OCSP not working any longer

When I upgraded to 2.11, my OCSP auto-update script went wrong;
it can't get the OCSP response data.

The script is like:
/usr/bin/openssl ocsp -no_nonce -text -issuer chain.pem -cert cert.pem -url http://r3.o.lencr.org/

It returns:
Responder Error: unauthorized (6)

But for some old certs (issued by Certbot version 2.10), the same script gets the OCSP response OK.

@psh2000 I've moved your post into its own thread, as this (almost certainly) has nothing to do with Certbot, as Certbot simply gets certs from the CA and cannot modify the contents in any way.

Are you sure the failing cert was issued by R3? Two days ago, Let's Encrypt changed the intermediates used for signing the certs. See Deploying Let's Encrypt's New Issuance Chains for more info.


I'm very sorry. I just learned that every time a certificate is issued or renewed, the corresponding OCSP response server may change.

The correct way should be through the command:
/usr/bin/openssl x509 -in cert.pem -ocsp_uri -noout

It will print the cert's OCSP server URL, for example http://e6.o.lencr.org;
the old cert's may be http://r3.o.lencr.org.

And then use the openssl ocsp command to get the OCSP response file:

/usr/bin/openssl ocsp -no_nonce -respout ocsp.resp -issuer chain.pem -cert cert.pem -url [OCSP_Response_Server]

So it's my problem. Thanks!


You can probably also combine both options:

/usr/bin/openssl ocsp -no_nonce -respout ocsp.resp -issuer chain.pem -cert cert.pem -url $(/usr/bin/openssl x509 -in cert.pem -ocsp_uri -noout)
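
Putting the two replies above together as a complete, runnable script (added here as an example; it is not the original poster's script nor anything from Certbot or Let's Encrypt). It assumes the file names used in the thread (cert.pem, chain.pem, ocsp.resp), reads the responder URL from the certificate's AIA extension instead of hard-coding r3.o.lencr.org, checks that the response verifies and says "good", and includes an offline self-test that builds a throwaway CA with a hypothetical responder URL of http://ocsp.example.test so the URL extraction can be exercised without network access:

```shell
#!/bin/sh
# Added example for this thread, not the poster's script: fetch an OCSP
# response using the responder URL carried in the certificate's own
# Authority Information Access (AIA) extension, so a renewal that moves the
# cert from the R3 to the E6 intermediate (and from r3.o.lencr.org to
# e6.o.lencr.org) keeps working. Requires only the openssl CLI.
set -eu

# Print the first OCSP responder URL from the certificate's AIA extension.
# Fails (non-zero) when the certificate carries no OCSP URI at all.
ocsp_uri() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri | head -n 1)
    [ -n "$uri" ] || { echo "no OCSP URI in $1" >&2; return 1; }
    printf '%s\n' "$uri"
}

# Fetch the OCSP response for cert $1, issued by the chain in $2, and write
# it in DER form to $3 (usable as an nginx ssl_stapling_file). -no_nonce is
# needed because Let's Encrypt serves pre-generated responses. The chain file
# is also passed as -CAfile so openssl verifies the responder's signature
# against the intermediate rather than the system trust store. Querying the
# wrong responder is what produces "Responder Error: unauthorized (6)"; that
# non-zero exit aborts the script under set -e.
fetch_ocsp() {
    cert=$1; issuer=$2; out=$3
    url=$(ocsp_uri "$cert")
    status=$(openssl ocsp -no_nonce -issuer "$issuer" -cert "$cert" \
        -CAfile "$issuer" -url "$url" -respout "$out")
    case $status in
        *": good"*) printf 'OCSP for %s via %s written to %s\n' "$cert" "$url" "$out" ;;
        *) printf 'unexpected OCSP status for %s: %s\n' "$cert" "$status" >&2
           return 1 ;;
    esac
}

# Build a throwaway CA and two leaf certs (constructed test data, not real
# Let's Encrypt certs) so ocsp_uri can be exercised offline: cert.pem carries
# the hypothetical AIA OCSP URI http://ocsp.example.test, noaia.pem carries
# none. $1 is a scratch directory.
make_test_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/cert.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/noaia.pem" 2>/dev/null
}

# Usage: ./ocsp-fetch.sh cert.pem chain.pem ocsp.resp
if [ "$#" -eq 3 ]; then
    fetch_ocsp "$1" "$2" "$3"
fi
```

The script fails closed: a certificate without an AIA OCSP URI, a responder error, a response that does not verify against the chain, or a status other than "good" all leave a non-zero exit instead of silently reusing a stale ocsp.resp, which is the behaviour you want from anything a cron job feeds into a stapling file.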
