Hello,
I recently purchased a certificate from Let’s Encrypt successfully. Upon trying to fetch the OCSP response (which is done automatically, immediately after certificate purchase), I’m getting the error “unauthorised”. However, when I perform the same operation after a while, say an hour, the OCSP response is obtained successfully.
I would like to know if I should expect a delay between certificate issuance and availability of OCSP information of that certificate.
There’s a small delay between the time Let’s Encrypt signs the certificate and the first OCSP response, usually < 1s. Adding a 1-2s delay for the first attempt and having some retry logic in place should avoid this issue.
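The retry logic suggested in the reply above, written out as an added example (not code from the original thread, Let’s Encrypt, or Boulder). It decodes only the outer `responseStatus` of a DER OCSPResponse (RFC 6960), treats `unauthorized` and `tryLater` as transient right after issuance, and backs off between attempts. The sample responses are constructed; a real successful response carries `responseBytes` after the status, which this parser does not need. The HTTP helper uses `urllib` and is an assumption about how a caller would reach the responder; the request DER itself comes from elsewhere (e.g. a library’s OCSP request builder).

```python
import time
import urllib.request
from typing import Callable, Iterable, Tuple

# OCSPResponseStatus values from RFC 6960, section 4.2.1.
OCSP_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}

# Statuses worth retrying shortly after issuance: the responder has no
# response yet (tryLater), or a cache served a stale "unauthorized".
RETRYABLE = {"tryLater", "unauthorized"}

# Constructed samples. An OCSP error response is just
# SEQUENCE { ENUMERATED status }, i.e. 30 03 0a 01 <status>.
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")
TRY_LATER_RESPONSE = bytes.fromhex("30030a0103")
MALFORMED_RESPONSE = bytes.fromhex("30030a0101")
# Constructed: status header of a successful response, truncated before
# responseBytes (all this parser reads is the status).
SUCCESSFUL_RESPONSE = bytes.fromhex("30030a0100")


def _der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ocsp_response_status(der: bytes) -> str:
    """Return the responseStatus name of a DER-encoded OCSPResponse."""
    if len(der) < 5 or der[0] != 0x30:           # outer SEQUENCE
        raise ValueError("not an OCSPResponse SEQUENCE")
    _, pos = _der_length(der, 1)
    if der[pos] != 0x0A:                          # ENUMERATED
        raise ValueError("responseStatus is not ENUMERATED")
    length, pos = _der_length(der, pos + 1)
    if length != 1 or pos >= len(der):
        raise ValueError("unexpected responseStatus encoding")
    code = der[pos]
    if code not in OCSP_STATUS:
        raise ValueError(f"unknown responseStatus {code}")
    return OCSP_STATUS[code]


def fetch_ocsp_with_retry(fetch: Callable[[], bytes], initial_delay: float = 1.0,
                          attempts: int = 5, max_delay: float = 16.0,
                          sleep: Callable[[float], None] = time.sleep) -> Tuple[bytes, int]:
    """Call fetch() until a successful response; return (der, attempts_used).

    Transient statuses are retried with exponential backoff; anything else
    (malformedRequest, internalError, sigRequired) is raised immediately.
    """
    delay = initial_delay
    last = None
    for attempt in range(1, attempts + 1):
        der = fetch()
        status = ocsp_response_status(der)
        if status == "successful":
            return der, attempt
        if status not in RETRYABLE:
            raise RuntimeError(f"non-retryable OCSP status: {status}")
        last = status
        if attempt < attempts:
            sleep(delay)
            delay = min(delay * 2, max_delay)
    raise RuntimeError(f"gave up after {attempts} attempts, last status {last}")


def sequence_fetcher(responses: Iterable[bytes]) -> Callable[[], bytes]:
    """Constructed fetcher that replays the given responses, one per call."""
    it = iter(responses)
    return lambda: next(it)


def http_ocsp_fetcher(responder_url: str, request_der: bytes) -> Callable[[], bytes]:
    """Assumed transport: POST a DER OCSPRequest to the responder (RFC 6960 A.1)."""
    def fetch() -> bytes:
        req = urllib.request.Request(responder_url, data=request_der, method="POST",
                                     headers={"Content-Type": "application/ocsp-request"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    return fetch


if __name__ == "__main__":
    # Replays the race from the thread: two stale "unauthorized" answers, then success.
    der, used = fetch_ocsp_with_retry(
        sequence_fetcher([UNAUTHORIZED_RESPONSE, UNAUTHORIZED_RESPONSE, SUCCESSFUL_RESPONSE]),
        sleep=lambda s: None)
    print(f"got {ocsp_response_status(der)} after {used} attempts")
```

The `sleep` parameter is injected so the backoff can be exercised without waiting; in production leave it at the default `time.sleep`. If the responder still answers `unauthorized` after the retries have been exhausted, the caller should treat that as a real failure rather than stapling an error response.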
I guess that happens because OCSP responses are handled and cached by CDN (Akamai). Maybe if your request hits CDN before pre-created OCSP response is available, unauthorized result gets cached for some time?
One of the possible reasons you might be interested in obtaining the OCSP response immediately is using the OCSP stapling mechanism - you obtain the OCSP response in advance and include it in the TLS session negotiation. This improves the privacy of users, as they do not query the OCSP server about your certificate directly - which makes the CA unable to track who (distinct IP addresses and browsers) is visiting websites protected by their certificates.
There used to be a small delay, but we changed the code so the certificate should not be returned until OCSP is available. Would you file a bug on boulder with as much detail as you can? Thanks!