OCSP requests via openssl not working

vsund · July 10, 2017, 1:23am

I’m currently fighting with nginx’ lazy OCSP stapling and try to get OCSP responses manually with openssl 1.0.2k.

I try to fetch the OCSP response with

openssl ocsp -no_nonce -url "http://ocsp.int-x3.letsencrypt.org" \
  -header "Host" "http://ocsp.int-x3.letsencrypt.org" \
  -respout /some/path/ntzwrk.org.ocsp \
  -issuer /etc/letsencrypt/live/ntzwrk.org/chain.pem \
  -VAfile /etc/letsencrypt/live/ntzwrk.org/chain.pem \
  -cert /etc/letsencrypt/live/ntzwrk.org/cert.pem

which results in

Error querying OCSP responder
140536047384208:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

I worked through different forum threads but none of the problem seems to be mine. Does anybody has an idea what could cause this “Bad request” error? I saw that there were lately some issues with OCSP responses, is this maybe related to these?

pfg · July 10, 2017, 1:33am

The host header should be set to “ocsp.int-x3.letsencrypt.org” rather than “http://ocsp.int-x3.letsencrypt.org”. Not sure if that’s the issue here, but it seems likely.

vsund · July 10, 2017, 1:37am

Oh, that’s totally right, and solved the problem. Might be just too late

Sorry and thanks for the quick help

system · August 9, 2017, 1:38am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is OCSP responder broken? Issuance Tech	3	7307	April 1, 2018
OCSP responder returning 503 errors Help	13	3388	July 2, 2020
NGINX OCSP not responding Server	4	3549	January 9, 2016
OCSP failed (111: Connection refused) while requesting certificate status Help	4	2255	November 2, 2019
OCSP Responder test error: bad hostname lookup Server	9	7320	May 28, 2017

OCSP requests via openssl not working

Related topics