Hello, I wonder if someone can shed some light on this issue; after getting the Ruby gem dependencies for MongoDB upgraded (Mongoid from 7.1.5 to 7.3.1), I started seeing the error shown below:
MONGODB | TLS certificate of '{server_name}' could not be definitively verified via OCSP: For responders http://r3.o.lencr.org with a timeout of 5 seconds: OCSP response from http://r3.o.lencr.org is 6: unauthorized
Below is the configuration used, which had never logged any warning prior to the upgrade:
This always happens whenever the job kicks off, which is scheduled for every 10 minutes.
This is a TLS/SSL certificate used by MongoDB when the option ssl-verify is set to true, and one of them points to composeDB, i.e. {our_server_domain}.composedb.com.
Again, this was never logged prior to the upgrade. The app functions without any issue, but what worries me is the "unauthorized" part.
You are querying the ocsp responder every 10 minutes instead of every few days? You're supposed to save the response and the response itself will tell you when to fetch a new one.
The responder's firewall might have blocked you. @lestaff?
Timestamps would be very helpful in trying to debug this from our side. (Timestamps and hostnames would be even better.)
The most common reason for Unauthorized responses tends to be improperly-formatted requests. I can imagine (and have long ago seen) bugs where OCSP stapling doesn't get the intermediate correct on the first try, which would present like this, but I mean this is just throwing darts.
The issue started this morning: 02/21 07:30am EDT (US Eastern).
This warning started showing up after we deployed our changes with updated components: mongoid from 7.1.5 to 7.3.1, along with others: rack (7.6.4 to 7.7.0), puma (5.0.4 to 5.6.2).
If you are able to DM me specific host names and timestamps, that would help. Overall view of that hour looks good without much error noise, but obviously there’s something weird.
Can I reach you via Slack, or what would be the best way to reach you? I have some findings from the MongoDB changeset here. Do let me know the best way to DM you. Thanks.
The standard way to debug problems like this is deploying a patch to the driver that adds extra logging and sets up some debugger breakpoints. Based on the results of that, I would probably file a ticket with MongoDB to at least clarify those messages.
I'm not suggesting this problem isn't due to Let's Encrypt or some sort of network conditions, but Mongo has never been the most reliable software project/company, and you're dealing with something that is most likely a longstanding issue in the client (or your configuration) that was only surfaced by an improvement to their logging practices.
This situation just looks to me like it is most likely caused by a mix of (i) bugs, (ii) lack of documentation, and (iii) lack of developer hooks in the MongoDB driver.