The Community Forums

SOLVED Sectigo OCSP Outage 05/01/2019

Discussion in 'Security' started by matt1206, May 1, 2019.

  1. matt1206

    matt1206 Active Member

    Joined:
    Dec 20, 2011
    Messages:
    30
    Likes Received:
    1
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    Is anyone else seeing issues with OCSP from Comodo currently? Getting these errors on all my cPanel servers since around 14:50 UTC today.

    Code:
    [Wed May 01 15:45:05.022337 2019] [ssl:error] [pid 32448:tid 47455874840320] AH01941: stapling_renew_response: responder error
    [Wed May 01 15:45:09.434592 2019] [ssl:error] [pid 32448:tid 47455879042816] (70007)The timeout specified has expired: [client 35.198.217.171:42784] AH01985: error reading response from OCSP server
    [Wed May 01 15:45:09.434782 2019] [ssl:error] [pid 32448:tid 47455879042816] AH01941: stapling_renew_response: responder error
    [Wed May 01 15:45:30.627343 2019] [ssl:error] [pid 32443:tid 47455885346560] (70007)The timeout specified has expired: [client 148.252.194.74:56787] AH01985: error reading response from OCSP server
    [Wed May 01 15:45:30.627687 2019] [ssl:error] [pid 32443:tid 47455885346560] AH01941: stapling_renew_response: responder error
    [Wed May 01 15:45:33.644663 2019] [ssl:error] [pid 32446:tid 47455870637824] (70007)The timeout specified has expired: [client 148.252.194.74:56791] AH01985: error reading response from OCSP server
    [Wed May 01 15:45:33.644918 2019] [ssl:error] [pid 32446:tid 47455870637824] AH01941: stapling_renew_response: responder error
    [Wed May 01 15:46:03.866604 2019] [ssl:error] [pid 32444:tid 47455885346560] (70007)The timeout specified has expired: [client 178.82.175.11:46529] AH01985: error reading response from OCSP server
    [Wed May 01 15:46:03.866755 2019] [ssl:error] [pid 32444:tid 47455885346560] AH01941: stapling_renew_response: responder error
    [Wed May 01 15:46:07.583846 2019] [ssl:error] [pid 32443:tid 47455889549056] (70007)The timeout specified has expired: [client 178.82.175.11:46728] AH01985: error reading response from OCSP server
    [Wed May 01 15:46:07.583985 2019] [ssl:error] [pid 32443:tid 47455889549056] AH01941: stapling_renew_response: responder error
    [Wed May 01 15:46:12.885442 2019] [ssl:error] [pid 32446:tid 47455883245312] (70007)The timeout specified has expired: [client 178.82.175.11:46917] AH01985: error reading response from OCSP server
    [Wed May 01 15:46:12.885587 2019] [ssl:error] [pid 32446:tid 47455883245312] AH01941: stapling_renew_response: responder error
    I've had to disable OCSP on one of the servers as it was locking up apache after ~ 10 minutes post restart.

    Code:
    echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
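
Added example, not part of the original post or of cPanel's tooling: a small shell check that counts the two mod_ssl stapling errors quoted above (AH01985 and AH01941) per minute in an Apache error log, so a responder outage can be alerted on before Apache locks up. The function names, the threshold and the sample log (constructed, with documentation-range client addresses) are assumptions.

```shell
#!/bin/sh
# Constructed sample in the same format as the error_log lines quoted above.
sample_log() {
cat <<'EOF'
[Wed May 01 15:44:58.100000 2019] [core:notice] [pid 32440] AH00094: Command line: '/usr/sbin/httpd'
[Wed May 01 15:45:05.022337 2019] [ssl:error] [pid 32448:tid 2] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:09.434592 2019] [ssl:error] [pid 32448:tid 3] (70007)The timeout specified has expired: [client 192.0.2.10:42784] AH01985: error reading response from OCSP server
[Wed May 01 15:45:09.434782 2019] [ssl:error] [pid 32448:tid 3] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:30.627343 2019] [ssl:error] [pid 32443:tid 4] (70007)The timeout specified has expired: [client 198.51.100.7:56787] AH01985: error reading response from OCSP server
[Wed May 01 15:45:30.627687 2019] [ssl:error] [pid 32443:tid 4] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:03.866604 2019] [ssl:error] [pid 32444:tid 5] (70007)The timeout specified has expired: [client 203.0.113.9:46529] AH01985: error reading response from OCSP server
[Wed May 01 15:46:03.866755 2019] [ssl:error] [pid 32444:tid 5] AH01941: stapling_renew_response: responder error
[Wed May 01 15:47:10.000100 2019] [ssl:error] [pid 32444:tid 6] AH01941: stapling_renew_response: responder error
EOF
}

# Reads an error log on stdin and prints one line per minute, in log order:
#   "<Mon> <DD> <HH:MM> timeouts=<AH01985 count> responder_errors=<AH01941 count>"
stapling_failures_per_minute() {
    awk '
        /\[ssl:error\]/ && /AH01985|AH01941/ {
            key = $2 " " $3 " " substr($4, 1, 5)      # month, day, HH:MM
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            if ($0 ~ /AH01985/) timeout[key]++         # OCSP fetch timed out
            if ($0 ~ /AH01941/) responder[key]++       # staple renewal failed
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s timeouts=%d responder_errors=%d\n",
                       order[i], timeout[order[i]], responder[order[i]]
        }'
}

# Prints the minutes whose AH01941 count reaches the threshold given as $1.
stapling_alert_minutes() {
    stapling_failures_per_minute | awk -v t="$1" '
        { split($NF, kv, "="); if (kv[2] + 0 >= t) print $1, $2, $3 }'
}

# Stand-alone run over the constructed sample; on a server, feed the real
# error log on stdin instead.
sample_log | stapling_failures_per_minute
echo "minutes at or above 3 renewal failures: $(sample_log | stapling_alert_minutes 3)"
```

A single failed renewal per minute is routine noise; the threshold is what separates that from the sustained responder failure reported in this thread.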
     
  2. dooh

    dooh Member

    Joined:
    Jul 19, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    Hey,

    We did open a ticket to cPanel related to this issue. We have more than 20 servers that are crashed right now.
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @matt1206,

    We're currently investigating this in a couple of support tickets. The reported error generally stems from a certificate authority outage, though Sectigo shows no OCSP problems at the moment:

    Sectigo

    I'll update this thread with more information as it's available.

    Thank you.
     
    matt1206 likes this.
  4. matt1206

    matt1206 Active Member

    Joined:
    Dec 20, 2011
    Messages:
    30
    Likes Received:
    1
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    Thanks @cPanelMichael - I suspected as much, but couldn't see anything myself on their status page either.
     
  5. dalem

    dalem Well-Known Member PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,885
    Likes Received:
    120
    Trophy Points:
    368
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Note: since Sectigo/Comodo started with the signed cpanel certs this has been a normal occurrence from time to time; outages are location specific (it's a pain)

    changing the main DNS resolver out to a different location will usually fix.
     
  6. brianc

    brianc Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    168
    Likes Received:
    3
    Trophy Points:
    168
    This is impacting my servers as well.
     
  7. codepoet

    codepoet Member

    Joined:
    Jun 28, 2017
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    @cPanelMichael Hello, I am having the same issue here also. Have been using the dns Resolver from cloudflare, then switched back to google, and still having intermittent issues with the OCSP. Disabled stapling for now. Should I open a ticket also (you have enough of them ?) or just follow here for updates?

    Thank you
     
  8. codepoet

    codepoet Member

    Joined:
    Jun 28, 2017
    Messages:
    16
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
  9. KJBgvs78gv

    KJBgvs78gv Registered

    Joined:
    May 1, 2019
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Germany
    cPanel Access Level:
    Root Administrator
    got same issue, created a ticket, and disabled stapling. Switching from google to cloudflare resolvers doesn't help.
     
  10. tandyuk

    tandyuk Active Member

    Joined:
    Dec 18, 2003
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    158
    Location:
    Worthing, UK
    cPanel Access Level:
    DataCenter Provider
    Same here, I don't ever remember turning OCSP stapling on though....
    I read about a timeout directive to fall back to non-ocsp, but can't find any documentation on putting this in cpanel.
     
  11. tsiedsma

    tsiedsma Active Member

    Joined:
    Nov 1, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    US
    cPanel Access Level:
    Root Administrator
    I am seeing this issue as well
     
  12. tsiedsma

    tsiedsma Active Member

    Joined:
    Nov 1, 2006
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    US
    cPanel Access Level:
    Root Administrator
    If you use Ansible, this one-liner will work

    Disable SSL Stapling:
    ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' line='SSLUseStapling off' state=present"
    Then restart Apache:
    ansible cpanel_servers -a "/scripts/restartsrv_httpd"

    To undo:
    ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' state=absent"

    And restart again:
    ansible cpanel_servers -a "/scripts/restartsrv_httpd"
     
  13. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Everyone,

    Thanks for the reports. We've reached out to Sectigo and are awaiting more information at this time. I'll update this thread with more information as soon as it's available.

    In the meantime, the temporary workaround instructions from our OCSP Forums Resource are quoted below:

    Thank you.

    Update:
    It looks like Sectigo's OCSP responder servers are operating normally again. Let us know if the issue persists after reverting the temporary workaround.
     
    #13 cPanelMichael, May 1, 2019
    Last edited: May 1, 2019
  14. Benjamin D.

    Benjamin D. Well-Known Member

    Joined:
    Jan 28, 2016
    Messages:
    126
    Likes Received:
    17
    Trophy Points:
    18
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    [Note: This was moved from its own thread to here]

    Hi! What's happening today? At noon, all the websites on my server began timing out. I received a HTTPd service down notification and the server logs are filled with:

    [Wed May 01 12:34:30.880922 2019] [ssl:error] [pid 11717] (70007)The timeout specified has expired: [client x.x.x.x:3638] AH01985: error reading response from OCSP server
    [Wed May 01 12:34:30.880976 2019] [ssl:error] [pid 11717] AH01941: stapling_renew_response: responder error

    PLEASE HELP!

    EDIT: DE-STAPLING TEMP FIX MENTIONED ABOVE WORKED FINE. THX
     
    #14 Benjamin D., May 1, 2019
    Last edited: May 1, 2019
    cPanelMichael likes this.
  15. Judah

    Judah Member

    Joined:
    Jul 31, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    Glad I am not the only one, I am seeing the same thing on my end. Hundreds of sites offline and the HTTPd service keeps crashing.

    I am making a quick server snapshot and am going to try restarting (there were updates in queue, was waiting for weekend) and maybe rebuilding apache. Will report back with results.

    -- Edit --
    Restarting did not fix, but the tip above about disabling the OCSP stapling did the trick for now. Will definitely undo that temporary fix once things are back to normal.
     
    #16 Judah, May 1, 2019
    Last edited: May 1, 2019
  16. kacsa

    kacsa Member

    Joined:
    Apr 6, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    151
    I think the OCSP response problem exists only on servers that have an IPv6 address. I don't have the OCSP problem on servers without IPv6.
     
  17. jestep

    jestep Well-Known Member

    Joined:
    Dec 18, 2006
    Messages:
    47
    Likes Received:
    1
    Trophy Points:
    158
    We have IPV6 disabled and it's crippled several of our servers. Glad there's at least a temporary work around.
     
  18. kamrannorway

    kamrannorway Registered

    Joined:
    Oct 9, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The same issue here. Ticket number is 12156975. Hope you fix it as soon as possible.
     
  19. LoganGraham

    LoganGraham Registered

    Joined:
    May 1, 2019
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Florida
    cPanel Access Level:
    Root Administrator
    I was able to resolve this by using the following steps:

    - Install LetsEncrypt AutoSSL provider - found here: cPanel's Official Let's Encrypt Plugin | cPanel Blog
    - Deleting all SSL certs for affected domains
    - Restarting Apache
    - Running AutoSSL for the affected domains

    Hope this helps someone get back up and running as quick as possible.
     
  20. orizonmedia

    orizonmedia Registered

    Joined:
    Jan 16, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Rimouski, Canada
    cPanel Access Level:
    Root Administrator
    same problem here

    error reading response from OCSP server
     