Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
openssl ocsp -no_nonce -resp_text -url 'http://lencr.org' -header Host='lencr.org' -respout kalasa.org.ocsp -issuer isrg-root-ocsp-x1.pem -cert kalasaorg.pem
It produced this output:
Error querying OCSP responder
4580908544:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=308,Reason=Permanent Redirect
My web server is (include version):
apache behind nginx neilpang/letsproxy
The operating system my web server runs on is (include version):
neilpang/letsproxy, docker on ubuntu EC2
My hosting provider, if applicable, is:
aws, Route53 for dns
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I use acme.sh
Let's Encrypt certificate is working and I can access the website on Chrome. Firefox displays an error for OCSP. I'm trying to create an ssl_tampling_file but still getting an error.
What is the right command for creating ssl_tampling_file? What is the right URL? I used http://lencr.org but get the error "Code=308,Reason=Permanent Redirect".
Thanks so much.
You shouldn't hardcode the URL as it may change, but in general it'll be of the form http://INTERMEDIATE.o.lencr.org; for example it may be http://r5.o.lencr.org.
You're probably referring to ssl_stapling_file, an nginx configuration option. Assuming you're using this, nginx is indeed your web server.
However, manually obtaining OCSP responses and serving them with nginx is a highly advanced configuration, which I would not recommend. nginx is perfectly capable of self-obtaining stapled OCSP responses.
You should re-check your configuration. From the outside, we currently see a self signed certificate, not a Let's Encrypt certificate. Which error message do you get on Firefox exactly?
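As an added example (not from any post in this thread), this is the nginx server block the advice above amounts to: automatic stapling with verification, and the manual ssl_stapling_file route shown commented out. File paths, the server_name and the resolver address are placeholders, and chain.pem is assumed to hold the issuing intermediate.

```nginx
# Added example, not from the thread. All paths and the resolver address
# are placeholders; adjust to where acme.sh installs your files.
server {
    listen 443 ssl;
    server_name kalasa.org;

    ssl_certificate     /etc/ssl/kalasa/fullchain.pem;   # leaf + intermediate
    ssl_certificate_key /etc/ssl/kalasa/key.pem;

    # Recommended: let nginx fetch the OCSP response itself. It reads the
    # responder URL from the certificate's AIA extension, so no responder
    # URL is hard-coded here and an intermediate change needs no edit.
    ssl_stapling on;

    # Verify the fetched response against the chain. ssl_trusted_certificate
    # must contain the intermediate that issued the leaf (and may include
    # the root); without it ssl_stapling_verify has nothing to check against.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/kalasa/chain.pem;

    # nginx resolves the responder hostname with its own resolver setting,
    # not /etc/resolv.conf. Placeholder address: use your local resolver.
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;

    # Caveat: nginx fetches the response lazily after a handshake, so the
    # first client connection (and the first after expiry) gets no staple.

    # Manual alternative, i.e. what the question was trying to set up.
    # The file must be a DER-encoded OCSP response for the leaf, refreshed
    # before it expires (a cron job). Take the URL from the certificate and
    # pass the issuing intermediate, not the root, as -issuer:
    #   URL=$(openssl x509 -in cert.pem -noout -ocsp_uri)
    #   openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem \
    #       -url "$URL" -respout stapled.der
    # ssl_stapling_file /etc/ssl/kalasa/stapled.der;
}
```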
IIRC nginx does OCSP stapling as a cache, not mandated (the first person to visit when the stapled response is expired will not get a stapled response), if they haven't fixed that in the last few years.
It is known that nginx's OCSP handling is less than ideal (which is one of the reasons I migrated my stuff to Caddy). There's this issue filed by Jacob 8 years ago, but there's not been much movement since then.