Invalid OCSP response for : no matching responder certificate could be found

Dear Let’s Encrypt community,

when I try to run certbot-auto renew --dry-run

I get the following error:
Invalid OCSP response for /etc/letsencrypt/archive/ov01/cert.pem: no matching responder certificate could be found.

Is there a way to fix this error?

Thank you.

Best Regards.

Which CA issued that certificate? What are the actual domains on it?

The CA is sectigo.

The domain is correct and the certificate is working.

What could be the issue? Is there documentation about this issue?

If you shared the domain name, we could perform an OCSP query for that certificate against the Sectigo responder, and check whether there was an interoperability problem with Certbot’s OCSP client.

Otherwise, you need to ask Sectigo.

Can I perform an OCSP query on my own?

Well, sure. But I’m not sure it’s going to help you unless you’re also going to dig into Certbot’s source code to investigate why it’s happening.

To do an OCSP query, you need to extract the OCSP URL from the certificate:

openssl x509 -in cert.pem -noout -text | grep -i ocsp
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org

and then use that URL to perform the query:

openssl ocsp -no_nonce -url "http://ocsp.int-x3.letsencrypt.org" -issuer chain.pem -cert cert.pem  -text

I did it.

It seems fine:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Cert Status: good
Response verify OK

No visible error.

Indeed, which is why I suspected the blame is with Certbot’s OCSP client.

Could you at least please share what the issuer of your certificate is? That way, I can just try to reproduce this using some other random Sectigo-issued certificate.

openssl x509 -in chain.pem -noout -subject -serial

subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA

serial=137D539CAA7C31A9A433701968847A8D

Thanks, I will try to reproduce it.


OK, easy enough to reproduce.

I think that Sectigo’s OCSP response is correct, it’s just that Certbot’s OCSP client does not fully implement the OCSP standard.

In a Basic Response, the ResponderID may either be a name or a public key hash. Certbot only supports responses with a name, but Sectigo uses the other method.

I have filed an issue with the Certbot project (https://github.com/certbot/certbot/issues/7986), but for now, it’s worth noting that the issue is non-critical - it does not affect renewal or your ability to issue certificates. It just means that Certbot will, for now, fail to check whether your certificate is revoked.

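The two ResponderID encodings described above (byName, which Certbot handled, and byKey, which Sectigo uses), shown as an added example that is not Certbot's or Sectigo's code. It uses the Python `cryptography` library to build an issuer, a leaf certificate and a signed OCSP response entirely in memory (the names `Test OV CA` and `example.test` are made up), then matches the responder certificate against either encoding as RFC 6960 allows:

```python
import hashlib
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def _cert(cn, issuer_name, signing_key, key):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=30))
            .sign(signing_key, hashes.SHA256()))

def build_fixture(encoding):
    """Constructed issuer (also the OCSP responder), leaf cert and signed OCSP response."""
    issuer_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test OV CA")])
    issuer = _cert("Test OV CA", ca_name, issuer_key, issuer_key)
    leaf = _cert("example.test", ca_name, issuer_key, leaf_key)
    now = datetime.now(timezone.utc)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=issuer, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                          next_update=now + timedelta(days=1), revocation_time=None, revocation_reason=None)
            .responder_id(encoding, issuer)  # OCSPResponderEncoding.NAME (byName) or .HASH (byKey)
            .sign(issuer_key, hashes.SHA256()))
    return issuer, ocsp.load_der_ocsp_response(resp.public_bytes(serialization.Encoding.DER))

def key_hash(cert):
    """RFC 6960 KeyHash: SHA-1 over the subjectPublicKey BIT STRING contents (RSAPublicKey DER)."""
    spk = cert.public_key().public_bytes(serialization.Encoding.DER, serialization.PublicFormat.PKCS1)
    return hashlib.sha1(spk).digest()

def find_responder_cert(response, candidates):
    """Match ResponderID by name or by key hash; a name-only check misses byKey responses."""
    for cand in candidates:
        if response.responder_name is not None and cand.subject == response.responder_name:
            return cand
        if response.responder_key_hash is not None and key_hash(cand) == response.responder_key_hash:
            return cand
    return None

def check_both_encodings():
    """[byName matched, byKey matched]; comparing only names would give [True, False]."""
    encodings = (ocsp.OCSPResponderEncoding.NAME, ocsp.OCSPResponderEncoding.HASH)
    return [find_responder_cert(r, [c]) is c for c, r in map(build_fixture, encodings)]
```

A client that only compares `responder_name` returns no match for the byKey fixture, which is the "no matching responder certificate could be found" condition this thread hit.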

I understand.

Thank you a lot :innocent: :innocent:
