SOLVED Sectigo OCSP Outage 05/01/2019

matt1206

Active Member
Dec 20, 2011
cPanel Access Level
Root Administrator
Is anyone else seeing issues with OCSP from Comodo currently? Getting these errors on all my cPanel servers since around 14:50 UTC today.

Code:
[Wed May 01 15:45:05.022337 2019] [ssl:error] [pid 32448:tid 47455874840320] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:09.434592 2019] [ssl:error] [pid 32448:tid 47455879042816] (70007)The timeout specified has expired: [client 35.198.217.171:42784] AH01985: error reading response from OCSP server
[Wed May 01 15:45:09.434782 2019] [ssl:error] [pid 32448:tid 47455879042816] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:30.627343 2019] [ssl:error] [pid 32443:tid 47455885346560] (70007)The timeout specified has expired: [client 148.252.194.74:56787] AH01985: error reading response from OCSP server
[Wed May 01 15:45:30.627687 2019] [ssl:error] [pid 32443:tid 47455885346560] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:33.644663 2019] [ssl:error] [pid 32446:tid 47455870637824] (70007)The timeout specified has expired: [client 148.252.194.74:56791] AH01985: error reading response from OCSP server
[Wed May 01 15:45:33.644918 2019] [ssl:error] [pid 32446:tid 47455870637824] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:03.866604 2019] [ssl:error] [pid 32444:tid 47455885346560] (70007)The timeout specified has expired: [client 178.82.175.11:46529] AH01985: error reading response from OCSP server
[Wed May 01 15:46:03.866755 2019] [ssl:error] [pid 32444:tid 47455885346560] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:07.583846 2019] [ssl:error] [pid 32443:tid 47455889549056] (70007)The timeout specified has expired: [client 178.82.175.11:46728] AH01985: error reading response from OCSP server
[Wed May 01 15:46:07.583985 2019] [ssl:error] [pid 32443:tid 47455889549056] AH01941: stapling_renew_response: responder error
[Wed May 01 15:46:12.885442 2019] [ssl:error] [pid 32446:tid 47455883245312] (70007)The timeout specified has expired: [client 178.82.175.11:46917] AH01985: error reading response from OCSP server
[Wed May 01 15:46:12.885587 2019] [ssl:error] [pid 32446:tid 47455883245312] AH01941: stapling_renew_response: responder error
I've had to disable OCSP on one of the servers as it was locking up Apache after ~10 minutes post restart.

Code:
echo "SSLUseStapling off" >> /etc/apache2/conf.d/includes/pre_virtualhost_global.conf; /scripts/restartsrv_httpd
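The two Apache error codes in the log above (AH01985 for the responder timeout, AH01941 for the failed stapling renewal) are the signal to alert on before httpd starts wedging. The following is an added example, not code from the thread or from cPanel: it parses constructed error_log lines modelled on the ones posted above (client addresses replaced with documentation-range IPs), counts errors per code, and flags an outage when a burst of OCSP errors lands inside a sliding window; the window and threshold values are assumptions to tune per server.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in Apache 2.4 error_log format, modelled on the
# mod_ssl OCSP stapling errors quoted in the thread (IPs are documentation ranges).
SAMPLE_LOG = """\
[Wed May 01 15:45:05.022337 2019] [ssl:error] [pid 32448:tid 47455874840320] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:09.434592 2019] [ssl:error] [pid 32448:tid 47455879042816] (70007)The timeout specified has expired: [client 203.0.113.10:42784] AH01985: error reading response from OCSP server
[Wed May 01 15:45:09.434782 2019] [ssl:error] [pid 32448:tid 47455879042816] AH01941: stapling_renew_response: responder error
[Wed May 01 15:45:30.627343 2019] [ssl:error] [pid 32443:tid 47455885346560] (70007)The timeout specified has expired: [client 203.0.113.11:56787] AH01985: error reading response from OCSP server
[Wed May 01 15:45:30.627687 2019] [ssl:error] [pid 32443:tid 47455885346560] AH01941: stapling_renew_response: responder error
[Wed May 01 15:47:01.000000 2019] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/httpd'
"""

# Timestamp, module:level, then any pid/client prefix, then the AHxxxxx code and message.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] "
    r"\[(?P<module>[\w-]+):(?P<level>\w+)\] .*?(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# mod_ssl codes seen in the thread when the OCSP responder cannot be reached.
OCSP_CODES = {"AH01985", "AH01941"}


def parse_ocsp_errors(text):
    """Yield (timestamp, code) for every mod_ssl OCSP stapling error line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("module") != "ssl" or m.group("code") not in OCSP_CODES:
            continue
        ts = datetime.strptime(f"{m.group('ts')} {m.group('year')}", "%a %b %d %H:%M:%S %Y")
        yield ts, m.group("code")


def summarize(text):
    """Count OCSP error lines per Apache error code."""
    return Counter(code for _, code in parse_ocsp_errors(text))


def ocsp_outage_detected(text, window=timedelta(minutes=5), threshold=3):
    """Return (hit, first_ts, last_ts): hit is True once `threshold` or more
    OCSP errors fall inside any sliding `window` (assumed defaults, tune per host)."""
    events = sorted(parse_ocsp_errors(text))
    start = 0
    for end, (ts, _) in enumerate(events):
        while ts - events[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True, events[start][0], ts
    return False, None, None
```

Feed it the live error_log (e.g. `tail -n 500 /etc/apache2/logs/error_log` on cPanel) from a cron job and page on a hit; a single AH01985 is normal responder jitter, a sustained burst is the outage pattern above.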
 

dooh

Member
Jul 19, 2006
Hey,

We did open a ticket with cPanel related to this issue. We have more than 20 servers that have crashed right now.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello @matt1206,

We're currently investigating this in a couple of support tickets. The reported error generally stems from a certificate authority outage, though Sectigo shows no OCSP problems at the moment:

Sectigo

I'll update this thread with more information as it's available.

Thank you.

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
SLC
cPanel Access Level
DataCenter Provider
Note: since Sectigo/Comodo started with the signed cPanel certs this has been a normal occurrence from time to time; outages are location specific (it's a pain).

Changing the main DNS resolver out to a different location will usually fix it.
 

codepoet

Member
Jun 28, 2017
Canada
cPanel Access Level
Root Administrator
@cPanelMichael Hello, I am having the same issue here also. I have been using the DNS resolver from Cloudflare, then switched back to Google, and am still having intermittent issues with the OCSP. Disabled stapling for now. Should I open a ticket also (you have enough of them?) or just follow here for updates?

Thank you
 

tsiedsma

Active Member
Nov 1, 2006
US
cPanel Access Level
Root Administrator
If you use Ansible, this one-liner will work.

Disable SSL Stapling:
ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' line='SSLUseStapling off' state=present"

Then restart Apache:
ansible cpanel_servers -a "/scripts/restartsrv_httpd"

To undo:
ansible cpanel_servers -m lineinfile -a "path=/etc/apache2/conf.d/includes/pre_virtualhost_global.conf regexp='SSLUseStapling' state=absent"

And restart again:
ansible cpanel_servers -a "/scripts/restartsrv_httpd"
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello Everyone,

Thanks for the reports. We've reached out to Sectigo and are awaiting more information at this time. I'll update this thread with more information as soon as it's available.

In the meantime, the temporary workaround instructions from our OCSP Forums Resource are quoted below:

We firmly recommend that this only be a temporary workaround, as disabling Stapling places the OCSP burden back on your customers' browsers, slowing down site load speed and extending SSL/TLS handshake times.

To disable OCSP Stapling, access WHM >> Service Configuration >> Apache Configuration >> Include Editor >> Pre VirtualHost Include >> All Versions and add the following line:

SSLUseStapling off

Selecting 'Update' after this will rebuild the Apache configuration and restart the service, at which point the sites should begin loading as expected again.

Once the systemic issues in contacting OCSP have been addressed, Stapling can be re-enabled by accessing the same interface and removing the additional line that was added. We at cPanel recommend keeping OCSP Stapling enabled whenever possible, as this improves the security of your HTTPS connections and improves site load speeds by optimizing the SSL/TLS handshake.
Thank you.

Update:
It looks like Sectigo's OCSP responder servers are operating normally again. Let us know if the issue persists after reverting the temporary workaround.

Benjamin D.

Well-Known Member
Jan 28, 2016
Canada
cPanel Access Level
Root Administrator
[Note: This was moved from its own thread to here]

Hi! What's happening today? At noon, all the websites on my server began timing out. I received a HTTPd service down notification and the server logs are filled with:

[Wed May 01 12:34:30.880922 2019] [ssl:error] [pid 11717] (70007)The timeout specified has expired: [client x.x.x.x:3638] AH01985: error reading response from OCSP server
[Wed May 01 12:34:30.880976 2019] [ssl:error] [pid 11717] AH01941: stapling_renew_response: responder error

PLEASE HELP!

EDIT: DE-STAPLING TEMP FIX MENTIONED ABOVE WORKED FINE. THX

Judah

Member
Jul 31, 2016
United States
cPanel Access Level
Root Administrator
Glad I am not the only one, I am seeing the same thing on my end. Hundreds of sites offline and the HTTPd service keeps crashing.

I am making a quick server snapshot and am going to try restarting (there were updates in queue, was waiting for weekend) and maybe rebuilding apache. Will report back with results.

-- Edit --
Restarting did not fix, but the tip above about disabling the OCSP stapling did the trick for now. Will definitely undo that temporary fix once things are back to normal.

kacsa

Member
Apr 6, 2003
I think the OCSP response problem exists only on servers that have an IPv6 address. I don't have the OCSP problem on servers without IPv6.
 

jestep

Well-Known Member
Dec 18, 2006
We have IPv6 disabled and it's crippled several of our servers. Glad there's at least a temporary workaround.