Cannot generate an OCSP anymore

My domain is: sdxlive.com

I ran this command:
openssl ocsp -no_nonce -issuer /lets_encrypt/lets-encrypt-r3-cross-signed-x1.pem -cert "$server_certificate_filename" -url http://r11.o.lencr.org -respout "$server_certificate_ocsp"

It produced this output:
Responder Error: unauthorized (6)

The operating system my web server runs on is (include version):
Linux 6.10.0-15-generic
openssl 3.2.2-1ubuntu1

I can login to a root shell on my machine (yes or no, or I don't know):
yes

There used to be no issue with the same command, no later than a few days ago:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = R3
Produced At: Jul 30 23:32:00 2024 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
Serial Number: 03DEC02DA0AEC5D0E5F92CD82086CE50067A
Cert Status: good
This Update: Jul 30 23:32:00 2024 GMT
Next Update: Aug 6 23:31:58 2024 GMT

In the meantime, I have issued a new certificate on the first of august. What is going on?

if you set issuer as r3 but call r11 ocsp endpoint it'd be expected to fail, because r11.o.lencr.org would be signed by r11, not r3's key

3 Likes

Actually, the url is the result of the call:
openssl x509 -in "$server_certificate_filename" -noout -ocsp_uri
http://r11.o.lencr.org

I have just realized that many intermediate CAs including R3 have just been retired. That's what happened.

1 Like

You should probably subscribe to the postings in the API section of this forum. That is where specifics of changes are posted.

The change to intermediates was announced there in April (link here) and originally posted on the website in March

There was also a recent announcement on the website about long-term OCSP plans you may want to keep track of

5 Likes

You already used the URL for the R11 intermediate, so that must have been a hint, right? Unless the R3/R11 terminology wasn't clear to you to that extent :slight_smile:

Note that LE uses R10 and R11 at random to issue certificates, so you shouldn't hardcode the issuer certificate, nor the OCSP URL.

3 Likes
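One way to follow that advice and avoid the "R3 issuer, r11 responder" mismatch from the original post, as an added example that is not code from any poster in this thread. It assumes openssl 1.1.1 or newer and curl, and that the certificate's "CA Issuers" URL serves a DER-encoded issuer certificate (as Let's Encrypt's does); the `ocsp.example.test` / `example.test` names are constructed placeholders.

```shell
#!/bin/sh
# Derive both the OCSP responder and the issuer certificate from the leaf
# certificate's Authority Information Access extension instead of hardcoding
# R3 and r11.o.lencr.org. Assumes openssl >= 1.1.1 and curl are installed.
set -eu

# Print the OCSP responder URI embedded in the certificate.
ocsp_uri_of() {  # ocsp_uri_of LEAF_PEM
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the "CA Issuers" URI from the same extension; this is where the
# intermediate that actually signed the leaf can be downloaded.
ca_issuers_uri_of() {  # ca_issuers_uri_of LEAF_PEM
    openssl x509 -in "$1" -noout -ext authorityInfoAccess |
        sed -n 's/.*CA Issuers - URI://p' | head -n 1
}

# Download the issuer named by the leaf and store it as PEM (assumes the URL
# serves DER, which is what Let's Encrypt's r10/r11 .i.lencr.org hosts do).
fetch_issuer() {  # fetch_issuer LEAF_PEM OUT_ISSUER_PEM
    url=$(ca_issuers_uri_of "$1")
    curl -fsSL "$url" | openssl x509 -inform DER -out "$2"
}

# Return 0 only if ISSUER really signed LEAF. Running this before the OCSP
# query turns "Responder Error: unauthorized (6)" into a clear local failure.
issuer_signed() {  # issuer_signed LEAF_PEM ISSUER_PEM
    openssl verify -partial_chain -trusted "$2" "$1" >/dev/null 2>&1
}

# Query the responder the certificate itself names, with the matching issuer.
ocsp_check() {  # ocsp_check LEAF_PEM ISSUER_PEM OUT_RESPONSE
    issuer_signed "$1" "$2" || { echo "issuer does not match leaf" >&2; return 1; }
    openssl ocsp -no_nonce -issuer "$2" -cert "$1" \
        -url "$(ocsp_uri_of "$1")" -respout "$3"
}
```

Typical use is `fetch_issuer leaf.pem issuer.pem && ocsp_check leaf.pem issuer.pem leaf.ocsp`, re-run after every renewal so a switch from one intermediate to another is picked up automatically.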

Considering the fact that letsencrypt will end OCSP service, I have also dropped its usage.

If that OCSP check was part of some custom Acme client you might want to look at this ARI announcement

Do not let the title of the link fool you. It is about adding support for the latest draft version and dropping the initial one.

4 Likes
