Is there a rate limit on OCSP requests?

TCM · December 25, 2015, 5:41pm

Hi,

playing around with OCSP stapling in HAProxy, I have issued quite a few OCSP requests in a short time. Now I get

$ openssl ocsp -sha512 -noverify -issuer chain.pem -cert cert.pem -url http://ocsp.int-x1.letsencrypt.org/ -header Host ocsp.int-x1.letsencrypt.org
Responder Error: unauthorized (6)

Have I run into a rate limit or is there something else?

Edit: Also, what is the recommended interval for OCSP stapling? I was planning to run the script for all domains once per day.

Thx

kerio · December 25, 2015, 6:10pm

I’m currently updating my OCSP responses every two hours, just because. The OCSP responses are handled by a CDN, so rate limits shouldn’t apply.

TCM · December 25, 2015, 7:29pm

All I get is

Responder Error: unauthorized (6)

It would be nice to know what exactly causes this, as to not run into any problems later when this stuff is supposed to run in fire-and-forget mode.

Is this for one domain? Maybe very bursty requests are blocked off, in which case even updating once a week, but for a lot of domains, would also run into a limit. This is something I want to avoid.

Edit: Curiously, the server 194.25.94.194 itself returns 200:

HTTP/1.0 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 5
Cache-Control: max-age=43167
Expires: Sat, 26 Dec 2015 07:26:52 GMT
Date: Fri, 25 Dec 2015 19:27:25 GMT
Connection: close

So the unauthorized message must come from a higher layer.

jsha · December 25, 2015, 9:50pm

You’re probably getting this error because you are using sha512 to build the issuerKeyHash, which is not currently supported. Drop the -sha512 flag and you should be fine.

Once per day is an appropriate interval to update stapled OCSP responses. Fresh responses are available approximately every three days. More frequently is also fine, but not necessary.

TCM · December 25, 2015, 10:06pm

Indeed, removing the -sha512 flag fixed this. Thanks.

However, if I move the -sha512 flag to the end of the line, it also works. Like so

$ openssl ocsp -noverify -issuer chain.pem -cert cert.pem -url http://ocsp.int-x1.letsencrypt.org/ -header Host ocsp.int-x1.letsencrypt.org -sha512

I will investigate a bit more. My guess it that the flag isn’t even honored at the end of the line.

Edit: Technically, if the OCSP response says this:

This Update: Dec 25 20:00:00 2015 GMT
Next Update: Jan  1 20:00:00 2016 GMT

would it be OK to say that any further OCSP requests before 2016-01-01 20:00 are essentially useless? So I can stretch the update interval beyond one day, up to a week? I just want to find the best balance.

jsha · December 26, 2015, 6:36pm

Yep, you could wait until an hour or two before the Next Update timestamp before updating. I’d recommend updating at approximately (Next Update - This Update) / 2. That way you have a generous recovery window in case there’s any sort of outage when you go to fetch the latest OCSP. You might also be interested in Ryan Sleevi’s post about what would be useful from an OCSP stapling daemon: https://gist.github.com/sleevi/5efe9ef98961ecfb4da8.