How to diagnose and resolve OCSP responder errors in cPanel

Network issues prevent your server from reaching the OCSP server


This is by far the most common reason we see for sites reporting these errors. Often, as a result of datacenter blocks, server firewalls or other network interference, the server is unable to connect to the necessary OCSP server. This can most reliably be verified by simply trying to ping the OCSP server named in your error.

If you don’t receive any response to the ping, then there’s likely a network block at play. In that case you should reach out to your datacenter, hosting provider or server administrator to look into the network routing and try to determine why your server cannot reach the OCSP server.

We’ve seen a few isolated cases where incomplete IPv6 configurations can cause issues connecting to OCSP servers as well. This can be tested using ‘ping6’ instead of ‘ping’, which tests an IPv6 connection instead of IPv4. If you receive errors only when using ping6 then it’s possible the IPv6 configuration on the server needs to be fixed, or disabled.

Otherwise, if you are able to successfully ping the OCSP provider it’s possible they may be experiencing service issues.
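
The ping and ping6 checks above can be combined into one script that prints which of the three outcomes applies. This is an added example, not cPanel's own tooling: the function names and the hostname ocsp.example.test are constructed, and it assumes ping6 is installed alongside ping.

```shell
#!/bin/sh
# Added example: turn the article's ping / ping6 checks into one diagnosis.

# Reduce a responder URL (or bare hostname) to the hostname ping expects.
# Assumes a DNS name, not an IPv6 literal.
ocsp_host() {
    h=${1#*://}   # drop the scheme, e.g. "http://"
    h=${h%%/*}    # drop any path
    h=${h%%:*}    # drop any port
    printf '%s\n' "$h"
}

# Probes are separate functions so they can be swapped or stubbed.
# ping only proves ICMP reachability; the OCSP request itself uses HTTP.
probe_v4() { ping  -c 3 "$1" >/dev/null 2>&1; }
probe_v6() { ping6 -c 3 "$1" >/dev/null 2>&1; }

# Print "<verdict>: <next step>" following the article's decision path.
diagnose() {
    host=$(ocsp_host "$1")
    v4=fail; v6=fail
    if probe_v4 "$host"; then v4=ok; fi
    if probe_v6 "$host"; then v6=ok; fi
    case "$v4/$v6" in
        ok/ok)   echo "reachable: check the certificate authority's status page" ;;
        ok/fail) echo "ipv6-failure: IPv6 configuration may need to be fixed or disabled" ;;
        *)       echo "no-ipv4-reply: ask the datacenter, host or server admin to check for a network block" ;;
    esac
}

# Usage: sh ocsp-check.sh http://ocsp.example.test   (constructed hostname)
if [ $# -gt 0 ]; then diagnose "$1"; fi
```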



Certificate Authority may be experiencing service issues

Infrequently, certificate authorities may have service downtime with their OCSP responder servers. If none of the above steps explain the errors being received, then you may want to check with your provider.

For AutoSSL certificates, for example, Sectigo Certificate Authority offers a status page where you can check their service status, and they will announce there if they’re experiencing OCSP issues.

If there are systemic issues with the OCSP responder servers there will likely be a notice on their status page, and ideally a projected ETA for service to be restored.

If any of the above descriptions apply or if there’s a less common issue causing these errors for you, it’s possible to disable OCSP stapling to allow your sites to load again.

We firmly recommend that this only be a temporary workaround, as disabling Stapling places the OCSP burden back on your customers’ browsers, slowing down site load speed and extending SSL/TLS handshake times.

To disable OCSP Stapling, access WHM >> Service Configuration >> Apache Configuration >> Include Editor >> Pre VirtualHost Include >> All Versions and add the following line:

Code:

SSLUseStapling off

Selecting ‘Update’ after this will rebuild the Apache configuration and restart the service, at which point the sites should begin loading as expected again.

Once the systemic issues in contacting OCSP have been addressed, Stapling can be re-enabled by accessing the same interface and removing the line that was added. We at cPanel recommend keeping OCSP Stapling enabled whenever possible, as this improves the security of your HTTPS connections and improves site load speeds by optimizing the SSL/TLS handshake.