OCSP moved permanently response

I am trying to generate a hitch-compatible .der ocsp file with:

openssl ocsp -url http://ocsp.int-x3.letsencrypt.org \
    -header Host ocsp.int-x3.letsencrypt.org \
    -no_nonce -resp_text \
    -issuer /etc/letsencrypt/live/xxx.xxxxxxxxx.xxx/chain.pem \
    -cert /etc/letsencrypt/live/xxx.xxxxxxxxx.xxx/cert.pem \
    -respout /etc/hitch/ocsp/xxx.xxxxxxxxx.xxx-ocsp.der

The response:

Error querying OCSP responder
139902792488600:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=301,Reason=Moved Permanently

If I try on another server it works ok.
What am I doing wrong?

Also, this may be useful:

dig ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.11.0-P5 <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3542
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org. IN A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 281 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 20676 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net. 20 IN A 213.140.213.171
a771.dscq.akamai.net. 20 IN A 213.140.213.169

;; AUTHORITY SECTION:
dscq.akamai.net. 3076 IN NS n2dscq.akamai.net.
dscq.akamai.net. 3076 IN NS a0dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n0dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n5dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n4dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n7dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n6dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n1dscq.akamai.net.
dscq.akamai.net. 3076 IN NS n3dscq.akamai.net.

;; ADDITIONAL SECTION:
a0dscq.akamai.net. 5076 IN AAAA 2600:1480:e800::c0
n0dscq.akamai.net. 3611 IN A 217.27.50.197
n1dscq.akamai.net. 5215 IN A 88.221.81.193
n2dscq.akamai.net. 3076 IN A 213.140.213.167
n3dscq.akamai.net. 5076 IN A 217.27.50.197
n4dscq.akamai.net. 7076 IN A 195.14.151.151
n5dscq.akamai.net. 3076 IN A 213.140.213.172
n6dscq.akamai.net. 5076 IN A 195.14.151.150
n7dscq.akamai.net. 7076 IN A 195.14.151.145

;; Query time: 11 msec
;; SERVER: 213.140.209.226#53(213.140.209.226)
;; WHEN: Tue Jun 20 14:24:15 EEST 2017
;; MSG SIZE rcvd: 519

Are you sure you’re really hitting the OCSP server? Not a malfunctioning proxy or a different IP in /etc/hosts or something?

Where does it redirect? What does “curl -v http://ocsp.int-x3.letsencrypt.org/” show?
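One way to run the check suggested above and read the answer mechanically: fetch the responder's headers with the same explicit Host header the question uses, then classify the status line. This is an added example, not code from the thread or from OpenSSL/hitch; the sample header blocks are constructed, and treating a `Via`/`X-Varnish`/`X-Cache` header on a 3xx as a sign of an intercepting cache is a heuristic assumption.

```bash
#!/usr/bin/env bash
# Diagnose why "openssl ocsp" gets a non-200 status from an OCSP responder.
# A 3xx from an OCSP URL usually means something between the client and the
# responder (transparent proxy, cache, /etc/hosts override) answered instead.
set -u

# Classify raw HTTP response headers as captured by `curl -D -`.
# Prints: ok | redirect:<Location> | proxy-redirect:<Location> | error:<code>
classify_ocsp_probe() {
    local headers="$1" code location via
    code=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r' | head -n1)
    # Headers typically added by HTTP caches/proxies such as Varnish (heuristic).
    via=$(printf '%s\n' "$headers" | grep -i -E '^(via|x-varnish|x-cache):' | head -n1)
    case "$code" in
        200) echo "ok" ;;
        30[1278])
            if [ -n "$via" ]; then
                echo "proxy-redirect:${location}"
            else
                echo "redirect:${location}"
            fi ;;
        "") echo "error:no-status-line" ;;
        *) echo "error:${code}" ;;
    esac
}

# Probe a live responder: GET the URL, keep only the response headers
# (-D - writes them to stdout, -o /dev/null drops the body), then classify.
probe_ocsp_responder() {
    local url="$1" host
    host=$(printf '%s' "$url" | sed -E 's#^https?://([^/]+).*#\1#')
    classify_ocsp_probe "$(curl -sS --max-time 10 -o /dev/null -D - \
        -H "Host: $host" "$url" 2>/dev/null)"
}

# Constructed samples (not captured from the real responder).
SAMPLE_VARNISH_301=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.invalid/\r\nX-Varnish: 32770\r\nVia: 1.1 varnish\r\n')
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n')

# Usage: ./ocsp_probe.sh --probe http://ocsp.int-x3.letsencrypt.org/
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    probe_ocsp_responder "$2"
fi
```

A `proxy-redirect:` result points at the network path rather than at the certificate or the openssl invocation, which is the distinction the 301 in the question hinges on.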

Thanks for the hints. Turns out that a weird rule on my firewall was forcing outgoing traffic through the varnishd cache server in the network. I have fixed it by correcting that rule, so I can now use the OCSP server.

mnordhoff, thx for the hint.
