OCSP ERROR: Exception: connect timed out [http://ocsp.int-x3.letsencrypt.org/]


#1

Hi,

We have our certificate up and running/working but have some users stating that they cannot get onto the site. We tried an SSLLabs test and it comes up a+ except for:

in section ‘Server Key and Certificate #1

Revocation status
Validation error
OCSP ERROR: Exception: connect timed out [http://ocsp.int-x3.letsencrypt.org/]
OCSP ERROR: Exception: connect timed out [http://ocsp.int-x3.letsencrypt.org/]

And in section ‘Certification Paths’

RSA 4096 bits (e 65537) / SHA256withRSA
OCSP ERROR: Exception: connect timed out [http://ocsp.int-x3.letsencrypt.org/]
OCSP ERROR: Exception: connect timed out [http://ocsp.int-x3.letsencrypt.org/]

Does anyone have any advice as to what this might be and how we might resolve? We are at a loss.

Any help greatly appreciated. Really don’t understand what we should change.


#2

The OCSP server is what (some) browsers contact to check if a certificate was revoked or not. Based on those results, it looks like the OCSP service suffered a short outage. They’re currently online and I didn’t find any mentions of an outage on the status page, so this was most likely just a temporary glitch. Either way, I’d be curious if the error goes away if you retry the test (“Clear cache” at the top of the results page).

A failing OCSP server would not typically cause visitors not to be able to get to the site, as OCSP is “soft-fail”, meaning if the OCSP server is down, browsers will just assume the certificate has not been revoked. This could cause the browser to hang a bit (a few seconds), but after that, visiting the site should be possible. There’s one small exception to this, namely if you’re using the OCSP Must-Staple extension in your certificate and the users that have problems are all using Firefox. If you’ve never heard of OCSP Must-Staple, you’re not using it, as it’s not enabled by default.

You probably need more details to figure out why the site is failing for some users - the specific error messages, their browsers and versions, whether they’re using some corporate proxy (these sometimes have severely outdated TLS clients that fail to connect to servers with modern cipher suites), etc.


#3

You are an absolute superstar, I am so very grateful. So that is gone and all OK. :slight_smile:

Now that has allowed me to identify that we have a redirection issue from https://www to https://(no www) but we can resolve that so I think we are good!

Thanks again for the detailed response, fantastic. Made my day.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.