There is a specific host of r3.o.lencr.org that is blocked in mainland China, when the DNS resolution is to 126.96.36.199 (Akamai HK).
Can you check it out?
Maybe something similar to "Ocsp.int-x3.letsencrypt.org is not working in China - #32 by ezekiel"
Meanwhile, while you wait for staff to fix that, try stapling the OCSP response (you don't say what your webserver is, so I can't say how to do that).
That probably won't work either if the webserver is in China.
I assume VPN is standard practice for devs in China: GitHub is blocked there.
For dev machines, I think. But for production servers?
Thanks for the advice, but I already staple. It is my IoT client that insists on having an available OCSP responder.
Perhaps you could use a hosts file on the IoT client to redirect r3.o.lencr.org/ to a caching OCSP proxy you control?
a caching ocsp proxy. It accepts ocsp requests from any client, e.g. an ssl-webserver, and forwards the request to the corresponding ocsp responders or returns the ocsp response from cache. Can be ...
I didn't put hosts-editing functionality in my IoT.
BTW, even though my stack is taking the responder availability quite hard, that doesn't mean that web browsers are not affected. The responder is expected to work even with stapling.
Updating here that I opened a ticket with Akamai.
r3.o.lencr.org is served by Akamai's CDN (property o.lencr.edgesuite.net) both in China and the RoW.
I'm running tests to see what the exact resolution path of r3.o.lencr.org to 188.8.131.52 is.