Is OCSP responder broken?


#1

I noticed that my server stopped sending stapled OCSP responses.
A manual request also did not work.

    $ openssl ocsp -no_nonce -issuer chain.pem -cert cert_rsa.pem -text -url http://ocsp.int-x3.letsencrypt.org
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
              Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
              Serial Number: 03B5AC99A8DAA340735BFF0FCC987FB366CA
    Error querying OCSP responder
    140447121786520:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

The trick with a cert from the staging server also did not work.

    $ openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -url http://ocsp.stg-int-x1.letsencrypt.org -text
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: C29C130A07D1FF36475F8766B701C13205DF6527
              Issuer Key Hash: C0CC0346B95820CC5C7270F3E12ECB20A6F5683A
              Serial Number: FAC7913BD6FE6B3A7BC6F117C48AD7AFCDCB
    Error querying OCSP responder
    139893942929048:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

#2

Could you invoke the OCSP query in this way please:

    openssl ocsp -verify_other chain.pem \
        -issuer chain.pem -cert cert.pem \
        -text -url http://ocsp.int-x3.letsencrypt.org \
        -header "Host" "ocsp.int-x3.letsencrypt.org"

#3

Thanks, I got the response via openssl.
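
The query from post #2 as a reusable check, added here as an example and not part of any post in the thread: it reads the responder URL from the certificate itself and always sends an explicit Host header. The function names, the `ocsp_check.sh` file name and the treatment of non-OpenSSL builds are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh ocsp_check.sh cert.pem chain.pem

# Print host[:port] of a URL, for use as the HTTP Host header value.
ocsp_host() {
    _h=${1#*://}     # drop the scheme
    _h=${_h%%/*}     # drop the path
    _h=${_h##*@}     # drop any userinfo
    printf '%s\n' "$_h"
}

# Map an `openssl version` string to the -header syntax it accepts:
#   split  = -header Host value   (OpenSSL 1.0.x and older, as in the thread)
#   joined = -header Host=value   (OpenSSL 1.1.0 and later)
# Assumption: other builds (e.g. LibreSSL) follow the newer form.
header_style() {
    case $1 in
        "OpenSSL 0."*|"OpenSSL 1.0."*) echo split ;;
        *) echo joined ;;
    esac
}

check_ocsp() {
    _cert=$1 _chain=$2
    # Responder URL from the certificate's AIA extension (first one if several).
    _url=$(openssl x509 -in "$_cert" -noout -ocsp_uri | head -n 1)
    [ -n "$_url" ] || { echo "no OCSP URL in $_cert" >&2; return 1; }
    _host=$(ocsp_host "$_url")
    case $(header_style "$(openssl version)") in
        split)
            openssl ocsp -verify_other "$_chain" -issuer "$_chain" \
                -cert "$_cert" -text -url "$_url" -header "Host" "$_host" ;;
        joined)
            openssl ocsp -verify_other "$_chain" -issuer "$_chain" \
                -cert "$_cert" -text -url "$_url" -header "Host=$_host" ;;
    esac
}

# Only query when called with both file arguments.
if [ "$#" -eq 2 ]; then
    check_ocsp "$1" "$2"
fi
```

A `Code=400,Reason=Bad Request` from this script, with the Host header present, points at something other than the missing header seen in post #1.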

