
My Apache error log shows a lot of "stapling_renew_response: responder error" errors. I was hoping to add a browser screenshot, but I'm a newbie and therefore not authorised. This is what is shown in the browser:

"Secure Connection Failed

An error occurred during a connection to www.mysite.co.uk. The OCSP server suggests trying again later. (Error code: sec_error_ocsp_try_server_later)"

It is an intermittent fault, but when I restart Apache the issue goes away temporarily. It looks like the issue occurs when Apache attempts to resolve the address of the OCSP responder:

[Mon Jun 30 16:00:52.666880 2014] [ssl:error] [pid 20449] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:54254] AH01972: could not resolve address of OCSP responder EVSSL-ocsp.geotrust.com
[Mon Jun 30 16:00:52.666954 2014] [ssl:error] [pid 20449] AH01941: stapling_renew_response: responder error
[Wed Jul 02 21:16:00.660224 2014] [ssl:error] [pid 13700] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:7467] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com
[Wed Jul 02 21:16:00.660284 2014] [ssl:error] [pid 13700] AH01941: stapling_renew_response: responder error
[Mon Jul 07 13:00:48.082422 2014] [ssl:error] [pid 23502] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:62983] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com
[Mon Jul 07 13:00:48.082505 2014] [ssl:error] [pid 23502] AH01941: stapling_renew_response: responder error

From my httpd.conf file:

SSLUseStapling on
SSLStaplingCache shmcb:/usr/local/apache/logs/stapling_cache_shmcb(256000)
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data_shmcb(1024000)

SSLSessionCacheTimeout  300
Mutex                   file:/usr/local/apache/logs ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

I checked OCSP stapling using this command:

echo QUIT | openssl s_client -connect www.mysite.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

and received this response, which shows it working:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = RapidSSL TGV OCSP Responder
Produced At: Aug  8 22:59:14 2014 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 123456789XXXXXXXXXXXXXXXXXXXX
  Issuer Key Hash: 123456789XXXXXXXXXXXXXXXXXXXX
  Serial Number: ABCD123
Cert Status: good
This Update: Aug  8 22:59:14 2014 GMT
Next Update: Aug 15 22:59:14 2014 GMT

I checked for the cache files mentioned in httpd.conf (stapling_cache_shmcb and ssl_gcache_data_shmcb), but neither exists. Are they meant to exist?

Any help would be great.

Mark
  • "could not resolve address of OCSP responder EVSSL-ocsp.geotrust.com" that sounds like a DNS resolution failure – Mathias R. Jessen Aug 11 '14 at 14:03
  • I agree, but how on earth would I start fault-finding when EVSSL-ocsp.geotrust.com resolves correctly? Is it possible to have an intermittent DNS failure? – Mark Aug 11 '14 at 14:13
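An added example to support the fault-finding the comments ask about; this is not code from the question or from Apache. The script parses the AH01972 "could not resolve address of OCSP responder" lines from an Apache error log and counts, per responder host, how often name resolution failed and with which getaddrinfo error code, then probes resolution of a responder host repeatedly so an intermittent resolver shows up as a mix of successes and EAI_AGAIN failures. The "(EAI 3)" in the log is the absolute value of glibc's EAI_AGAIN (-3), the transient "try again" code. The sample log lines are copied from the question; the flaky resolver is a constructed stand-in for socket.getaddrinfo so the script runs offline.

```python
"""Triage Apache mod_ssl OCSP-stapling failures that come from DNS.

Added example, not code from the question or from Apache. Two parts:
1. parse AH01972 lines from an Apache error log and count, per OCSP
   responder host, how often name resolution failed and with which EAI code;
2. probe resolution of a responder host repeatedly, separating transient
   failures (EAI_AGAIN, which glibc numbers -3 and Apache prints as
   "(EAI 3)") from permanent ones, to catch an intermittent resolver.
"""
import re
import socket
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Optional

# Shape of the AH01972 line as it appears in the question's log excerpt.
AH01972_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<pid>\d+)\] "
    r"\(EAI (?P<eai>\d+)\)(?P<reason>[^:]+): "
    r"\[client (?P<client>[^\]]+)\] AH01972: "
    r"could not resolve address of OCSP responder (?P<responder>\S+)$"
)


def parse_resolver_failures(log_lines: List[str]) -> Dict[str, Counter]:
    """Return {responder_host: Counter({"EAI <n>: <reason>": count})}.

    Hostnames are lower-cased (DNS is case-insensitive and the log mixes
    case). Lines that are not AH01972, such as the paired AH01941
    "stapling_renew_response: responder error" lines, are ignored.
    """
    failures: Dict[str, Counter] = defaultdict(Counter)
    for line in log_lines:
        m = AH01972_RE.match(line.strip())
        if m:
            key = f"EAI {m['eai']}: {m['reason']}"
            failures[m["responder"].lower()][key] += 1
    return dict(failures)


# getaddrinfo error classes. EAI_AGAIN is the transient "try again" code;
# with mod_ssl's default SSLStaplingReturnResponderErrors On and
# SSLStaplingFakeTryLater On, a failed responder query makes Apache staple
# a synthesized tryLater response, which Firefox reports as
# sec_error_ocsp_try_server_later.
TRANSIENT = {socket.EAI_AGAIN}
PERMANENT = {socket.EAI_NONAME, socket.EAI_FAIL}


def probe_resolution(host: str, attempts: int = 5,
                     resolve: Optional[Callable[[str], object]] = None) -> Counter:
    """Resolve `host` `attempts` times and classify each outcome.

    `resolve` defaults to socket.getaddrinfo on port 443; it is injectable
    so the probe can be exercised offline. Returns a Counter with keys
    "ok", "transient", "permanent" and "other".
    """
    if resolve is None:
        resolve = lambda h: socket.getaddrinfo(h, 443, type=socket.SOCK_STREAM)
    outcome: Counter = Counter()
    for _ in range(attempts):
        try:
            resolve(host)
            outcome["ok"] += 1
        except socket.gaierror as err:
            if err.errno in TRANSIENT:
                outcome["transient"] += 1
            elif err.errno in PERMANENT:
                outcome["permanent"] += 1
            else:
                outcome["other"] += 1
    return outcome


def flaky_resolver(transient_failures: int) -> Callable[[str], object]:
    """Constructed stand-in for getaddrinfo: fails `transient_failures`
    times with EAI_AGAIN, then succeeds. Only for offline demonstration."""
    calls = {"n": 0}

    def resolve(host: str) -> object:
        calls["n"] += 1
        if calls["n"] <= transient_failures:
            raise socket.gaierror(socket.EAI_AGAIN,
                                  "Temporary failure in name resolution")
        return [(host, 443)]
    return resolve


# Constructed sample: the three AH01972/AH01941 pairs from the question.
SAMPLE_LOG = [
    "[Mon Jun 30 16:00:52.666880 2014] [ssl:error] [pid 20449] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:54254] AH01972: could not resolve address of OCSP responder EVSSL-ocsp.geotrust.com",
    "[Mon Jun 30 16:00:52.666954 2014] [ssl:error] [pid 20449] AH01941: stapling_renew_response: responder error",
    "[Wed Jul 02 21:16:00.660224 2014] [ssl:error] [pid 13700] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:7467] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com",
    "[Wed Jul 02 21:16:00.660284 2014] [ssl:error] [pid 13700] AH01941: stapling_renew_response: responder error",
    "[Mon Jul 07 13:00:48.082422 2014] [ssl:error] [pid 23502] (EAI 3)Temporary failure in name resolution: [client 12.34.56.78.9:62983] AH01972: could not resolve address of OCSP responder rapidssl-ocsp.geotrust.com",
    "[Mon Jul 07 13:00:48.082505 2014] [ssl:error] [pid 23502] AH01941: stapling_renew_response: responder error",
]

if __name__ == "__main__":
    for host, counts in sorted(parse_resolver_failures(SAMPLE_LOG).items()):
        print(host, dict(counts))
    # Offline demo: two transient failures out of five attempts. Drop the
    # resolve= argument to probe the real resolver from the web server.
    print(probe_resolution("rapidssl-ocsp.geotrust.com", attempts=5,
                           resolve=flaky_resolver(2)))
```

Run the probe on the web server itself (without the resolve= argument, in a loop or from cron) rather than from a workstation: the failures in the log come from httpd's own resolver, so the resolver configuration, /etc/resolv.conf and any local caching daemon on that host are what matter. A non-zero "transient" count with an otherwise healthy "ok" count is the intermittent DNS failure the comments ask about. Note that the browser-side error is consistent with mod_ssl's defaults (SSLStaplingReturnResponderErrors On and SSLStaplingFakeTryLater On): on a failed responder query Apache staples a synthesized tryLater response; setting SSLStaplingReturnResponderErrors Off makes it staple nothing on failure instead, so clients fall back to their own OCSP handling until the cached good response is renewed.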

0 Answers