HAProxy SSL Stapling Wildcard

Greetings to all.

I have an installation of HAProxy and am getting a certificate error when I attempt to load my website in Firefox. All other websites are working, but this is affecting traffic (anyone using Firefox can't visit the site). This error appears to be related to OCSP stapling.

I have tried many ways to generate the OCSP request and I am always getting "Responder Error: unauthorized (6)". I have read that this generally means the OCSP response isn't from the same URI that generated the certificate, but I've tried them all, and don't seem to be getting anywhere.

Here is my most recent attempt; I've removed my domain for obvious reasons.

openssl ocsp -no_nonce -respout /etc/haproxy/ssl/mydomain.pem.ocsp -issuer /etc/letsencrypt/live/mydomain.com/chain.pem -verify_other /etc/letsencrypt/live/mydomain.com/chain.pem -cert /etc/letsencrypt/live/mydomain.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org/ -header host=ocsp.int-x3.letsencrypt.org

When my certificate was generated, the flags "--must-staple --staple-ocsp" were used. Could that be adding to my issues?

Any help would be greatly appreciated.

int-x3 is the OCSP endpoint for the old issuer (Let's Encrypt Authority X3).

Let's Encrypt recently moved to a new issuer (R3), and this issuer has a different OCSP endpoint. You can find the correct endpoint for any certificate using the command below:

openssl x509 -in /etc/letsencrypt/live/mydomain.com/cert.pem -noout -ocsp_uri

(Edit: apparently openssl x509 supports -ocsp_uri !)

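The answer above makes the practical point: never hard-code the responder URL, read it out of the certificate every time, because the issuer (and with it the OCSP endpoint) can change under you at renewal. The script below is an added example, not code from the thread or from the HAProxy or Let's Encrypt projects. It derives the URL with the same openssl x509 -ocsp_uri call, fetches and verifies the response against the chain, and installs it only if both succeeded. That last step matters because openssl ocsp writes -respout before it looks at the response status, so a "Responder Error: unauthorized (6)" from the wrong endpoint would overwrite a good staple with an unusable one. With Must-Staple in the certificate, a missing or bad staple is a hard failure in Firefox (which enforces the extension) while most other browsers carry on, which matches the symptom in the first post. Assumptions: OpenSSL 1.1.0 or later (it sets the HTTP Host header itself, so no -header is needed), GNU coreutils (base64 -w 0), the certbot paths from the post, and an HAProxy stats socket at /var/run/haproxy.sock for the optional live update.

```shell
#!/bin/sh
# Added example (not from the original thread): refresh HAProxy's OCSP staple,
# deriving the responder URL from the certificate's AIA extension on every run
# so an issuer change (X3 -> R3) cannot leave a stale, hard-coded URL behind.
# Assumptions: OpenSSL 1.1.0+, GNU base64, and an optional HAProxy stats
# socket at /var/run/haproxy.sock (path is an assumption).
set -eu

# Print the OCSP responder URL embedded in the leaf certificate.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce a URL to its bare host (no scheme, port or path); pure string handling,
# used only for the log line. Example:
#   http://ocsp.int-x3.letsencrypt.org/ -> ocsp.int-x3.letsencrypt.org
url_host() {
    h=${1#*://}                # drop the scheme
    h=${h%%/*}                 # drop the path
    printf '%s\n' "${h%%:*}"   # drop the port
}

# Fetch and verify a response, then install it only if it checked out.
# openssl ocsp exits non-zero on "Responder Error: ..." and on a failed
# signature check, and it writes -respout before inspecting the response,
# so the download goes to a temp file that is moved into place on success.
refresh_staple() {
    cert=$1 chain=$2 staple=$3
    uri=$(ocsp_uri "$cert")
    if [ -z "$uri" ]; then
        echo "no OCSP URI in $cert (certificate has no AIA extension)" >&2
        return 1
    fi
    echo "querying $(url_host "$uri") for $cert" >&2
    tmp=$(mktemp "$staple.XXXXXX")
    if ! openssl ocsp -no_nonce -issuer "$chain" -verify_other "$chain" \
            -cert "$cert" -url "$uri" -respout "$tmp" >&2; then
        rm -f "$tmp"
        echo "OCSP fetch or verify failed; keeping the previous staple" >&2
        return 1
    fi
    mv "$tmp" "$staple"
    # Optional: hand the new staple to a running HAProxy without a reload.
    if [ -S /var/run/haproxy.sock ] && command -v socat >/dev/null 2>&1; then
        printf 'set ssl ocsp-response %s\n' "$(base64 -w 0 "$staple")" \
            | socat stdio /var/run/haproxy.sock
    fi
}

# Usage: refresh-staple.sh <cert.pem> <chain.pem> <haproxy-cert.pem.ocsp>
# e.g. refresh-staple.sh /etc/letsencrypt/live/mydomain.com/cert.pem \
#        /etc/letsencrypt/live/mydomain.com/chain.pem \
#        /etc/haproxy/ssl/mydomain.pem.ocsp
if [ "$#" -eq 3 ]; then
    refresh_staple "$1" "$2" "$3"
fi
```

HAProxy picks up a file named <certificate>.ocsp next to the PEM it serves when it starts, so point the third argument at that name; run the script from cron or a timer well inside the validity window of the responses, and make the cron job fail loudly, because with Must-Staple a silently expired staple takes the site down for Firefox users just as the original post describes.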

Wow. I've been trying to fix this for the better part of a week by myself and in 3 minutes you solved it. Thanks!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.