2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

Also posted to https://bugzilla.mozilla.org/show_bug.cgi?id=1577652 and https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/FB-SfaYo4oc.

On 2019.08.28 we read Apple’s bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP responder returning incorrect results for a precertificate. This prompted us to run our own investigation. We found in an initial review that for 35 of our precertificates, we were serving incorrect OCSP results (“unauthorized” instead of “good”). As with DigiCert, this happened when a precertificate was issued but the corresponding certificate was not issued due to an error.

We’re taking these additional steps to ensure a robust fix:

  • For each precertificate issued according to our audit logs, verify that we are serving a corresponding OCSP response (if the precertificate is currently valid).
  • Configure alerting for the conditions that create this problem, so we can fix any instances that arise in the short term.
  • Deploy a code change to Boulder to ensure that we serve OCSP even if an error occurs after precertificate issuance.
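The first two steps above (reconciling logged precertificates against the responder, and alerting on a precertificate with no final certificate) can be expressed as one reconciliation pass. The following is an added example written for this page, not Boulder's own code. It assumes a newline-delimited JSON audit log with `event`, `serial`, `not_before` and `not_after` fields, and a caller-supplied `ocsp_lookup` function standing in for a live OCSP query; both the log schema and the sample responder state are constructed for the example.

```python
"""Reconcile precertificate audit-log entries against OCSP responder status.

Added example, not Boulder's code. The audit-log schema, serials and
responder state below are all constructed assumptions for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit log (newline-delimited JSON), one record per line.
# Field names are assumptions for this example, not Boulder's real schema.
SAMPLE_AUDIT_LOG = """
{"event": "precert_issued", "serial": "01aa", "not_before": "2019-08-01T00:00:00Z", "not_after": "2019-10-30T00:00:00Z"}
{"event": "cert_issued", "serial": "01aa"}
{"event": "precert_issued", "serial": "02bb", "not_before": "2019-08-20T00:00:00Z", "not_after": "2019-11-18T00:00:00Z"}
{"event": "precert_issued", "serial": "03cc", "not_before": "2019-04-01T00:00:00Z", "not_after": "2019-06-30T00:00:00Z"}
{"event": "precert_issued", "serial": "04dd", "not_before": "2019-08-25T00:00:00Z", "not_after": "2019-11-23T00:00:00Z"}
{"event": "cert_issued", "serial": "04dd"}
"""

# Constructed responder state standing in for live OCSP queries.
# Serial 02bb reproduces the failure mode: precert logged, no final cert,
# responder answers "unauthorized" instead of "good".
SAMPLE_OCSP_STATUS = {"01aa": "good", "02bb": "unauthorized", "04dd": "good"}

# Fixed "now" so the example is deterministic (the date of the report).
NOW = datetime(2019, 8, 28, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an RFC 3339 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_audit_log(text):
    """Group audit events by serial: {serial: {"precert": record|None, "cert": bool}}."""
    by_serial = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        entry = by_serial.setdefault(rec["serial"], {"precert": None, "cert": False})
        if rec["event"] == "precert_issued":
            entry["precert"] = rec
        elif rec["event"] == "cert_issued":
            entry["cert"] = True
    return by_serial


def currently_valid_precerts(by_serial, now=NOW):
    """Serials of logged precertificates whose validity window contains `now`."""
    valid = []
    for serial, entry in sorted(by_serial.items()):
        precert = entry["precert"]
        if precert is None:
            continue
        if _parse_ts(precert["not_before"]) <= now <= _parse_ts(precert["not_after"]):
            valid.append(serial)
    return valid


def find_ocsp_gaps(by_serial, ocsp_lookup, now=NOW):
    """Step 1: valid precerts for which the responder does not serve a definitive status.

    A currently valid precertificate must get "good" (or "revoked" if revoked);
    anything else, including "unauthorized", is a gap to repair.
    """
    gaps = []
    for serial in currently_valid_precerts(by_serial, now):
        status = ocsp_lookup(serial)
        if status not in ("good", "revoked"):
            gaps.append((serial, status))
    return gaps


def precerts_without_final_cert(by_serial):
    """Step 2 alerting condition: precert logged but no final certificate logged."""
    return sorted(
        serial for serial, entry in by_serial.items()
        if entry["precert"] is not None and not entry["cert"]
    )


def sample_ocsp_lookup(serial):
    """Stand-in for an OCSP request; unknown serials answer "unauthorized"."""
    return SAMPLE_OCSP_STATUS.get(serial, "unauthorized")


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("currently valid precerts:", currently_valid_precerts(entries))
    print("OCSP gaps to repair:", find_ocsp_gaps(entries, sample_ocsp_lookup))
    print("precerts lacking a final cert:", precerts_without_final_cert(entries))
```

Serial 03cc shows why the validity check matters: it also lacks a final certificate and would trip the alert, but because it has expired it is not an OCSP gap, matching the "if the precertificate is currently valid" qualifier above. In a real deployment `ocsp_lookup` would build an OCSP request for the precertificate's serial and issuer and return the parsed `CertStatus`.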