There is a specific host of r3.o.lencr.org that is blocked in mainland China, when the DNS resolution to 184.50.87.27 (Akamai HK).
Can you check it out?
Maybe something similar to Ocsp.int-x3.letsencrypt.org is not working in China - #32 by ezekiel
meanwhile you wait for staff to fix that, try stapling OCSP response (you don't say what's your webserver is so I can't say how to do that)
2 Likes
That probably won't work either if the webserver is in China.
1 Like
I assume vpn is standard practice for devs in chain: github is blocked there
2 Likes
For dev machines, I think. But for production servers?
2 Likes
thanks for the advice, but I already staple. It is my IoT client that insists having an available OCSP responder
1 Like
Perhaps you could use a hosts file on the IoT client to redirect r3.o.lencr.org/ to a caching OCSP proxy you control?
2 Likes
I didn't put a hosts editing functionality in my IoT.
btw, even though my stack is taking the responder availability quite hard, that doesn't mean that web browsers are not affected. The responder is expected to work even with stapling
Updating here that I opened a ticket with Akamai.
r3.o.lencr.org is served by Akamai's CDN (property o.lencr.edgesuite.net) both in China and the RoW.
I'm running tests to see what is the exact resolution path of r3.o.lencr.org to 184.50.87.27
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.