Identrust OCSP producing errors

It looks to me the OCSP server of Identrust is down.

Usually few clients do OCSP checks of the intermediate cert, thus this probably doesn’t show up very often. I noticed because I have some monitoring set up using gnutls-cli with ocsp checks to verify if certificates are okay.

You can check e.g. with:
gnutls-cli --ocsp letsencrypt.org:443

This is what I get:
Connecting to OCSP server: isrg.trustid.ocsp.identrust.com
Resolving ‘isrg.trustid.ocsp.identrust.com:80’…
Connecting to ‘2a02:26f0:3100::1735:2a09:80’…
importing response: ASN1 parser: Error in TAG.

(There’s a curious behavior of gnutls that it does not check the ocsp of the intermediate if the server runs ocsp stapling, so this only reproduces on servers without stapling.)

1 Like

It sure seems that way:

$ openssl ocsp -no_nonce -url "http://isrg.trustid.ocsp.identrust.com" \
-issuer dst.pem -cert chain.pem  -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6FF4684D4312D24862819CC02B3D472C1D8A2FA6
          Issuer Key Hash: C4A7B1A47B2C71FADBE14B9075FFC41560858910
          Serial Number: 0A0141420000015385736A0B85ECA708
Error querying OCSP responder
140671078831424:error:27076072:OCSP routines:parse_http_line1:server response error:../crypto/ocsp/ocsp_ht.c:260:Code=503,Reason=Service Unavailable

Code=503,Reason=Service Unavailable

At least, in 4-7 months from now, we’ll all be on the ISRG root and there will only be one OCSP server to worry about :slight_smile: .

2 Likes

That soon?  

1 Like

It was gonna happen last year but got delayed because of (I think) Android.

3 Likes

@_az Thanks.


Perhaps @lestaff needs to know about this, so they can contact IdenTrust.

4 Likes

Thanks for the report @hannob, and thanks for the ping @Osiris. Our team is aware of the issue and has been working with IdenTrust to help resolve it.

5 Likes

It seems this works again now, but may I propose that Let’s Encrypt adds some monitoring of the Identrust OCSP?

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.