OCSP requests returning "unauthorised"

Hello,
I recently purchased a certificate from Let’s Encrypt successfully. Upon trying to fetch the OCSP response (which is done automatically, immediately after certificate purchase), I’m getting the error “unauthorised”. However, when I perform the same operation after a while, say an hour, the OCSP response is obtained successfully.

I would like to know if I should expect a delay between certificate issuance and availability of OCSP information of that certificate.

Thanks in advance.

There’s a small delay between the time Let’s Encrypt signs the certificate and the first OCSP response, usually < 1s. Adding a 1-2s delay for the first attempt and having some retry logic in place should avoid this issue.

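The retry logic suggested above, written out as an added example (this is not code from the thread, from Let’s Encrypt or from Boulder). It parses only the outer OCSPResponse envelope from RFC 6960 section 4.2.1 (the responseStatus ENUMERATED and the raw responseBytes), treats "unauthorized", "tryLater" and "internalError" as transient, waits before the first attempt and backs off exponentially. The `fetch` callable stands in for the HTTP POST to the responder, and the two DER samples are constructed: the "unauthorized" one is the complete 5-byte answer a responder gives for a certificate it does not know yet, while the "successful" one carries an empty OCTET STRING where a real BasicOCSPResponse would be, since verifying that part is out of scope here.

```python
"""Retry a freshly issued certificate's OCSP fetch until the responder answers.

Added example, not code from the forum thread, Let's Encrypt or Boulder.
Only the outer OCSPResponse (RFC 6960 section 4.2.1) is parsed here; the
fetcher callable, the backoff parameters and the DER samples are assumptions.
"""
import time
from typing import Callable, List, Optional, Tuple

# OCSPResponseStatus ENUMERATED values from RFC 6960 section 4.2.1 (4 is unused).
OCSP_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}
# A responder that has not yet loaded the new certificate answers "unauthorized"
# (or "tryLater"); right after issuance these are worth retrying, the rest are not.
RETRYABLE = {"internalError", "tryLater", "unauthorized"}


def _read_tlv(data: bytes, offset: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at offset and return (tag, value, offset after it)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, offset + length


def parse_ocsp_response(der: bytes) -> Tuple[str, Optional[bytes]]:
    """Return (responseStatus name, raw responseBytes or None).

    OCSPResponse ::= SEQUENCE {
        responseStatus  OCSPResponseStatus,
        responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, status_val, off = _read_tlv(body, 0)
    if tag != 0x0A or len(status_val) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    status = OCSP_STATUS.get(status_val[0], f"unknown({status_val[0]})")
    response_bytes = None
    if off < len(body):
        tag, response_bytes, _ = _read_tlv(body, off)
        if tag != 0xA0:
            raise ValueError("expected [0] EXPLICIT responseBytes")
    if status == "successful" and response_bytes is None:
        raise ValueError("successful status without responseBytes")
    return status, response_bytes


def fetch_with_retry(fetch: Callable[[], bytes], attempts: int = 5,
                     initial_delay: float = 1.0, max_delay: float = 30.0,
                     sleep: Callable[[float], None] = time.sleep) -> Tuple[bytes, int]:
    """Call fetch() until it yields a successful OCSPResponse.

    Waits initial_delay before the first attempt (1-2 s after issuance, as
    suggested in the thread), then doubles the wait on each retryable status.
    Returns (der, attempts_used); raises RuntimeError when attempts run out
    and ValueError on a non-retryable status such as malformedRequest.
    """
    delay = initial_delay
    status = "unknown"
    for attempt in range(1, attempts + 1):
        sleep(delay)
        der = fetch()
        status, _ = parse_ocsp_response(der)
        if status == "successful":
            return der, attempt
        if status not in RETRYABLE:
            raise ValueError(f"OCSP responder answered {status}; not retrying")
        delay = min(delay * 2, max_delay)
    raise RuntimeError(f"OCSP still {status} after {attempts} attempts")


# Constructed sample: the complete DER of an "unauthorized" answer,
# SEQUENCE { ENUMERATED 6 }, i.e. the 5-byte response mentioned in the thread.
UNAUTHORIZED_DER = bytes.fromhex("30030a0106")
# Constructed "successful" stand-in: status 0 plus responseBytes holding the
# id-pkix-ocsp-basic OID and an empty OCTET STRING instead of a BasicOCSPResponse.
SUCCESS_DER = bytes.fromhex("3014" "0a0100" "a00f" "300d" "06092b0601050507300101" "0400")


def make_fetcher(responses: List[bytes]) -> Callable[[], bytes]:
    """Simulate a responder (or CDN cache) answering from a scripted list; the
    last entry repeats once the list is exhausted."""
    it = iter(responses)
    return lambda: next(it, responses[-1])


if __name__ == "__main__":
    fetch = make_fetcher([UNAUTHORIZED_DER, UNAUTHORIZED_DER, SUCCESS_DER])
    der, used = fetch_with_retry(fetch, sleep=lambda s: None)
    print(f"successful OCSP response after {used} attempts, {len(der)} bytes")
```

In a real deployment `fetch` would POST the DER OCSPRequest to the URL in the certificate's Authority Information Access extension and the successful responseBytes would then be signature-checked and cached until `nextUpdate`; the point of the loop is only that a transient "unauthorized" right after issuance is not treated as a final answer.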

We see the same with a certificate issued today. Looks like the OCSP servers currently don’t get all the information that they should …

I guess that happens because OCSP responses are handled and cached by a CDN (Akamai). Maybe if your request hits the CDN before the pre-created OCSP response is available, the unauthorized result gets cached for some time?

I see that there is an open issue in Boulder about setting Akamai caching headers for OCSP: https://github.com/letsencrypt/boulder/issues/2794. Maybe @jsha could shed some light on this, as he has spoken about OCSP in Let’s Encrypt a few times (OCSP with LetsEncrypt Used to Work But Now Doesn’t, [Solved] OCSP server sometimes has malformed response of 5 bytes or “unauthorized”)?

Just for my understanding: why do you even do this?

One possible reason you might be interested in obtaining the OCSP response immediately is the OCSP stapling mechanism: you obtain the OCSP response in advance and include it in the TLS session negotiation. This improves the privacy of users, as they do not query the OCSP server about your certificate directly, which makes the CA unable to track who (distinct IP addresses and browsers) is visiting websites protected by their certificates.

There used to be a small delay, but we changed the code so the certificate should not be returned until OCSP is available. Would you file a bug on boulder with as much detail as you can? Thanks!

