All our network blocked/banned


#1

Hello everyone. First, my thanks to Let’s Encrypt and its team for a great project and work.

I hope someone can help us with this issue.

Today, all our SSL certificates from Let’s Encrypt stopped working. The certificates are valid and have not expired yet. We had no ping to ocsp.int-x2.letsencrypt.org, ocsp.int-x3.letsencrypt.org, and ocsp.int-x4.letsencrypt.org. We tested our network and everything was working properly from our network side. This is the error we got:

[Wed Dec 21 11:58:34.643856 2016] [ssl:error] [pid 8506] AH01941: stapling_renew_response: responder error
[Wed Dec 21 11:58:54.670917 2016] [ssl:error] [pid 8498] (101)Network is unreachable: [client 190.114.254.1:57706] AH01974: could not connect to OCSP responder ‘ocsp.int-x3.letsencrypt.org

So I wonder why this could happen, that all our network was somehow banned from the Let’s Encrypt server. This was not for certificate issuance.
The problem was that all the websites with Let’s Encrypt would not load at all.

Datacenter provider, if applicable, is: Zam Ltda.
Country: Chile
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

Thank you so much.


#2

Let’s Encrypt’s OCSP is served by Akamai’s CDN network. While Akamai rarely goes down completely (one could almost say never), it’s possible that there are outages in certain geographic regions at times due to any number of reasons. A good starting point would be to run both traceroute ocsp.int-x3.letsencrypt.org and mtr -c 20 -w -r ocsp.int-x3.letsencrypt.org and paste the output here. This will hopefully show on which network hop the error occurs.

That said, typically Apache would continue working during OCSP outages; it would just not be able to staple OCSP responses. Similarly, all major web browsers operate in a soft-fail mode for OCSP, so they should still work during OCSP server downtimes (unless you’re using OCSP Must-Staple, which is only supported by Firefox; if you’ve never heard of that before, you’re in all likelihood not using it). Can you share some details on the issues your visitors are experiencing, such as the detailed connection error they’re seeing?
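The point made above is that AH01941/AH01974 are stapling errors, which Apache and browsers soft-fail, so a site that is really down needs another explanation. The following shell script is an added example, not code from the thread or from Let’s Encrypt: it summarises an Apache error log so an operator can see how many OCSP errors there are, which responder hosts they hit, and whether every mod_ssl error in the log is in fact a stapling/responder error. The log lines it writes are constructed for the example (modelled on the two quoted in the first post), and the temporary log file path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise Apache mod_ssl OCSP
# stapling errors so the operator can tell stapling-only failures (soft-fail)
# apart from other TLS errors. The log content below is constructed for the
# example; the file path is an assumption, override with LOG_FILE=... if needed.

LOG_FILE="${LOG_FILE:-$(mktemp)}"

cat > "$LOG_FILE" <<'EOF'
[Wed Dec 21 11:58:34.643856 2016] [ssl:error] [pid 8506] AH01941: stapling_renew_response: responder error
[Wed Dec 21 11:58:54.670917 2016] [ssl:error] [pid 8498] (101)Network is unreachable: [client 190.114.254.1:57706] AH01974: could not connect to OCSP responder 'ocsp.int-x3.letsencrypt.org'
[Wed Dec 21 11:59:10.000000 2016] [ssl:error] [pid 8498] (101)Network is unreachable: [client 190.114.254.2:40001] AH01974: could not connect to OCSP responder 'ocsp.int-x3.letsencrypt.org'
[Wed Dec 21 11:59:20.000000 2016] [ssl:error] [pid 8501] AH01974: could not connect to OCSP responder 'ocsp.int-x2.letsencrypt.org'
[Wed Dec 21 12:00:00.000000 2016] [core:notice] [pid 8490] AH00094: Command line: '/usr/sbin/httpd'
EOF

# Number of log lines carrying a given Apache error code (e.g. AH01974).
count_code() {
    grep -c "$1" "$LOG_FILE" || true
}

# Number of OCSP connect failures (AH01974) that name a given responder host.
count_responder_failures() {
    grep "AH01974" "$LOG_FILE" | grep -c "$1" || true
}

# Per-responder failure counts, most frequent first: "<count> <host>".
responder_summary() {
    grep "AH01974" "$LOG_FILE" \
        | sed -n "s/.*OCSP responder '\([^']*\)'.*/\1/p" \
        | sort | uniq -c | sort -rn
}

# Exit 0 when every [ssl:error] line is a stapling/responder error (AH01941 or
# AH01974), i.e. the log shows nothing that would stop Apache serving TLS.
only_stapling_errors() {
    total=$(grep -c '\[ssl:error\]' "$LOG_FILE" || true)
    ocsp=$(grep '\[ssl:error\]' "$LOG_FILE" | grep -c -e AH01941 -e AH01974 || true)
    [ "$total" -eq "$ocsp" ]
}

echo "AH01941 (stapling renew failures):    $(count_code AH01941)"
echo "AH01974 (responder connect failures): $(count_code AH01974)"
echo "Failures per responder host:"
responder_summary
if only_stapling_errors; then
    echo "All mod_ssl errors are OCSP stapling errors; TLS service itself is not affected by them."
else
    echo "Non-OCSP mod_ssl errors present; look beyond stapling."
fi
```

If the summary shows only stapling errors while sites are still unreachable, the cause lies elsewhere (routing, firewall, the web server itself), which is what the traceroute and mtr output asked for above would help locate. To confirm what a live server is actually stapling, `openssl s_client -connect host:443 -status` prints the OCSP response status, or reports that no response was sent.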


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.