Bad response from OCSP server

Running an Apache web server out of an IBM SoftLayer server farm in Dallas. Every so often, the Apache httpd child process restarts then stops responding to page requests when it cannot access OCSP stapling. Seeing the problem now every few days.

The latest was this morning (all times MST) between 2:31 am and 3:01 am. Here’s a sample from the log file…

[Mon Mar 04 02:31:15.367980 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18324
[Mon Mar 04 02:31:32.649236 2019] [mpm_winnt:notice] [pid 18324:tid 3236] AH00354: Child: Starting 1024 worker threads.
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : [client 207.46.13.24:5884] AH01977: failed reading line from OCSP server
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] [client 207.46.13.24:5884] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] AH01941: stapling_renew_response: responder error

The 3 [ssl:error] lines keep repeating over and over (I have over 40 sites hosted on my server including lodesys.com and k12irc.org).

Apache is restarted automatically every 5 minutes when not responding. The errors persisted until 3:01 am when the OCSP server appears to have started responding again and no more problems.

This issue has happened intermittently over the last week or two. I am looking at the option of just turning SSLUseStapling off as I need the sites up and running 24/7.

Not sure if this is an issue with Akamai blocking the server farm’s IP range due to excessive hits or ???.

Here’s my Apache config lines…

SSLUseStapling on
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off

Any ideas or insights would be greatly appreciated.
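As an added triage example (not code from the original post, nor from Apache), here is a small Python parser that reads Apache 2.4 error-log lines in the format quoted above, picks out the three mod_ssl stapling codes shown in the log (AH01977, AH01980, AH01941), and groups them into outage windows so the start, end, error count and number of child-process restarts (AH00418) of each incident can be read off directly instead of eyeballing repeating lines. The log lines embedded in the block are constructed to match the post's format, with a documentation-range client IP; the 10-minute grouping gap is an assumption chosen to span the 5-minute automatic restarts mentioned in the post.

```python
"""Group mod_ssl OCSP-stapling responder errors from an Apache error log into
outage windows.  Added example; the sample lines are constructed to match the
format quoted in the post, not copied from a real server."""
import re
from datetime import datetime, timedelta

# Constructed sample: the three [ssl:error] lines from the post, repeating across
# an automatic restart, then a recovery, then a second short burst hours later.
SAMPLE_LOG = """\
[Mon Mar 04 02:31:15.367980 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18324
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : [client 203.0.113.7:5884] AH01977: failed reading line from OCSP server
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] [client 203.0.113.7:5884] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:31:35.385082 2019] [ssl:error] [pid 18324:tid 24368] AH01941: stapling_renew_response: responder error
[Mon Mar 04 02:36:20.100000 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18410
[Mon Mar 04 02:36:41.200000 2019] [ssl:error] [pid 18410:tid 24370] [client 203.0.113.7:5890] AH01980: bad response from OCSP server: (none)
[Mon Mar 04 02:36:41.200000 2019] [ssl:error] [pid 18410:tid 24370] AH01941: stapling_renew_response: responder error
[Mon Mar 04 03:01:05.000000 2019] [mpm_winnt:notice] [pid 18232:tid 532] AH00418: Parent: Created child process 18502
[Mon Mar 04 05:10:00.000000 2019] [ssl:error] [pid 18502:tid 24380] AH01941: stapling_renew_response: responder error
"""

# Apache 2.4 error-log line: [timestamp] [module:level] [pid N:tid M] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)
CODE_RE = re.compile(r"\b(AH\d{5})\b")
# mod_ssl codes logged when the stapling responder is unreachable or replies badly
OCSP_CODES = {"AH01977", "AH01980", "AH01941"}
RESTART_CODE = "AH00418"  # mpm_winnt: parent created a new child process


def parse_line(line):
    """Return a dict for one Apache 2.4 error-log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    code = CODE_RE.search(m.group("msg"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
        "module": m.group("module"),
        "level": m.group("level"),
        "pid": int(m.group("pid")),
        "code": code.group(1) if code else None,
        "msg": m.group("msg"),
    }


def ocsp_failure_windows(lines, gap=timedelta(minutes=10)):
    """Group OCSP responder errors into windows.  An error more than `gap`
    after the previous one opens a new window.  Each window records its span,
    the number of stapling errors and the number of child restarts (AH00418)
    that fell inside it (assumed gap: wide enough to span 5-minute restarts)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    windows = []
    for e in events:
        in_current = bool(windows) and e["ts"] - windows[-1]["end"] <= gap
        if e["code"] in OCSP_CODES:
            if in_current:
                windows[-1]["end"] = e["ts"]
                windows[-1]["errors"] += 1
            else:
                windows.append({"start": e["ts"], "end": e["ts"], "errors": 1, "restarts": 0})
        elif e["code"] == RESTART_CODE and in_current:
            windows[-1]["restarts"] += 1
    return windows


def format_window(w):
    """One human-readable summary line per outage window."""
    return "%s .. %s  stapling errors=%d  child restarts=%d" % (
        w["start"].strftime("%Y-%m-%d %H:%M:%S"), w["end"].strftime("%H:%M:%S"),
        w["errors"], w["restarts"])


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("error.log") to run on a real log.
    for w in ocsp_failure_windows(SAMPLE_LOG.splitlines()):
        print(format_window(w))
```

Running this over a real error log gives the outage spans to compare against the responder's own status, and the restart count shows how many of the 5-minute automatic restarts fell inside each incident rather than resolving it.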

Unfortunately Apache’s OCSP stapling implementation is not very good - see “Apache - robust OCSP stapling config”.

You don’t seem to be using SSLStaplingCache - that may boost your reliability a bit.

You might otherwise consider replacing your SSL termination with something else or disabling stapling entirely.


I was using SSLStaplingCache - left that line out.

Was trying some changes when the local OCSP started ignoring requests (due to a denial of service attack or my server being blocked with “too many requests” ???). Log files available upon request.

Ended up just turning OCSP stapling off (SSLUseStapling Off) which has “solved” the problem. Obviously not the preferred solution.

Have a bug report in with Apache – https://bz.apache.org/bugzilla/show_bug.cgi?id=63231 – but have not heard anything to date.
