Invalid OCSP response nextUpdate is in the past

swang-ccor · June 11, 2019, 9:03pm

Hi all

Many thanks to your help in advance.

I still have issues with auto renew SSL on our site.
Here is the command run to renew existing SSL.

sudo -H /opt/letsencrypt/letsencrypt-auto certonly --standalone --renew-by-default -d www.c
-cor.com.au -d c-cor.com.au -dmy.c-cor.com.au -d spec.c-cor.com.au >>/home/ec2-user/log/let
sencrypt-auto-update.log

Output is:
[ec2-user@ip-172-31-21-249 letsencrypt]$ /bin/sh /home/ec2-user/bin/renewSSLscript.sh
Stopping httpd: [ OK ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for c-cor.com.au
http-01 challenge for my.c-cor.com.au
http-01 challenge for spec.c-cor.com.au
http-01 challenge for www.c-cor.com.au
Waiting for verification…
Cleaning up challenges
Starting httpd:

My domain is:www.c-cor.com.au

I ran this command:
sudo ./certbot-auto certificates

It produced this output:
Invalid OCSP response for /etc/letsencrypt/live/my.c-cor.com.au/cert.pem: param nextUpdate is in the past…
Invalid OCSP response for /etc/letsencrypt/live/www.c-cor.com.au/cert.pem: param nextUpdate is in the past…

Found the following certs:
Certificate Name: c-cor.com.au
Domains: www.c-cor.com.au c-cor.com.au
Expiry Date: 2019-07-06 21:58:55+00:00 (VALID: 25 days)
Certificate Path: /etc/letsencrypt/live/c-cor.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/c-cor.com.au/privkey.pem
Certificate Name: my.c-cor.com.au
Domains: my.c-cor.com.au
Expiry Date: 2019-04-27 23:18:39+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/my.c-cor.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/my.c-cor.com.au/privkey.pem
Certificate Name: spec.c-cor.com.au
Domains: www.c-cor.com.au c-cor.com.au my.c-cor.com.au spec.c-cor.com.au
Expiry Date: 2019-09-09 19:49:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/spec.c-cor.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/spec.c-cor.com.au/privkey.pem
Certificate Name: www.c-cor.com.au
Domains: www.c-cor.com.au
Expiry Date: 2019-04-27 23:28:00+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.c-cor.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.c-cor.com.au/privkey.pem

My web server is (include version): Apache 2.4.39

The operating system my web server runs on is (include version):

[ec2-user@ip-172-31-21-249 letsencrypt]$ cat /etc/os-release
NAME=“Amazon Linux AMI”
VERSION=“2018.03”
ID=“amzn”
ID_LIKE=“rhel fedora”
VERSION_ID=“2018.03”
PRETTY_NAME=“Amazon Linux AMI 2018.03”
ANSI_COLOR=“0;33”
CPE_NAME=“cpe:/o:amazon:linux:2018.03:ga”
HOME_URL=“http://aws.amazon.com/amazon-linux-ami/”

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know):Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

ezekiel · June 11, 2019, 9:48pm

Hello @swang-ccor,

Check the EC2 instance system clock. Is the clock being synchronized via NTP?

_az · June 11, 2019, 10:03pm

I’ve been getting similar errors since ~0.35.0 (though not sure exactly which release).

My system clock is correct.

My observation is that the error only affects expired certificates.

I assume Let’s Encrypt OCSP signer does not create new signatures for expired certificates, which might explain why nextUpdate would be in the past for an expired certificate.

Perhaps the issue is that Certbot is trying to do OCSP checks for expired certificates in the first place?

mnordhoff · June 12, 2019, 8:08am

Pure speculation:

Could there have been a change Let’s Encrypt-side? For example, if the CDN used to immediately purge OCSP responses for expired certificates, and serve “unknown”, and now they sometimes cache and serve expired responses?

(If so, what do the BRs say should happen?)

Edit: Certbot also got a new OCSP implementation recently. (Using Python, if library support is available, instead of executing “openssl ocsp”.) So some of the corner cases and error messages could’ve changed.

swang-ccor · June 12, 2019, 11:50am

Thanks for your reply @ezekiel,

After checking with ntp which is correct, I am still getting same error message.

[ec2-user@ip-172-31-21-249 letsencrypt]$ chronyc sources -v
210 Number of sources = 5

.-- Source mode ‘^’ = server, ‘=’ = peer, ‘#’ = local clock.
/ .- Source state ‘*’ = current synced, ‘+’ = combined , ‘-’ = not combined,
| / ‘?’ = unreachable, ‘x’ = time may be in error, ‘~’ = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | |
MS Name/IP address Stratum Poll Reach LastRx Last sample

^* 169.254.169.123 3 6 377 11 -72us[ -75us] +/- 506us
^- ntp.2000cn.com.au 1 6 377 13 +2100us[+2097us] +/- 26ms
^- cosima.470n.act.tsgnl.co 2 6 377 10 +592us[ +592us] +/- 48ms
^- eth817.qld.adsl.internod> 2 6 377 9 -639us[ -639us] +/- 36ms
^- eth1733.vic.adsl.interno> 1 6 377 13 +3391us[+3388us] +/- 11ms
[ec2-user@ip-172-31-21-249 letsencrypt]$ sudo ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Invalid OCSP response for /etc/letsencrypt/live/my.c-cor.com.au/cert.pem: param nextUpdate is in the past…
Invalid OCSP response for /etc/letsencrypt/live/www.c-cor.com.au/cert.pem: param nextUpdate is in the past…

jsha · June 12, 2019, 9:39pm

Yep, @_az's got it exactly right here. We don't update OCSP for expired certificates. Arguably we could make that clearer by returning "unauthorized" instead of a stale OCSP response. But I don't think any behavior has changed recently.

@bmw can you confirm whether Certbot requests OCSP for expired certificates? If so, could you file an issue to fix?

@swang-ccor, to summarize the issue for you: It looks like this is a bug in Certbot, but it is harmless and you can ignore the error message if you like.

bmw · June 12, 2019, 10:29pm

It does. Thanks for the ping. I've created Don't send OCSP requests for expired certificates · Issue #7152 · certbot/certbot · GitHub.

swang-ccor · June 13, 2019, 8:18am

Thanks all @bmw, @jsha, @mnordhoff, @_az, @ezekiel for the prompt and helpful responses.
It is such a friendly and wonderful forum user group.

Many thanks.
Steve

jsha · June 13, 2019, 7:12pm

Thanks for the kind words, @swang-ccor! It really makes my day to hear that you’ve found our forum to be friendly and wonderful.

system · July 13, 2019, 7:12pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.