OCSP moved permanently response

I am trying to generate a hitch-compatible .der OCSP file with:

openssl ocsp -url http://ocsp.int-x3.letsencrypt.org \
                      -header Host ocsp.int-x3.letsencrypt.org \
                      -no_nonce -resp_text \
                      -issuer /etc/letsencrypt/live/xxx.xxxxxxxxx.xxx/chain.pem \
                      -cert /etc/letsencrypt/live/xxx.xxxxxxxxx.xxx/cert.pem \
                      -respout /etc/hitch/ocsp/xxx.xxxxxxxxx.xxx-ocsp.der

The response:

Error querying OCSP responder
139902792488600:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=301,Reason=Moved Permanently

If I try on another server it works ok.
What am I doing wrong?

Also, this may be useful:

dig ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.11.0-P5 <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3542
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 10

; EDNS: version: 0, flags:; udp: 4096
;ocsp.int-x3.letsencrypt.org. IN A

ocsp.int-x3.letsencrypt.org. 281 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 20676 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 20 IN A
a771.dscq.akamai.net. 20 IN A

dscq.akamai.net. 3076 IN NS n2dscq.akamai.net.
dscq.akamai.net. 3076 IN NS a0dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n0dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n5dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n4dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n7dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n6dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n1dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n3dscq.akamai.net.

a0dscq.akamai.net. 5076 IN AAAA 2600:1480:e800::c0
n0dscq.akamai.net. 3611 IN A
n1dscq.akamai.net. 5215 IN A
n2dscq.akamai.net. 3076 IN A
n3dscq.akamai.net. 5076 IN A
n4dscq.akamai.net. 7076 IN A
n5dscq.akamai.net. 3076 IN A
n6dscq.akamai.net. 5076 IN A
n7dscq.akamai.net. 7076 IN A

;; Query time: 11 msec
;; WHEN: Tue Jun 20 14:24:15 EEST 2017
;; MSG SIZE rcvd: 519

Are you sure you’re really hitting the OCSP server? Not a malfunctioning proxy or a different IP in /etc/hosts or something?

Where does it redirect? What does “curl -v http://ocsp.int-x3.letsencrypt.org/” show?
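The suggestion above is the right diagnostic: `openssl ocsp` POSTs an `application/ocsp-request` body and gives up as soon as the first response line is not `200`, so the `Code=301` error hides who actually answered. The following script is an added example (not code from this thread or from OpenSSL) that makes the same probe with only the Python standard library and reports the status, reason and `Location` header instead of aborting. The request body is a constructed placeholder, not a real OCSP request, and the local fake server in `start_fake_server` exists only so the probe can be exercised offline; point `probe_ocsp_endpoint` at a real responder URL to use it for real.

```python
"""Probe an OCSP responder URL the way `openssl ocsp` does (HTTP POST with an
application/ocsp-request body) and report what actually came back.
Added example, not part of the thread or of OpenSSL."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed placeholder body (NOT a valid OCSPRequest).  For the purpose of
# this probe the body does not matter: a genuine responder answers with 200
# and an application/ocsp-response body (even if only "malformedRequest"),
# while a proxy or cache that has inserted itself answers with a redirect.
PLACEHOLDER_REQUEST = b"\x30\x03\x02\x01\x00"


def probe_ocsp_endpoint(url, timeout=10):
    """POST to `url` and return status, reason, Location and Content-Type."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=PLACEHOLDER_REQUEST,
                     headers={"Host": host,
                              "Content-Type": "application/ocsp-request"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return {"status": resp.status,
                "reason": resp.reason,
                "location": resp.getheader("Location"),
                "content_type": resp.getheader("Content-Type")}
    finally:
        conn.close()


def diagnose(result):
    """Turn the probe result into a one-line verdict."""
    ctype = result["content_type"] or ""
    if result["status"] == 200 and ctype.startswith("application/ocsp-response"):
        return "ocsp responder reachable"
    if 300 <= result["status"] < 400:
        return ("redirect to %s: something between this host and the "
                "responder (proxy, cache, /etc/hosts entry) is answering "
                "instead of the OCSP server" % result["location"])
    return "unexpected %d %s" % (result["status"], result["reason"])


def start_fake_server(status, headers, body=b""):
    """Local stand-in for whatever answers the POST (constructed test fixture).
    Returns (server, url); call server.shutdown() when done."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(status)
            for name, value in headers.items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


if __name__ == "__main__":
    # Scenario 1: a cache/proxy in the path answers the POST with a 301,
    # which is what `openssl ocsp` reports as PARSE_HTTP_LINE1 Code=301.
    srv, url = start_fake_server(301, {"Location": "http://cache.example/"})
    print(diagnose(probe_ocsp_endpoint(url)))
    srv.shutdown()
    # Scenario 2: a real responder answers 200 with an OCSP response body.
    srv, url = start_fake_server(200, {"Content-Type": "application/ocsp-response"})
    print(diagnose(probe_ocsp_endpoint(url)))
    srv.shutdown()
```

Running the probe against the responder URL from an affected host and from a host where `openssl ocsp` works, then comparing the `Location` header, shows immediately whether the redirect comes from the responder itself or from an intermediary such as the Varnish cache described later in this thread.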

Thanks for the hints. Turns out that a weird rule on my firewall was forcing outgoing traffic through the varnishd cache server in the network. I have fixed it by correcting that rule, so I can now use the OCSP server.

mnordhoff, thx for the hint.
