ISRG Root OCSP X1 expired

See the current partial service disruption:

Our delegated OCSP signing certificate ‘OCSP Root-X1’ has expired, causing OCSP validation errors for TLS clients building chains to ISRG Root X1.

(No direct link for source except https://letsencrypt.status.io/ at the moment.)

I’m quite interested to read the post mortem analysis. How could this have happened?

Also, and more the reason for this thread — anyone got statistics on how many users could be affected by this? It only affects sites/services which are chaining to the ISRG root, so only custom configured sites/services are affected. And also only users/clients which are actually requesting OCSP queries for the intermediate certificates are obviously affected?

Would anyone like to take a hit at a ballpark guess?

9 Likes

The incident has been remediated and the status page has been updated accordingly.

We will hold an internal post-mortem and provide an incident report soon.

6 Likes

How is that possible? The IdenTrust cross-signed intermediate doesn’t contain an OCSP URI in its Authority Information Access section? :thinking:

FWIW, it might make sense to start publishing the expiry dates of everything on the /certificates page in plaintext. That would leverage the community members as an extra warning to notice any forthcoming expiries.

1 Like

Publishing expiry dates, or even better: have some kind of monitoring to warn before certificates expire :slight_smile: I know, hindsight 20/20, but…I’m somewhat confused that this happened here: that’s the only other thing a CA has to take care of, right? Issuing certificates and making sure its own certificates do not expire? Anyway, thanks for the update and the incident report!

As @jillian stated in the post mortem, there is a monitoring system in place. It just didn’t cover the OCSP cert.
