroup.ua 0.0% 10 26.7 26.8 26.7 27.7 0.3
    4. ffm-b1-link.telia.net 0.0% 10 26.8 27.2 26.8 29.0 0.7
    5. ae6.cr1-fra6.ip4.gtt.net 0.0% 10 27.4 27.4 27.3 27.5 0.0
    6. et-5-3-0.cr9-nyc3.ip4.gtt.ne 0.0% 10 119.2 119.1 118.9 119.4 0.2
    7. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    Are you using the default cipher list for Apache in "WHM Home » Service Configuration » Apache Configuration » Global Configuration"? Does toggling the default option for the cipher list and saving the changes address the issue?

    Thank you.
     
  3. WorkinOnIt

    WorkinOnIt Well-Known Member

    Hello

    I had the same issue - I then selected the default cipher as mentioned by @cPanelMichael which worked and now the error is gone.

    However, this seems to repeat from time to time - and each time I have to re-select the default cipher, so I am not sure why that option doesn't remain selected.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Feel free to open a support ticket if you'd like us to take a closer look to see what could be happening.

    Thank you.
     
  5. WorkinOnIt

    WorkinOnIt Well-Known Member

    Had the same issue again today (on multiple servers) and going to "WHM Home » Service Configuration » Apache Configuration » Global Configuration" and re-selecting default cipher (already selected) and then saving seems to have solved the issue - I will open a ticket if it comes back again.
     
  6. WorkinOnIt

    WorkinOnIt Well-Known Member

    Hi @cPanelMichael

    I had the same issue again today - after having rebooted the cpanel server (after receiving the "Processes High - reboot the server to update the system" cpanel advisor message.)

    So I rebooted the server and again I get the SSL stapling errors in the Apache Error Log;

    [ssl:error] [pid 1776] (101) Network is unreachable: [client 123.123.123.123:62799] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Dec 17 09:48:14.150198 2017] [ssl:error] [pid 1776] AH01941: stapling_renew_response: responder error


    After doing a bit of googling, I found this helpful article which explains how to verify if SSL stapling is working on Apache (Apache: Instructions for OCSP Stapling | DigiCert.com)

    As per the suggestion in the article, SSL Certificate Checker - Diagnostic Tool | DigiCert.com - on this page I was able to see the result of my server SSL stapling - which was "Not enabled"

    Then, I went to WHM Home » Service Configuration » Apache Configuration » Global Configuration - and reset the Cipher Suite to default again.

    I then re-checked the SSL stapling SSL Certificate Checker - Diagnostic Tool | DigiCert.com - this page now shows the SSL stapling is now "Enabled".

    So clearly, when rebooting my machine, the cipher suite is not being read, or perhaps there is a cache error? Something is preventing the default cipher suite from rebuilding.

    This is happening on all of my VMs. Any suggestions?

    Thanks
     
    #6 WorkinOnIt, Dec 16, 2017
    Last edited: Dec 16, 2017
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    It sounds like an issue where the server's hostname changes during the reboot, but it's difficult to know for sure without access to an affected system. Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
     
  8. RobinF28

    RobinF28 Active Member

    Hi Michael & OPs,

    I have just had the exact same issue, & resolution, as the OPs above.

    I resolved it as above; please see the attached screen grabs (below), where it shows the change from "OCSP Staple: Not Enabled" to "Good".
    The problem happened when I rebooted the server (gracefully) to install a kernel update.
    The error logs were as follows, so I researched this (great!) forum and used this fix.

    (WHM is at latest Version.)

    - Robin.

    Code:
    /usr/local/apache/logs/error_log:
    [Wed Sep 05 08:20:04.506505 2018] [ssl:error] [pid 3299] (101)Network is unreachable: [client 199.30.231.5:24339] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Wed Sep 05 08:20:04.506549 2018] [ssl:error] [pid 3299] AH01941: stapling_renew_response: responder error
    [Wed Sep 05 08:50:40.288728 2018] [ssl:error] [pid 3297] (101)Network is unreachable: [client 66.249.64.144:54725] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Wed Sep 05 08:50:40.288782 2018] [ssl:error] [pid 3297] AH01941: stapling_renew_response: responder error
    [Wed Sep 05 08:50:41.288681 2018] [ssl:error] [pid 11523] (101)Network is unreachable: [client 66.249.64.146:63097] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
    [Wed Sep 05 08:50:41.288718 2018] [ssl:error] [pid 11523] AH01941: stapling_renew_response: responder error
    ........
    ........
    
    Infopro likes this.
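Added example (not part of any post in this thread, and not cPanel or Apache code): a small Python parser for the AH01974 lines quoted in the posts above. It groups OCSP responder connect failures per responder by errno and into time windows, so a persistent outage after a reboot can be told apart from isolated renewal failures. The sample log is constructed in the format shown in the thread, and the 15-minute merge gap is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the error_log format quoted in the thread (clients are
# documentation addresses; the errno 110 line is added to show a second case).
SAMPLE_LOG = """\
[Wed Sep 05 08:20:04.506505 2018] [ssl:error] [pid 3299] (101)Network is unreachable: [client 192.0.2.10:24339] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Wed Sep 05 08:20:04.506549 2018] [ssl:error] [pid 3299] AH01941: stapling_renew_response: responder error
[Wed Sep 05 08:50:40.288728 2018] [ssl:error] [pid 3297] (101)Network is unreachable: [client 192.0.2.11:54725] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
[Wed Sep 05 08:50:41.288681 2018] [ssl:error] [pid 11523] (110)Connection timed out: [client 192.0.2.12:63097] AH01974: could not connect to OCSP responder 'ocsp.comodoca.com'
"""

# AH01974 lines carry the OS error of the failed connect and the responder name.
AH01974 = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid \d+\] "
    r"\((?P<errno>\d+)\)(?P<errmsg>[^:]+): .*?AH01974: could not connect "
    r"to OCSP responder '(?P<responder>[^']+)'"
)

def parse_failures(log_text):
    """Yield (timestamp, errno, message, responder) for every AH01974 line."""
    for line in log_text.splitlines():
        m = AH01974.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, int(m["errno"]), m["errmsg"].strip(), m["responder"]

def summarize(log_text, gap=timedelta(minutes=15)):
    """Per responder: failure count, errno breakdown and failure windows.
    Failures closer together than `gap` (assumed value) share one window."""
    out = defaultdict(lambda: {"count": 0, "errnos": defaultdict(int), "windows": []})
    for ts, errno, msg, responder in sorted(parse_failures(log_text)):
        r = out[responder]
        r["count"] += 1
        r["errnos"][(errno, msg)] += 1
        if r["windows"] and ts - r["windows"][-1][1] <= gap:
            r["windows"][-1][1] = ts          # extend the current window
        else:
            r["windows"].append([ts, ts])     # start a new window
    return out

if __name__ == "__main__":
    for responder, r in summarize(SAMPLE_LOG).items():
        print(responder, r["count"], dict(r["errnos"]), len(r["windows"]), "window(s)")
```

On Linux, errno 101 is ENETUNREACH (the host had no route for the address Apache tried), which is a different condition from the timeout reported as errno 110.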