Is there a rate limit on OCSP requests?



playing around with OCSP stapling in HAProxy, I have issued quite a few OCSP requests in a short time. Now I get

$ openssl ocsp -sha512 -noverify -issuer chain.pem -cert cert.pem -url -header Host
Responder Error: unauthorized (6)

Have I run into a rate limit or is there something else?

Edit: Also, what is the recommended interval for OCSP stapling? I was planning to run the script for all domains once per day.



I’m currently updating my OCSP responses every two hours, just because. The OCSP responses are handled by a CDN, so rate limits shouldn’t apply.


All I get is

Responder Error: unauthorized (6)

It would be nice to know what exactly causes this, as to not run into any problems later when this stuff is supposed to run in fire-and-forget mode.

Is this for one domain? Maybe very bursty requests are blocked off, in which case even updating once a week, but for a lot of domains, would also run into a limit. This is something I want to avoid.

Edit: Curiously, the server itself returns 200:

HTTP/1.0 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 5
Cache-Control: max-age=43167
Expires: Sat, 26 Dec 2015 07:26:52 GMT
Date: Fri, 25 Dec 2015 19:27:25 GMT
Connection: close

So the unauthorized message must come from a higher layer.


You’re probably getting this error because you are using sha512 to build the issuerKeyHash, which is not currently supported. Drop the -sha512 flag and you should be fine.

Once per day is an appropriate interval to update stapled OCSP responses. Fresh responses are available approximately every three days. More frequently is also fine, but not necessary.


Indeed, removing the -sha512 flag fixed this. Thanks.

However, if I move the -sha512 flag to the end of the line, it also works. Like so

$ openssl ocsp -noverify -issuer chain.pem -cert cert.pem -url -header Host -sha512

I will investigate a bit more. My guess it that the flag isn’t even honored at the end of the line.

Edit: Technically, if the OCSP response says this:

This Update: Dec 25 20:00:00 2015 GMT
Next Update: Jan  1 20:00:00 2016 GMT

would it be OK to say that any further OCSP requests before 2016-01-01 20:00 are essentially useless? So I can stretch the update interval beyond one day, up to a week? I just want to find the best balance.


Yep, you could wait until an hour or two before the Next Update timestamp before updating. I’d recommend updating at approximately (Next Update - This Update) / 2. That way you have a generous recovery window in case there’s any sort of outage when you go to fetch the latest OCSP. You might also be interested in Ryan Sleevi’s post about what would be useful from an OCSP stapling daemon: