OCSP issue with cert issued from E5

My domain is: sugarmail.app

I ran this command:

certbot --cert-name sugarmail --key-type ecdsa renew

It produced this output:

Generated the certificate for sugarmail.app

My web server is (include version): HAProxy, Go, nginx

The operating system my web server runs on is (include version): Debian 12.5

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): I ran certbot on my local machine, Ubuntu 24.04 (and yes I can log into my production servers), the certificate is not deployed yet.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0


Now the question

I am unable to verify OCSP for the new certificate using this command:

openssl ocsp -issuer ./ssl/sugarmail/issuer.pem -cert ocsp.pem -url http://e5.o.lencr.org -no_nonce -text

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 1E11C0C9ACFDA453EF4B2F6A732115604D54ADB9
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 04C33CCF6AE2540DC1ED3B782227001282F0
Responder Error: unauthorized (6)

The OCSP URL is extracted from the certificate.

I notice that today's certificate was issued from E5 and all my previous certificates were issued from R3. Previously, OCSP validation using the same exact command worked (produced OK).

I'm wondering if there is an issue with the new E5 OCSP validation service.

What's strange is that when I use the "Check OCSP" button on the crt.sh site, it validates OK - so I'm only having the issue when trying to validate using the openssl command I've given above.

This is the same exact command from the web server where the previous version of the certificate - issued from R3 - is currently deployed:

openssl ocsp -issuer issuer.pem -cert complete.pem -url http://r3.o.lencr.org -no_nonce -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 03E17280F5EA642B436036BF06E5841B8A7E
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jun 28 00:51:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 03E17280F5EA642B436036BF06E5841B8A7E
    Cert Status: good

Is issuer.pem the E5 cert?

What's the contents of this ocsp.pem? It's not generated by Certbot.

Ah good catch!

I was downloading the issuer from http://r3.i.lencr.org/

Changed to http://e5.i.lencr.org/ and validation is working, thank you so much!

Oh, it was just a copy of complete.pem, but that was not the issue.

I also don't know any complete.pem, but hey, if you found the fix elsewhere 🤷
