ISRG Root OCSP X1 expired

See the current partial service disruption:

Our delegated OCSP signing certificate ‘OCSP Root-X1’ has expired, causing OCSP validation errors for TLS clients building chains to ISRG Root X1.

(No direct link for source except at the moment.)

I’m quite interested to read the post mortem analysis. How could this have happened?

Also, and more the reason for this thread — anyone got statistics on how many users could be affected by this? It only affects sites/services which are chaining to the ISRG root, so only custom configured sites/services are affected. And also only users/clients which are actually requesting OCSP queries for the intermediate certificate are obviously affected?

Would anyone like to take a hit at a ballpark guess?


The incident has been remediated and the status page has been updated accordingly.

We will hold an internal post-mortem and provide an incident report soon.


How is that possible? The IdenTrust cross-signed intermediate doesn’t contain an OCSP URI in its Authority Information Access section? :thinking:

FWIW, it might make sense to start publishing the expiry dates of everything on the /certificates page in plaintext. That would leverage the community members as an extra warning to notice any forthcoming expiries.


Publishing expiry dates, or even better: have some kind of monitoring to warn before certificates expire :slight_smile: I know, hindsight 20/20, but…I’m somewhat confused that this happened here: that’s the only other thing a CA has to take care of, right? Issuing certificates and making sure its own certificates do not expire? Anyway, thanks for the update and the incident report!

As @jillian stated in the post mortem, there is a monitoring system in place. It just didn’t cover the OCSP cert.

