All letsencrypt certificates show revocation error information

I think I found the reason: China's Great Firewall has forbidden ocsp.int-x3.letsencrypt.org since April.
That's very sad; I will pay for a certificate instead of Let's Encrypt.
First, applications that use the Windows browser control will visit ocsp.int-x3.letsencrypt.org:80, but in China now ocsp.int-x3.letsencrypt.org has been forbidden.
So the applications cannot trust the certificates issued by letsencrypt.

Oh, that’s bad. But thanks for that information.

Maybe letsencrypt can change the OCSP domain name to get past China's DNS pollution? Multiple OCSP domains would be a better solution.
In China a large number of sites use letsencrypt, please give some help.

First of all, it’s just like GitHub’s usercontent domain… (But it’s Akamai’s fault, isn’t it?)


I think this is something Akamai might already be working on… As the article said, the issue is on A711, not on Let's Encrypt.

@lestaff: Some users in mainland China are unable to use Let's Encrypt's OCSP endpoint (due to something? on Akamai's end). Is there any way to bypass it?

Thank you

Yes, the article also traces this case of China's Great Firewall forbidding the a771 domain.
https://mp.weixin.qq.com/s/SaSVtXBz_5GRD3wFIf0NGw

OCSP stapling, and servers fetching OCSP responses over Tor?

OCSP stapling is a way, but not convenient and stable.

It’s a lot better, though.

With OCSP stapling you only need the server to reach the OCSP responder, not every client.

Thanks for your suggestion, I have set ssl_stapling on to bypass the letsencrypt OCSP DNS pollution in China.
I use nginx; I hope ssl stapling is strong and does not have a DDoS bug. I don't know whether nginx caches the response from the OCSP server or not.

dig ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50484
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org. IN A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 3746 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 20069 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 35 IN A 93.46.8.89

;; Query time: 0 msec
;; SERVER: 100.100.2.138#53(100.100.2.138)
;; WHEN: Sat Apr 11 10:19:44 2020
;; MSG SIZE rcvd: 147

China's Great Firewall only pollutes a771.dscq.akamai.net, resolving it to random fake IP addresses.

The old OCSP domain ocsp.int-x2.letsencrypt.org resolves correctly.

So letsencrypt can change ocsp.int-x3.letsencrypt.org to another CNAME; it's an easy solution.

OCSP stapling will indeed help, however there are also servers in China that use Let's Encrypt certificates. Those servers are certainly not able to access Let's Encrypt's OCSP endpoints, which means stapling will only work for visitors, not website owners.

I honestly don’t think this is easy (if possible) … Imagine you are asking CloudFlare to switch their main website to Akamai because “Cloudflare has some bad IP ranges”.

dig @8.8.8.8 ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @8.8.8.8 ocsp.int-x3.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29551
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org. IN A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 5765 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 13106 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 19 IN A 23.59.247.56
a771.dscq.akamai.net. 19 IN A 23.59.247.98

;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 11 16:0

Google DNS resolves it correctly, so it's only DNS pollution, not an IP block.

You can choose a resolver for nginx to get the OCSP responses: https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver

so you can use something like:

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844];

and use OCSP stapling and Google Public DNS (add others as you want).

I have some experience with the PRC GFW. I can tell you your method does not work. First of all, Google is blocked in the PRC, but the problem still exists even if you choose Cloudflare's 1.1.1.1.

It's because there is deep packet filtering in the PRC internet backbone (GFW); that is, the GFW hijacks internet traffic and pollutes DNS replies, drops packets, and even filters traffic by scanning for keywords in network packets. All sorts of imaginable and unimaginable deep packet scanning techniques are in place, just to make it annoying to surf the "real" internet.

How about VPN? They put statistical packet analysis in place and drop VPN packets…

Yes, I wasn't sure about this, but according to the OP it works (somehow).

Thanks for your suggestion, I get the SSL stapling file on a schedule from a USA host.
It's a better solution.
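The workflow described in this post (fetch the OCSP response on a host whose DNS is not polluted, then hand the DER file to nginx through ssl_stapling_file), written up as an added shell example; it is not the poster's script. Certificate and output paths are placeholders; fetch_staple needs network access to the responder, while status_of_output only parses the text that `openssl ocsp` prints.

```shell
#!/bin/sh
# Added example: refresh an OCSP staple on a host that can reach the responder,
# then ship the DER file to the serving host, whose nginx uses it with
#   ssl_stapling on;  ssl_stapling_file /etc/nginx/ocsp/example.com.der;
# Paths below are placeholders, not values from the thread.
set -eu

CERT="${CERT:-/etc/letsencrypt/live/example.com/cert.pem}"    # leaf certificate
CHAIN="${CHAIN:-/etc/letsencrypt/live/example.com/chain.pem}"  # issuing intermediate
OUT="${OUT:-/etc/nginx/ocsp/example.com.der}"                  # nginx ssl_stapling_file

# The responder URL comes from the leaf's Authority Information Access extension,
# so the polluted hostname never has to be typed into the job by hand.
ocsp_uri_of() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Reduce the text that `openssl ocsp` prints to the certificate's status word
# ("good", "revoked" or "unknown"); prints nothing if no status line is present.
status_of_output() {
  printf '%s\n' "$1" | awk '$NF=="good"||$NF=="revoked"||$NF=="unknown"{print $NF; exit}'
}

# Query the responder, verify the response against the issuer and replace the
# staple file only for a verified "good". Anything else keeps the previous file
# and returns non-zero so the scheduled job is noticed rather than stapled blindly.
fetch_staple() {
  cert="$1"; chain="$2"; out="$3"
  uri="$(ocsp_uri_of "$cert")"
  tmp="$(mktemp "${out}.XXXXXX")"
  # -no_nonce: CA responders serve pre-signed cached responses, so a nonce would
  # never be echoed back; -CAfile: trust the issuer when verifying the signature.
  result="$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" \
              -no_nonce -CAfile "$chain" -respout "$tmp" 2>&1)" || result=""
  if printf '%s\n' "$result" | grep -q '^Response verify OK' &&
     [ "$(status_of_output "$result")" = "good" ]; then
    mv -f "$tmp" "$out"   # atomic replace: nginx never reads a half-written file
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Run from cron every few hours, then copy $OUT to the serving host and run
# `nginx -s reload` there, because nginx reads ssl_stapling_file at (re)load.
if [ "${1:-}" = "fetch" ]; then
  fetch_staple "$CERT" "$CHAIN" "$OUT"
fi
```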

It's so sad, I have to use paid SSL instead of letsencrypt. Many customers open our app very slowly on iPhone devices. OCSP stapling is not a good solution.