Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
*.visitnow.org
My client application is attempting to do OCSP cert validation via a Cisco WSA proxy server (not sure if relevant or not), and the proxy server and client application are not receiving responses from the Let's Encrypt OCSP responder (proven with Wireshark captures on the client PC, and with tcpdump from the proxy server).
Did some more digging and found what the answer is. We were blocking the HTTP requests at our firewall due to a geoblocking policy. However, this is not something we can unblock, nor is there a simple fix, as the OCSP is hosted by Akamai. We are occasionally getting non-US-based IPs from Akamai's global DNS; when this occurs we block the request.
Can Let's Encrypt set up their Akamai service to only respond with US-based IPs when queried from US-based sources?
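For anyone hitting the same symptom, here is a small script that reproduces the diagnosis above per responder IP: it pulls the OCSP URL out of the site's certificate, resolves the responder several times (a CDN hands out a changing set of addresses), and POSTs a real OCSP request to each address individually so a geoblock that only hits some of the addresses shows up as a mixed result set. This is an added example, not code from this thread, from Cisco or from Let's Encrypt. It assumes a POSIX sh with openssl, dig and curl on PATH, and that the host:port you pass in serves a certificate with an OCSP URL in its AIA extension and sends its issuer in the handshake.

```shell
#!/bin/sh
# Per-IP OCSP reachability check. Added example for the geoblocking diagnosis
# in this thread; not code from the thread, from Cisco or from Let's Encrypt.
# Assumptions: POSIX sh with openssl, dig and curl on PATH; $1 is host:port of
# a TLS endpoint whose leaf certificate carries an OCSP URL in its AIA
# extension and whose issuer certificate is sent in the handshake.
set -u

# Hostname part of an http(s) URL. Pure text helper, no network.
host_of_url() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://([^/:]+).*#\1#'
}

# Classify the HTTP status curl reports for one responder IP. curl prints "000"
# when no HTTP reply came back at all, which is what a firewall silently
# dropping the request looks like: the symptom is "no response", not an error.
classify_status() {
  case "$1" in
    000)         echo "BLOCKED-OR-UNREACHABLE" ;;
    2??|4??|5??) echo "REACHABLE(HTTP $1)" ;;
    *)           echo "UNEXPECTED($1)" ;;
  esac
}

# Save the leaf and the issuer certificate presented by a live TLS endpoint.
fetch_chain() {   # $1 = host:port; writes leaf.pem and issuer.pem in the cwd
  chain=$(openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
            </dev/null 2>/dev/null)
  printf '%s\n' "$chain" | awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' > leaf.pem
  printf '%s\n' "$chain" | awk '/-----BEGIN CERTIFICATE-----/{n++} n==2' > issuer.pem
}

main() {
  fetch_chain "$1"
  url=$(openssl x509 -in leaf.pem -noout -ocsp_uri)
  host=$(host_of_url "$url")
  echo "OCSP responder URL: $url"

  # Build the DER OCSP request once, without sending it (no -url given).
  openssl ocsp -issuer issuer.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null

  # A CDN-fronted responder answers DNS with a changing set of addresses, so
  # resolve it several times and test every distinct A record separately.
  ips=$(i=0; while [ $i -lt 5 ]; do dig +short A "$host"; i=$((i+1)); done \
          | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u)

  for ip in $ips; do
    # POST the request to this IP only, keeping the Host header so the CDN
    # edge still routes it to the responder. Anything the firewall drops
    # shows up as 000; the PTR record is a quick hint about where the edge is.
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
             -H "Host: $host" -H 'Content-Type: application/ocsp-request' \
             --data-binary @req.der "http://$ip/")
    printf '%-15s %s  ptr=%s\n' "$ip" "$(classify_status "$code")" \
           "$(dig +short -x "$ip" | head -n1)"
  done
}

# Run only when a target is given, so the helpers can be sourced on their own.
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh ocsp-per-ip.sh www.example.org:443` (file name and target are placeholders) from the client PC and again from the proxy: the addresses that come back as BLOCKED-OR-UNREACHABLE on one side and REACHABLE on the other are the ones the geoblock is eating. Feed those addresses to whatever geolocation source your firewall policy uses to confirm they are the non-US ones.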