hannob
April 25, 2020, 7:53am
1
It looks to me like the OCSP server of IdenTrust is down.
Usually few clients do OCSP checks of the intermediate cert, thus this probably doesn’t show up very often. I noticed because I have some monitoring set up using gnutls-cli with ocsp checks to verify if certificates are okay.
You can check e.g. with:
gnutls-cli --ocsp letsencrypt.org:443
This is what I get:
Connecting to OCSP server: isrg.trustid.ocsp.identrust.com …
Resolving ‘isrg.trustid.ocsp.identrust.com:80’…
Connecting to ‘2a02:26f0:3100::1735:2a09:80’…
importing response: ASN1 parser: Error in TAG.
(There’s a curious behavior of gnutls that it does not check the ocsp of the intermediate if the server runs ocsp stapling, so this only reproduces on servers without stapling.)
1 Like
_az
April 25, 2020, 8:07am
2
It sure seems that way:
$ openssl ocsp -no_nonce -url "http://isrg.trustid.ocsp.identrust.com" \
    -issuer dst.pem -cert chain.pem -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6FF4684D4312D24862819CC02B3D472C1D8A2FA6
          Issuer Key Hash: C4A7B1A47B2C71FADBE14B9075FFC41560858910
          Serial Number: 0A0141420000015385736A0B85ECA708
Error querying OCSP responder
140671078831424:error:27076072:OCSP routines:parse_http_line1:server response error:../crypto/ocsp/ocsp_ht.c:260:Code=503,Reason=Service Unavailable
Code=503,Reason=Service Unavailable
At least, in 4-7 months from now, we'll all be on the ISRG root and there will only be one OCSP server to worry about.
2 Likes
_az
April 25, 2020, 8:31am
4
It was gonna happen last year but got delayed because of (I think) Android.
3 Likes
Osiris
April 25, 2020, 8:37am
5
@_az Thanks.
Perhaps @lestaff needs to know about this, so they can contact IdenTrust.
4 Likes
jsha
April 25, 2020, 4:41pm
6
Thanks for the report @hannob, and thanks for the ping @Osiris. Our team is aware of the issue and has been working with IdenTrust to help resolve it.
5 Likes
hannob
April 30, 2020, 12:22pm
7
It seems this works again now, but may I propose that Let’s Encrypt adds some monitoring of the Identrust OCSP?
2 Likes
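The monitoring hannob proposes above needs to turn `openssl ocsp` output (as in _az's post) into a pass/alert decision, and an outage like the HTTP 503 seen in this thread must be reported differently from a "good" answer, a revoked certificate, or a response whose signature fails to verify. The following shell script is an added example written for this page, not code from any participant or from Let's Encrypt; the sample outputs it embeds are constructed to mirror the format `openssl ocsp` prints, and the `check_ocsp` wrapper assumes the same `-issuer`/`-cert`/`-url` invocation shown above.

```shell
#!/bin/sh
# Added example: classify `openssl ocsp` output for a monitoring job.
# Status tokens: GOOD, REVOKED, UNKNOWN, VERIFY_FAILURE,
#                RESPONDER_ERROR[_HTTP_<code>], UNPARSEABLE

# Reads `openssl ocsp` output (stdout+stderr merged) on stdin and prints one token.
classify_ocsp_output() {
    out=$(cat)
    # Responder reachable but not serving (the 503 case in this thread).
    if printf '%s\n' "$out" | grep -q 'Error querying OCSP responder'; then
        code=$(printf '%s\n' "$out" | sed -n 's/.*Code=\([0-9][0-9]*\).*/\1/p' | head -n 1)
        echo "RESPONDER_ERROR${code:+_HTTP_$code}"
        return 0
    fi
    # Responder answered but the response signature did not verify.
    if printf '%s\n' "$out" | grep -q 'Response Verify Failure'; then
        echo VERIFY_FAILURE
        return 0
    fi
    # Per-certificate status line: "<file>: good|revoked|unknown".
    status=$(printf '%s\n' "$out" | grep -E '^[^:]+: (good|revoked|unknown)$' | head -n 1 | sed 's/.*: //')
    case "$status" in
        good)    echo GOOD ;;
        revoked) echo REVOKED ;;
        unknown) echo UNKNOWN ;;
        *)       echo UNPARSEABLE ;;
    esac
}

# Live check (needs network): issuer.pem cert.pem responder-url.
# Prints the token and exits 0 only for GOOD, so it slots into cron/Nagios-style checks.
check_ocsp() {
    result=$(openssl ocsp -no_nonce -url "$3" -issuer "$1" -cert "$2" 2>&1 | classify_ocsp_output)
    echo "$result"
    [ "$result" = GOOD ]
}

# Constructed sample outputs (not captured from a real responder).
SAMPLE_503='Error querying OCSP responder
140671078831424:error:27076072:OCSP routines:parse_http_line1:server response error:../crypto/ocsp/ocsp_ht.c:260:Code=503,Reason=Service Unavailable
Code=503,Reason=Service Unavailable'

SAMPLE_GOOD='Response verify OK
chain.pem: good
	This Update: Apr 25 00:00:00 2020 GMT
	Next Update: May  2 00:00:00 2020 GMT'

SAMPLE_REVOKED='Response verify OK
chain.pem: revoked
	This Update: Apr 25 00:00:00 2020 GMT
	Reason: keyCompromise
	Revocation Time: Apr 24 12:00:00 2020 GMT'

SAMPLE_BADSIG='Response Verify Failure
140671078831424:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:../crypto/ocsp/ocsp_vfy.c:86:
chain.pem: good'

# Runs the classifier over the constructed samples and prints one line each.
demo() {
    for name in SAMPLE_503 SAMPLE_GOOD SAMPLE_REVOKED SAMPLE_BADSIG; do
        eval "sample=\$$name"
        printf '%s -> %s\n' "$name" "$(printf '%s\n' "$sample" | classify_ocsp_output)"
    done
}
```

Run `demo` to see the classification of the samples, or `check_ocsp dst.pem chain.pem http://isrg.trustid.ocsp.identrust.com` to monitor the intermediate the way the thread does. The verify-failure check comes before the status-line check on purpose: openssl still prints the per-certificate status after a signature failure, and a monitor must not trust that line.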
system
Closed
May 30, 2020, 12:22pm
8
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.