Failed to get ocsp stapling no certificate

Everything has been running fine for a long time and all other domains seem to be working as far as I can see but I have this single domain

carolinechapron.com

which keeps producing this in the logs and also no certificate is being generated

2019/11/21 17:17:06 [error] 23649#23649: 11446 [lua] ssl_certificate.lua:255: set_response_cert(): auto-ssl: failed to set ocsp stapling for www.carolinechapron.com - continuing anyway - failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org): OCSP response not successful (6: unauthorized), context: ssl_certificate_by_lua, client: 86.162.112.29, server: 0.0.0.0:443

We are running lua-resty-auto-ssl to auto-generate the certs; this is all running in AWS on an Amazon Linux AMI.

I have pinged http://ocsp.int-x3.letsencrypt.org from the server and it returns 200 OK fine. I cannot see why this one domain will not work.

For this particular domain, on a DNS lookup no records were being returned for some time. Could this be what caused the issue? If so, how can I get a certificate now?

Appreciate any help.


Hi @phil118

that's simple. There is an older check, ~30 minutes old: https://check-your-website.server-daten.de/?q=carolinechapron.com

Both certificates

CN=carolinechapron.com
    valid 21.08.2019 to 19.11.2019
    2 days expired    carolinechapron.com - 1 entry

CN=www.carolinechapron.com
    valid 21.08.2019 to 19.11.2019
    2 days expired    www.carolinechapron.com - 1 entry

are expired. Then the OCSP check doesn't work (that's new).

So change your client usage to skip that OCSP-check.


Hi @phil118,

Welcome to the community forum!

Like @JuergenAuer stated, you’ll need to renew your certificate.

$ echo | openssl s_client -connect "www.carolinechapron.com":443 -servername "www.carolinechapron.com" -verify_hostname "www.carolinechapron.com" 2>/dev/null | openssl x509 -noout -startdate -enddate
notBefore=Aug 21 10:19:47 2019 GMT
notAfter=Nov 19 10:19:47 2019 GMT
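The triage the two answers describe, written out as an added example (this is not code from the thread or from lua-resty-auto-ssl): it parses the auto-ssl error line and the `openssl x509 -startdate -enddate` output shown above, works out whether the certificate had already expired when the entry was logged, and tells an expired certificate apart from a responder that is genuinely unreachable. The point it makes explicit is that "(6: unauthorized)" is an OCSP response status, so an HTTP 200 from the responder URL does not rule it out. It assumes nginx logs timestamps in UTC; the sample log line and the expired-certificate dates are the ones in the thread, and the post-renewal date pair is constructed.

```python
"""Decide whether an auto-ssl OCSP stapling failure is explained by an expired certificate.

Added example, not code from lua-resty-auto-ssl or from the forum thread.
"""
import re
import ssl
from datetime import datetime, timezone

# OCSPResponseStatus values from RFC 6960. The "(6: unauthorized)" in the nginx log is
# this enumeration, not an HTTP status, so a 200 from the responder URL proves nothing.
OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}

# Shape of the nginx/auto-ssl error line quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?"
    r"failed to set ocsp stapling for (?P<host>\S+) .*?"
    r"failed to validate OCSP response \((?P<responder>[^)]+)\): "
    r"OCSP response not successful \((?P<code>\d+): (?P<name>\w+)\)"
)
# Lines printed by `openssl x509 -noout -startdate -enddate`.
DATE_RE = re.compile(r"^(notBefore|notAfter)=(.+)$", re.MULTILINE)

# Constructed sample inputs: the log line from the thread and the openssl output from the answer.
SAMPLE_LOG = (
    "2019/11/21 17:17:06 [error] 23649#23649: 11446 [lua] ssl_certificate.lua:255: "
    "set_response_cert(): auto-ssl: failed to set ocsp stapling for www.carolinechapron.com "
    "- continuing anyway - failed to get ocsp response: failed to validate OCSP response "
    "(http://ocsp.int-x3.letsencrypt.org): OCSP response not successful (6: unauthorized), "
    "context: ssl_certificate_by_lua, client: 86.162.112.29, server: 0.0.0.0:443"
)
SAMPLE_X509_EXPIRED = "notBefore=Aug 21 10:19:47 2019 GMT\nnotAfter=Nov 19 10:19:47 2019 GMT\n"
# Constructed: what the same check would print after a successful renewal.
SAMPLE_X509_RENEWED = "notBefore=Nov 21 18:00:00 2019 GMT\nnotAfter=Feb 19 18:00:00 2020 GMT\n"


def parse_autossl_log(line):
    """Extract timestamp, hostname, responder URL and OCSP status from one error line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an auto-ssl OCSP stapling error line")
    # Assumption: nginx writes the timestamp in UTC; adjust if the host logs in local time.
    ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "logged_at": ts.timestamp(),
        "host": m["host"],
        "responder": m["responder"],
        "status": (int(m["code"]), m["name"]),
    }


def parse_x509_dates(text):
    """Return (notBefore, notAfter) as epoch seconds from openssl's date lines."""
    dates = {k: ssl.cert_time_to_seconds(v.strip()) for k, v in DATE_RE.findall(text)}
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines")
    return dates["notBefore"], dates["notAfter"]


def triage(log_line, x509_text):
    """Combine the log entry with the served certificate's validity and give a verdict."""
    entry = parse_autossl_log(log_line)
    _, not_after = parse_x509_dates(x509_text)
    code, name = entry["status"]
    expired_for = entry["logged_at"] - not_after
    result = dict(entry, expired=expired_for > 0, days_expired=max(0, int(expired_for // 86400)))
    status_name = OCSP_RESPONSE_STATUS.get(code, name)
    if code == 0:
        result["verdict"] = "responder answered successfully; the stapling failure lies elsewhere"
    elif result["expired"]:
        result["verdict"] = (
            f"certificate expired {result['days_expired']} days before this entry; "
            f"'{status_name}' is the expected answer for it, so renew (remove the expired "
            "cert so auto-ssl issues a new one) instead of tuning stapling"
        )
    else:
        result["verdict"] = (
            f"certificate still valid; '{status_name}' means the responder will not answer "
            "authoritatively for it, so compare the certificate's issuer with the responder's CA"
        )
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_X509_EXPIRED, SAMPLE_X509_RENEWED):
        r = triage(SAMPLE_LOG, sample)
        print(r["host"], r["status"], r["days_expired"], r["verdict"])
```

Run it against real data by pasting the offending log line and the output of the `openssl s_client ... | openssl x509 -noout -startdate -enddate` command from the previous reply; a non-zero `days_expired` with status 6 is the situation in this thread.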

Thanks for the speedy reply! Deleting the expired certificate from the server solved the issue.

