Failed OCSP Requests

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

My client application is attempting to do OCSP cert validation via a Cisco WSA Proxy server (not sure if relevant or not) and the proxy server and client application are not receiving responses from the lets encrypt ocsp responder. (proven with wireshark captures on client PC, and with tcpdump from the proxy server).

This is causing the client application to fail TLS handshake with the site.

Did some more digging and found what the answer is. We were blocking the http requests at our firewall due to a GeoBlocking policy. However, this is not something we can unblock, nor is there a simple fix as the OCSP is hosted by akamai. We are occasionally getting non-US based IPs from akamai’s global DNS, when this occurs we block the request.

Can letsencrypt setup their akamai service to only respond with US based IPs when queried from US based sources?

Non-authoritative answer:
Addresses: 2600:1404:1400:1::ace8:5a0

2600:1404:1400:1::ace8:5a0 is in Dallas and is in Atlanta from my perspective.

Sure, but I’ve also seen all these IPs come across as well. And others that I havnt written down. <<<< this pair being the most common… <<< all these come back as Germany / Netherlands/ UK and are geoblocked. <<< VA, MA, GA <<< IL, MA, GA <<< not geo blocked. GA or MA

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.