How to solve OCSP_check_validity() error?


#1

On my server I have an API with hundreds requests per second and every day I get an error in my Nginx error.log:
OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

I tried to disable ssl_stapling but it does not work.

My web server is: nginx/1.14.0 (latest stable)

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (xenial)

My hosting provider is: OVH.com

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no


#2

Is your server’s date correct? Do you have an ntp service running?


#3

Date is correct but I have no ntp service


#4

What does this show:

timedatectl status

and for comparison:

curl -i letsencrypt.org 2>&1 | grep Date

The only other thing I can think of that would cause this is if the OCSP service was actually serving stale results, but we’d need to know what the domain is and where you’re querying from to figure that part out. That did happen in the past, but it was widely reported by many users.