ISRG root test pages do not use OCSP stapling

Osiris · December 22, 2016, 12:30pm

The Let’s Encrypt certificate page show a few “test pages” for a few possible scenarios with regard of the end leaf certificate.

Among those, there’s a test page for a revoked leaf certificate: https://revoked-isrgrootx1.letsencrypt.org/

Unfortunately, this page works perfectly in Chrome. This because Chrome doesn’t query for OCSP responses by default, because this is cause for privacy infractions, among others.

And… The Let’s Encrypt server doesn’t use OCSP Stapling… :

osiris@desktop ~ $ openssl s_client -connect revoked-isrgrootx1.letsencrypt.org:443 -servername revoked-isrgrootx1.letsencrypt.org -status
CONNECTED(00000003)
OCSP response: no response sent
...

So… My question to the Let’s Encrypt technical staff:

Is OCSP Stapling disabled with a reason?
If so, what’s that reason?

By the way: someone renewed the “”“expired”"" certificate :

osiris@desktop ~ $ echo -n "" | openssl s_client -connect expired-isrgrootx1.letsencrypt.org:443 -servername expired-isrgrootx1.letsencrypt.org 2>/dev/null | openssl x509 -noout -text | grep -E "Not After|DNS"
            Not After : Feb 15 01:13:00 2017 GMT
                DNS:expired-isrgrootx1.letsencrypt.org
osiris@desktop ~ $

cpu · December 22, 2016, 3:10pm

I'm not aware of any specific reason. I put in a ticket with our operations team to see about enabling it but its a low priority item behind lots of immediately pressing ones . Thanks for the suggestion.

Oops! I opened a ticket for this as well. Thanks for catching that.

Osiris · December 22, 2016, 3:25pm

Understandable Perhaps a temporary warning on the page itself about OCSP Stapling would make sense?

cpu · December 22, 2016, 3:29pm

That's a useful suggestion too - thank you! I'll see whether that can be done with more expedience.

cpu · December 22, 2016, 4:31pm

We both missed some text on the expired page :

NOTE: We know that this certificate has not yet expired. On 14 Feb 2017 the certificate will be expired and this site will properly demonstrate an expired certificate.

We're deliberately waiting that one out - the policies we're audited under won't allow us to sign a deliberately expired certificate.

Osiris · December 22, 2016, 4:39pm

Whoops.. Missed that indeed

cpu · December 22, 2016, 6:24pm

I submitted a PR to add the note you suggested. Thanks!

system · January 21, 2017, 6:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.