OCSP on ocsp.staging-x1.letsencrypt.org broken?

TCM · February 25, 2016, 11:19am

Hi,

I’m trying to do OCSP stapling on the staging API.

Client does:

POST / HTTP/1.0
Host: ocsp.staging-x1.letsencrypt.org
Content-Type: application/ocsp-request
Content-Length: 86

Server replies:

HTTP/1.0 200 OK
Server: nginx
Content-Type: text/html
Content-Length: 2183
Last-Modified: Thu, 10 Sep 2015 21:07:14 GMT
ETag: "55f1f102-887"
Accept-Ranges: bytes
Cache-Control: max-age=42219
Expires: Thu, 25 Feb 2016 22:55:54 GMT
Date: Thu, 25 Feb 2016 11:12:15 GMT
Connection: close

<!DOCTYPE html>

<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content=
  "width=device-width, initial-scale=1">

  <title>Boulder: The Let's Encrypt CA</title>
  <link href=
  "//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css"
  rel="stylesheet" type="text/css">
  <link href=
  "//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css"
  rel="stylesheet" type="text/css">
</head>
[...]

Then of course, OpenSSL:

Error querying OCSP responder

Am I doing something horribly wrong here? Is this supposed to work at all?

Osiris · February 25, 2016, 11:29am

Nope, it’s busted here too…

For the record, the -header option wasn’t forgotten:

openssl ocsp -issuer 0004_chain.pem -cert 0004_cert.pem -text -url http://ocsp.staging-x1.letsencrypt.org/ -header "Host" "ocsp.staging-x1.letsencrypt.org"

TCM · February 25, 2016, 12:35pm

Yeah, you can tell from the Host: header in the client POST.

jsha · March 12, 2016, 3:43am

Sorry for the delay, just saw this. Yes, it looks like OCSP via POST to the staging server is broken. I’ll get it fixed. OCSP via GET on the staging server still works.