SSL Lets Encrypt problem

aeternaldreams
Junior Member
Posts: 2
Joined: 13 Jan 2018, 17:34

SSL Lets Encrypt problem

Post by aeternaldreams »

I'm hoping someone can help me with an issue with SSL from letsencrypt and CSF. Basically, I get an error as shown below whenever a site with SSL on my server is accessed.
[Sat Jan 13 16:08:37.809819 2018] [ssl:error] [pid 21409:tid 140024456673024] (70007)The timeout specified has expired: [client 73.233.1.18:51214] AH01974: could not connect to OCSP responder 'ocsp.int-x3.letsencrypt.org'
[Sat Jan 13 16:08:37.809891 2018] [ssl:error] [pid 21409:tid 140024456673024] AH01941: stapling_renew_response: responder error
I've ruled out issues with Apache and made sure the cipher was set to default. When I have the firewall enabled, it appears OCSP Staple is not enabled. When I disable the firewall, Stapling is enabled. I haven't messed with my CSF in quite some time, and letsencrypt's server status says that it is operational.

I've flushed all blocks and tried some other setting changes to no avail. It is pretty baffling. Unfortunately, I have to leave the firewall disabled otherwise my SSL sites are extremely slow to load or do not load at all.

Any advice or help would be appreciated!
sawbuck
Junior Member
Posts: 366
Joined: 10 Dec 2006, 16:20

Re: SSL Lets Encrypt problem

Post by sawbuck »

Any errors if you run?
curl -v "http://ocsp.int-x3.letsencrypt.org/"

This cPanel thread: https://forums.cpanel.net/threads/could ... er.612515/ may have some relevance. Especially resetting the cipher again and testing it.
aeternaldreams
Junior Member
Posts: 2
Joined: 13 Jan 2018, 17:34

Re: SSL Lets Encrypt problem

Post by aeternaldreams »

Thanks for your response. I've been playing around the past couple of days with various settings. Running curl as suggested would produce a timeout with CSF enabled; tweaking some settings would make the timeout occur occasionally when testing with CSF enabled.

It dawned on me to check my CC_Block list, which consisted of CN,RU,UA,DE,KP. After removing all of those and restarting CSF, it appears everything is working as expected. The strange thing is that ocsp.int-x3.letsencrypt.org resolves to a 77.67.*.* IP address from my server, but when I ping with my PC it is 23.38.*.*.

I'll probably just leave the block list empty going forward.
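
Added example (not part of the original thread, and not CSF or Apache code): a small check that pulls the OCSP responder hostname out of the AH01974 error quoted above, resolves it, and reports which resolved addresses fall inside a firewall deny list. The deny ranges and DNS answers are constructed placeholders from documentation address space, and the function names are made up for this illustration.

```python
import ipaddress
import re
import socket

# Matches the Apache mod_ssl error quoted in the thread (AH01974).
AH01974 = re.compile(r"AH01974: could not connect to OCSP responder '([^']+)'")

def responders_in_log(log_text):
    """Return the distinct OCSP responder hostnames named in AH01974 errors."""
    return sorted(set(AH01974.findall(log_text)))

def parse_cidrs(text):
    """Parse one CIDR per line; blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def resolve(host):
    """Resolve a hostname to the set of addresses this machine would use."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def blocked_responders(log_text, deny_nets, resolver=resolve):
    """Map each responder in the log to its addresses that fall in a denied range."""
    report = {}
    for host in responders_in_log(log_text):
        hits = {}
        for addr in sorted(resolver(host)):
            ip = ipaddress.ip_address(addr)
            match = [str(n) for n in deny_nets if ip.version == n.version and ip in n]
            if match:
                hits[addr] = match
        report[host] = hits
    return report

# Log line from the thread; the ranges and addresses below are constructed
# (RFC 5737 documentation space), not real Let's Encrypt or country data.
SAMPLE_LOG = "[Sat Jan 13 16:08:37.809819 2018] [ssl:error] [pid 21409:tid 140024456673024] (70007)The timeout specified has expired: [client 73.233.1.18:51214] AH01974: could not connect to OCSP responder 'ocsp.int-x3.letsencrypt.org'"
SAMPLE_DENY = "# constructed deny ranges\n203.0.113.0/24\n198.51.100.0/25  # partial block\n"
SAMPLE_DNS = {"ocsp.int-x3.letsencrypt.org": {"203.0.113.10", "192.0.2.7"}}

if __name__ == "__main__":
    nets = parse_cidrs(SAMPLE_DENY)
    for host, hits in blocked_responders(SAMPLE_LOG, nets, SAMPLE_DNS.__getitem__).items():
        print(host, "->", hits or "no resolved address is denied")
```

With the default resolver this has to run on the affected server itself, since, as the last post notes, the responder name resolves to different addresses from different locations.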