All Let's Encrypt certificates show revocation error information

My PC is Windows 10; using any browser to visit a site that uses a Let's Encrypt certificate is OK, for example https://letsencrypt.org/

but when I use an application program that uses the Windows browser control, all applications visiting letsencrypt.org show revocation error information.

Before April it was all OK, but now it shows revocation error information.

My bet is that the program you used is so old that it still requires CRL information. Let's Encrypt certificates don't use CRLs; only OCSP is available.
I don't think Let's Encrypt is able to do anything about that, as they issue many certificates every day and if they published a CRL it would definitely be massive. You might be able to ask on Microsoft forums or find another web browser control solution…

Thank you

1 Like

Hi @zixia

Is this application able to talk with Let's Encrypt via port 80?

That’s required to check the OCSP status.

All other websites whose certificates were not issued by Let's Encrypt can be visited successfully, for example https://cn.bing.com/ https://www.google.com/ https://www.baidu.com/ http://www.soso.com/

All websites whose certificates were issued by Let's Encrypt cannot be visited from applications that use the Windows browser control.

And before April, all websites whose certificates were issued by Let's Encrypt could be visited from applications that use the Windows browser control.

So I think it's an incompatibility issue which happened in April, whether CRL or OCSP is used.

Have you tried to check that browser then?
Or, try to find a newly issued certificate (that isn’t from Let’s Encrypt)?

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

Looking up the error message online, it seems like this is related to OCSP… https://answers.microsoft.com/en-us/windows/forum/all/the-websites-security-certificate-is-not-secure/d119013f-9908-43f3-a6af-8a118a665ebc

I think I found the reason: the Chinese Great Firewall has forbidden ocsp.int-x3.letsencrypt.org.
That's very sad; I will pay for a certificate instead of using Let's Encrypt.
First, applications that use the Windows browser control will visit ocsp.int-x3.letsencrypt.org:80, but in China now ocsp.int-x3.letsencrypt.org has been forbidden,
so the applications cannot trust certificates issued by Let's Encrypt.

1 Like

Oh, that’s bad. But thanks for that information.

Maybe Let's Encrypt can change the OCSP domain name to get past Chinese DNS pollution? Multiple OCSP domains would be a better solution.
In China a large number of sites use Let's Encrypt; please give some help.

First of all, it's just like GitHub's usercontent domain… (But it's Akamai's fault, isn't it?)

I think this is something Akamai might already be working on… As the article said, the issue is on A711, not on Let's Encrypt.

@lestaff: Some users in mainland China are unable to use Let's Encrypt's OCSP endpoint (due to something? on Akamai's end). Is there any way to bypass it?

Thank you

2 Likes

Yes, the article also traces this case of the Chinese Great Firewall forbidding the a771 domain.
https://mp.weixin.qq.com/s/SaSVtXBz_5GRD3wFIf0NGw

OCSP stapling, and servers fetching OCSP responses over Tor?

OCSP stapling is a way, but it is not convenient or stable.

It’s a lot better, though.

With OCSP stapling you only need the server to reach the OCSP responder, not every client.

Thanks for your suggestion, I have set ssl_stapling on to bypass the Let's Encrypt OCSP DNS pollution in China.
I use nginx; I hope SSL stapling is robust and doesn't have a DDoS bug. I don't know whether or not nginx caches the response from the OCSP server.

dig ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50484
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org. IN A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 3746 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 20069 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 35 IN A 93.46.8.89

;; Query time: 0 msec
;; SERVER: 100.100.2.138#53(100.100.2.138)
;; WHEN: Sat Apr 11 10:19:44 2020
;; MSG SIZE rcvd: 147

The Chinese Great Firewall only pollutes a771.dscq.akamai.net, resolving it to random fake IP addresses.

The old OCSP domain ocsp.int-x2.letsencrypt.org resolves correctly.

So Let's Encrypt can change ocsp.int-x3.letsencrypt.org to another CNAME; it's an easy solution.

OCSP stapling will indeed help; however, there are also servers in China that use Let's Encrypt certificates. Those servers are certainly not able to access Let's Encrypt's OCSP endpoints, which means stapling will only work for visitors, not website owners.

1 Like
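An added example of the nginx OCSP stapling configuration the thread is discussing, covering both the caching question raised by the poster and the case raised in the reply above where the web server itself cannot reach the responder. This is not configuration from the poster or from Let's Encrypt; example.com, the certificate paths and the resolver address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                                   # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # placeholder path

    # Stapling: nginx fetches the OCSP response from the responder URL in the
    # leaf certificate's AIA extension, caches it in memory and refetches it
    # before it expires, so clients never have to contact the responder.
    # The fetch is lazy: the first handshakes after (re)start carry no staple.
    ssl_stapling on;

    # Verify the responder's signature against the issuer chain. fullchain.pem
    # contains the intermediate, which is what the verification needs.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

    # Resolver nginx uses for the responder hostname; pick one whose answers
    # for that name you have checked (e.g. with dig, as above).
    resolver 127.0.0.1 valid=300s ipv6=off;                    # placeholder resolver
    resolver_timeout 5s;

    # Alternative for a server that cannot reach the responder at all: obtain
    # the DER-encoded response elsewhere and ship the file. nginx serves it as
    # is and never refetches, so an out-of-band job must replace it before the
    # response's nextUpdate time or clients will receive a stale staple.
    # ssl_stapling_file /etc/nginx/ocsp/example.com.der;       # placeholder path
}
```

To confirm stapling is actually being served, connect with `openssl s_client -connect example.com:443 -servername example.com -status </dev/null` and look for "OCSP Response Status: successful" in the output; an absent "OCSP response" section means nginx has not (yet) obtained a response. A failed fetch does not break handshakes: nginx simply omits the staple, and clients fall back to their own revocation check, which is exactly the path that fails for the Windows browser control in this thread. For the `ssl_stapling_file` route, the file can be produced on a machine that can reach the responder with `openssl ocsp -issuer chain.pem -cert cert.pem -url <responder URL> -respout example.com.der` and copied over on a schedule shorter than the response validity.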

I honestly don't think this is easy (if it is possible at all)… Imagine you are asking Cloudflare to switch their main website to Akamai because "Cloudflare has some bad IP ranges".