HELP: How to stop letsencrypt OCSP requests when using the Google Cloud load balancer

Hi all.

I need urgent help with stopping the OCSP requests to letsencrypt.org from being sent when using the Google Cloud load balancer.

I have successfully configured my NGINX server to do OCSP stapling as written and recommended in the Let's Encrypt documentation.

See the log at the end for proof!

The problem is that when I put my server behind the Google Cloud load balancer, OCSP stapling does not work anymore and the OCSP requests are still sent to letsencrypt.org.

How can I solve this problem with OCSP stapling and the Google load balancer?
I searched a lot on the Internet, but there is zero information on how this can be done!!!

My question: if there is no possibility to get OCSP stapling on the Google Cloud load balancer, and it looks like there is none, is it then possible to create my own SSL certificate on the web server and sign it using the Let's Encrypt certificate?
Will this then work in the web browser as a replacement? Could this be a solution, at least so that the requests are no longer sent to letsencrypt.org but instead to my server when using the Google Cloud load balancer?

And if yes, how can this be done step by step when there is no possibility to get the Google Cloud load balancer to do OCSP stapling?

Is there somebody who has the same setup with a Let's Encrypt certificate, OCSP stapling and the Google Cloud load balancer, and how do you solve this problem?

Please help me with this OCSP stapling problem when using the Google Cloud load balancer!

Thank you in advance!
Best regards, Romeo

Log of my server that does successful OCSP stapling without the Google Cloud load balancer:

CONNECTED(00000005)
OCSP response:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: May 28 01:10:00 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 04638B3DBBDB426484E25D816B31BEB0F560
Cert Status: good
This Update: May 28 01:00:00 2020 GMT
Next Update: Jun 4 01:00:00 2020 GMT

Signature Algorithm: sha256WithRSAEncryption
     4d:c4:c4:6c:32:53:61:04:6f:e9:8e:ca:cd:7e:29:44:b2:1a:
     bc:82:fa:88:6e:00:48:3c:73:ff:bb:de:9a:1f:b6:bb:dd:01:
     e6:06:b0:43:ab:e2:0b:39:b1:ef:70:f0:0b:6f:53:bf:fe:6a:
     80:c8:34:b6:ba:e8:41:8d:8f:f5:d8:79:2c:dc:83:f1:f4:2d:
     bb:41:95:d0:12:70:8e:5f:0f:0c:36:19:25:8d:11:32:ed:58:
     1c:ea:0d:0f:75:27:07:27:2c:f5:ae:e0:5e:27:32:4f:a4:c9:
     90:6b:f3:41:47:7d:c5:34:14:dc:02:05:a3:13:03:25:ee:36:
     5d:77:70:c4:fe:15:42:71:05:25:66:9e:57:4f:18:0c:d2:66:
     b6:78:4e:b9:33:28:c7:4e:54:25:21:f3:23:85:a3:7b:80:b8:
     0a:b1:46:52:4f:59:77:e1:53:e1:31:f6:2e:9d:c7:cd:9c:d8:
     60:d2:40:8c:97:52:f6:ef:f2:91:c1:06:59:1b:49:55:13:e7:
     fb:09:b5:d4:0e:c6:89:31:7f:fc:98:07:91:f0:f9:1c:9c:7f:
     44:ce:a2:db:70:93:58:d5:e6:1b:a2:90:3c:e9:55:c5:5b:ff:
     aa:19:a2:22:14:c1:09:6f:0a:25:dd:18:6b:2a:cd:2e:17:c3:
     7b:ae:42:e5

======================================

Log of the server running behind the Google Cloud load balancer, which clearly shows that OCSP stapling is not working when using the balancer and all requests are sent to letsencrypt.org, which is bad!

CONNECTED(00000005)
OCSP response: no response sent
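Added example, not code from the original post or from Let's Encrypt: the `openssl s_client -status` check the poster ran, scripted so the same test can be pointed at both endpoints and read by a machine. It classifies what the TLS endpoint you actually connect to sends in the handshake; when a load balancer terminates TLS in front of NGINX, that endpoint is the load balancer, so the stapling configuration on the backend is not what the client sees. The sample inputs are constructed excerpts of the two logs above; the live check additionally assumes the `openssl` CLI is installed and that the target terminates TLS on the given port.

```shell
#!/bin/sh
# Added example, not code from the original post or from Let's Encrypt:
# classify the output of `openssl s_client -status` so the stapling check
# can be scripted. The classifier works on captured text only; the live
# check at the bottom assumes the `openssl` CLI is installed and that the
# target terminates TLS on the given port (both are assumptions).

# Read s_client output on stdin and print exactly one word:
#   stapled-good     a successful OCSP response was stapled and says "good"
#   stapled-revoked  a response was stapled and says "revoked"
#   stapled-other    a response was stapled with some other cert status
#   not-stapled      the server sent no OCSP response in the handshake
#   unknown          neither marker seen (connect failure, wrong port, ...)
classify_ocsp_status() {
    out=$(cat)
    case "$out" in
        *'OCSP response: no response sent'*) echo not-stapled ;;
        *'OCSP Response Status: successful'*)
            case "$out" in
                *'Cert Status: good'*)    echo stapled-good ;;
                *'Cert Status: revoked'*) echo stapled-revoked ;;
                *)                        echo stapled-other ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Print the "Next Update" value of a stapled response (nothing if absent):
# the point at which the stapled response expires and the server must
# have fetched a fresh one from the responder.
ocsp_next_update() {
    sed -n 's/^[[:space:]]*Next Update: //p'
}

# Live check: connect to HOST (default port 443) with SNI set, request a
# stapled response with -status, and classify what the TLS endpoint that
# actually answers (the load balancer, if one terminates TLS) sends back.
# </dev/null closes stdin so s_client exits right after the handshake.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>&1 | classify_ocsp_status
}

# Constructed sample inputs, abbreviated from the two logs in the post above.
SAMPLE_STAPLED='CONNECTED(00000005)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: May 28 01:00:00 2020 GMT
    Next Update: Jun 4 01:00:00 2020 GMT'

SAMPLE_NOT_STAPLED='CONNECTED(00000005)
OCSP response: no response sent'

# Stand-alone run: classify the samples, then check a live host if one is given.
printf '%s\n' "$SAMPLE_STAPLED"     | classify_ocsp_status   # stapled-good
printf '%s\n' "$SAMPLE_STAPLED"     | ocsp_next_update       # Jun 4 01:00:00 2020 GMT
printf '%s\n' "$SAMPLE_NOT_STAPLED" | classify_ocsp_status   # not-stapled
if [ $# -gt 0 ]; then
    check_stapling "$1" "$2"
fi
```

Run it as `sh check_stapling.sh www.example.com` against the load balancer's public name and again against the NGINX instance directly: `stapled-good` on the backend and `not-stapled` on the front end is exactly the situation the two logs above document, and it means the client's OCSP lookup is decided by the endpoint that terminates TLS, not by the NGINX `ssl_stapling` setting behind it.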

Hi @LinuXperia

That's not possible. That's how OCSP works.

If it were possible to stop such OCSP queries, OCSP would be completely broken.

If you don’t want that, you shouldn’t use certificates with OCSP.

Or you have to change your setup so your configuration supports a server with OCSP stapling.

That’s expected. If you don’t want that:

  • your configuration is wrong (I don’t use the google cloud load balancer, so I have no idea if this is a config problem) (or)
  • don’t use the google cloud load balancer
