Identrust OCSP producing errors

It looks to me the OCSP server of Identrust is down.

Usually few clients do OCSP checks of the intermediate cert, thus this probably doesn’t show up very often. I noticed because I have some monitoring set up using gnutls-cli with ocsp checks to verify if certificates are okay.

You can check e.g. with:
gnutls-cli --ocsp letsencrypt.org:443

This is what I get:
Connecting to OCSP server: isrg.trustid.ocsp.identrust.com
Resolving ‘isrg.trustid.ocsp.identrust.com:80’…
Connecting to ‘2a02:26f0:3100::1735:2a09:80’…
importing response: ASN1 parser: Error in TAG.

(There’s a curious behavior of gnutls that it does not check the ocsp of the intermediate if the server runs ocsp stapling, so this only reproduces on servers without stapling.)

1 Like

It sure seems that way:

$ openssl ocsp -no_nonce -url "http://isrg.trustid.ocsp.identrust.com" \
-issuer dst.pem -cert chain.pem  -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6FF4684D4312D24862819CC02B3D472C1D8A2FA6
          Issuer Key Hash: C4A7B1A47B2C71FADBE14B9075FFC41560858910
          Serial Number: 0A0141420000015385736A0B85ECA708
Error querying OCSP responder
140671078831424:error:27076072:OCSP routines:parse_http_line1:server response error:../crypto/ocsp/ocsp_ht.c:260:Code=503,Reason=Service Unavailable

Code=503,Reason=Service Unavailable

At least, in 4-7 months from now, we'll all be on the ISRG root and there will only be one OCSP server to worry about :slight_smile: .

2 Likes

That soon?  

1 Like

It was gonna happen last year but got delayed because of (I think) Android.

3 Likes

@_az Thanks.


Perhaps @lestaff needs to know about this, so they can contact IdenTrust.

4 Likes

Thanks for the report @hannob, and thanks for the ping @Osiris. Our team is aware of the issue and has been working with IdenTrust to help resolve it.

5 Likes

It seems this works again now, but may I propose that Let’s Encrypt adds some monitoring of the Identrust OCSP?

2 Likes
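A small monitoring check in the spirit of what the last post proposes, querying the intermediate's OCSP responder the way the first two posts do by hand. This is an added example, not code from the thread, from Let's Encrypt or from IdenTrust; the file names chain.pem (the intermediate) and root.pem (its issuer) are assumptions, and the output patterns are the ones visible in the thread plus OpenSSL's own verify strings.

```shell
#!/bin/sh
# Added example: check the OCSP status of an intermediate certificate
# against its issuer and reduce openssl's output to one word, so that a
# responder outage (HTTP 503) or an unparsable response is alarmed on
# separately from a genuine "revoked".

# classify_ocsp_output reads openssl/gnutls OCSP output on stdin and
# prints one of: unavailable, parse-error, verify-failed, good, revoked,
# unknown. Error patterns are tested before the status line because
# openssl still prints a status after a failed signature check.
classify_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"Code=503"*|*"Service Unavailable"*)   echo unavailable ;;
        *"Error in TAG"*|*"asn1 encoding routines"*) echo parse-error ;;
        *"Response Verify Failure"*)            echo verify-failed ;;
        *": good"*)                             echo good ;;
        *": revoked"*)                          echo revoked ;;
        *)                                      echo unknown ;;
    esac
}

# check_intermediate_ocsp CERT ISSUER
# Reads the OCSP URI from CERT's AIA extension, queries it with the
# issuer's key as in the thread, and verifies the response against ISSUER.
check_intermediate_ocsp() {
    cert=$1
    issuer=$2
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$uri" ]; then
        echo no-ocsp-uri
        return 1
    fi
    openssl ocsp -no_nonce -url "$uri" -issuer "$issuer" -cert "$cert" \
        -CAfile "$issuer" -text 2>&1 | classify_ocsp_output
}

# Usage (assumed file names): check_intermediate_ocsp chain.pem root.pem
```

Anything other than "good" is worth an alert; "unavailable" and "parse-error" are exactly the two symptoms reported above and should page the team responsible for the responder rather than be treated as a revocation.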