Skip to main content

OCSP Stapling Renewal Error

If one of your domains does not respond, but all services run as they should, you might face an OCSP Stapling renewal error. Find out how to detect OCSP renewal errors in this article.

A Look at the Apache Error Log

The first step is taking a look at the apache error log of your virtual host.

Check the log for one of the following lines:

... [ssl:error] ... (70007)The timeout specified has expired: [client] AH01977: failed reading line from OCSP server
... [ssl:error] ... [client x.x.x.x:xxxxxx] AH01980: bad response from OCSP server: (none)
... [ssl:error] ... AH01941: stapling_renew_response: responder error

If you find one of the lines in the error log, then continue reading below.

Otherwise, the error might not be related to the OCSP server.

Determine OCSP Server Address

It is time to manually check if the OCSP server of the certification authority (CA) is up and running correctly.

To do that, you need to determine the OCSP server address to which all stapling requests are sent to. You can acquire this address with the following command:

CLIdetermine OCSP server addresscopy
# openssl x509 -noout -ocsp_uri -in

Replace with the path to the domain certificate.

The output might look something like this and should contain a url:

CLI Outputexample OCSP addresscopy

The final step is to manually trigger a test against the OCSP server of the CA:

CLImanual test against the OCSP of the CAcopy
openssl ocsp -issuer -cert -text -url


  • with the path to the intermediate certificate of the domain,
  • with the path to public certificate of the domain,
  • and insert the OCSP address instead of the example URL provided above.

Reading the Result

Running the test command above displays all the details of the OCSP request and the returned response.

It contains sections for “OCSP Request Data“, “OCSP Response Data“ and “Certificate“. The OCSP verification results are displayed at the end of the command output.

OCSP Response (Error)

If an error occurred during the test, then the response typically only contains the section “OCSP Request Data“ and the error message at the end of the command output.

An OCSP response error might look like this:

CLI Outputexample OCSP response errorcopy
OCSP Request Data:
Error connecting BIO
Error querying OCSP responder
139622172279040:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:724:Temporary failure in name resolution

The last 3 lines give you a description of the error.

With this information, you can take further action, e.g.

  • check if the CA is aware of the problem by looking at their status page,
  • or contacting the CA with a detailed description of the problem,
  • or temporarily disabling OCSP stapling in your virtual host config, until the problem is resolved.

OCSP Response (Success)

A successful OCSP response looks like this:

CLI Outputexample for successful OCSP responsecopy
OCSP Request Data:
OCSP Response Data:
Response verify OK good
        This Update: Aug 20 09:53:44 2020 GMT
        Next Update: Aug 20 12:53:44 2020 GMT

The last 4 lines tell you that everything is working fine and that the error you are facing with your domain is not OCSP related.

Frank Förster, Fullstack Web Developer
I’m Frank Förster, a full-stack web developer from Dresden, Germany. I write about findings of my daily work as a web developer. My articles cover frontend and backend topics with a focus on VueJS, Node and other web technologies.