If one of your domains does not respond, but all services run as they should, you might face an OCSP Stapling renewal error. Find out how to detect OCSP renewal errors in this article.
The first step is taking a look at the apache error log of your virtual host.
Check the log for one of the following lines:
... [ssl:error] ... (70007)The timeout specified has expired: [client 184.108.40.206:23726] AH01977: failed reading line from OCSP server
... [ssl:error] ... [client x.x.x.x:xxxxxx] AH01980: bad response from OCSP server: (none)
... [ssl:error] ... AH01941: stapling_renew_response: responder error
If you find one of the lines in the error log, then continue reading below.
Otherwise, the error might not be related to the OCSP server.
It is time to manually check if the OCSP server of the certification authority (CA) is up and running correctly.
To do that, you need to determine the OCSP server address to which all stapling requests are sent. You can read this address out of the certificate with the following command:
# openssl x509 -noout -ocsp_uri -in domain.com.crt
Replace domain.com.crt with the path to the domain certificate.
The output is a single line containing the responder URL, for example:
http://gold-server-g2.ocsp.swisssign.net/E7F1E7FD2E53AD11E5811A57A4738F127D98C8AE
The final step is to manually trigger a test against the OCSP server of the CA:
openssl ocsp -issuer domain.com-intermediate.crt -cert domain.com.crt -text -url http://gold-server-g2.ocsp.swisssign.net/E7F1E7FD2E53AD11E5811A57A4738F127D98C8AE
Replace
- domain.com-intermediate.crt with the path to the intermediate certificate of the domain,
- domain.com.crt with the path to the public certificate of the domain,
- and insert the OCSP address instead of the example URL provided above.
Running the test command above displays all the details of the OCSP request and the returned response.
It contains sections for “OCSP Request Data”, “OCSP Response Data” and “Certificate”. The OCSP verification results are displayed at the end of the command output.
If an error occurred during the test, then the response typically only contains the section “OCSP Request Data” and the error message at the end of the command output.
An OCSP response error might look like this:
OCSP Request Data:
...
...
Error connecting BIO
Error querying OCSP responder
139622172279040:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:724:Temporary failure in name resolution
The last 3 lines give you a description of the error. In this example the responder's hostname could not be resolved at all (“Temporary failure in name resolution”), so the request never reached the CA; check DNS resolution on your server before blaming the CA.
With this information, you can take further action, e.g.
- checking whether the CA is aware of the problem by looking at their status page,
- contacting the CA with a detailed description of the problem,
- or temporarily disabling OCSP stapling in your virtual host config until the problem is resolved.
A successful OCSP response looks like this:
OCSP Request Data:
...
...
OCSP Response Data:
...
...
Certificate:
...
...
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
Response verify OK
domain.com.crt: good
This Update: Aug 20 09:53:44 2020 GMT
Next Update: Aug 20 12:53:44 2020 GMT
The last 4 lines tell you that everything is working fine and that the error you are facing with your domain is not OCSP related: “Response verify OK” means the response was signed correctly for this issuer, “good” is the revocation status of your certificate, and “Next Update” is the time after which this response expires and Apache has to fetch a fresh one.
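As an added example (not part of the original article), the two openssl steps above can be scripted into a small monitoring check that classifies the responder's answer, so a failing responder is noticed before Apache's stapling renewal breaks. The certificate file names are the article's placeholders, and the two sample outputs at the bottom are constructed from the article's examples for offline testing.

```shell
#!/bin/sh
# Added example: scripts the article's two openssl steps (extract the responder
# URL, query it) and classifies the answer for use from cron or a monitoring agent.
# File names (domain.com.crt, domain.com-intermediate.crt) are placeholders.

# Step 1: the OCSP responder URL embedded in the leaf certificate.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Classify "openssl ocsp" output read from stdin. $1 is the certificate file
# name, because openssl prefixes the status line with it ("domain.com.crt: good").
# Prints one of: good, revoked, unknown, error.
classify_ocsp_output() {
    cert="$1"
    out=$(cat)
    # Connection and verification failures alike mean stapling cannot renew.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo error
        return 0
    fi
    status=$(printf '%s\n' "$out" | grep -F "$cert: " | head -n 1 | sed 's/.*: //')
    case "$status" in
        good|revoked) echo "$status" ;;
        *) echo unknown ;;
    esac
}

# Step 2: query the responder; exit 0 = good, 1 = revoked/unknown, 2 = responder error.
check_ocsp() {
    cert="$1"
    issuer="$2"
    url=$(ocsp_uri "$cert") || { echo error; return 2; }
    result=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" 2>&1 \
        | classify_ocsp_output "$cert")
    echo "$result"
    case "$result" in
        good) return 0 ;;
        error) return 2 ;;
        *) return 1 ;;
    esac
}

# Constructed samples mirroring the article's two outputs, for offline testing.
SAMPLE_GOOD='Response verify OK
domain.com.crt: good
Next Update: Aug 20 12:53:44 2020 GMT'
SAMPLE_ERROR='OCSP Request Data:
Error connecting BIO
Error querying OCSP responder'
```

Run `check_ocsp domain.com.crt domain.com-intermediate.crt` against real files to perform the live query; its exit code maps directly onto the monitoring states most agents understand.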