OCSP responder returning 503 errors

Since 13:00 UTC we’ve been seeing issues trying to fetch OCSP responses against ocsp.int-x3.letsencrypt.org. We are getting intermittent 503s responses from Akamai (HTTP Server header says AkamaiGHost) but apparently everything is ok according to https://letsencrypt.status.io/. There is any ongoing issue with the OCSP responders or the CDN in front of them?

Thanks,
Valentín Gutiérrez

We’re seeing the same.

Yes, same here too…

Same. Getting repeated 400 and 503 “Error querying OCSP responder” errors on several servers with no changes on our end.

Thanks for providing this information. Our team is looking into it. Are there any other details being returned?

Thanks @jillian, it looks to be fixed since a few minutes ago, from 19:43:27 UTC seems to be up & running again

We are still getting this error with many peers behind the ocsp.int-x3.letsencrypt.org like:
23.221.227.164
23.221.227.166
23.221.227.171
23.221.227.172
23.221.227.173
23.221.72.10
23.221.72.11
23.221.72.17
23.221.72.18
23.221.72.19
23.221.72.24
23.221.72.25
23.221.72.26
23.221.72.27

It seems to have been fixed a few times today, but its back as of 19:15 UTC.

Errors look like this, all refer to oscp.int-x3.letsencrypt.org:

ssl_certificate.lua:260: set_response_cert(): auto-ssl: failed to set ocsp stapling for XXX - continuing anyway - failed to get ocsp response: OCSP responder returns bad HTTP status code (http://ocsp.int-x3.letsencrypt.org): 503, context: ssl_certificate_by_lua*

Our error looks like “OCSP responder sent invalid “Content-Type” header: “text/html” while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org”

And the
curl -v http://ocsp.int-x3.letsencrypt.org/

from time to time gives us:

Hostname was NOT found in DNS cache
Trying 23.221.72.9…
Connected to ocsp.int-x3.letsencrypt.org (23.221.72.9) port 80 (#0)

GET / HTTP/1.1
User-Agent: curl/7.38.0
Host: ocsp.int-x3.letsencrypt.org
Accept: /

HTTP/1.1 503 Service Unavailable
Server AkamaiGHost is not blacklisted
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 176
Cache-Control: max-age=0
Expires: Fri, 15 May 2020 20:01:53 GMT
Date: Fri, 15 May 2020 20:01:53 GMT
Connection: keep-alive

<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#32;&#35;102&#46;ec610317&#46;1589572913&#46;236d6a4
</BODY></HTML>

Connection #0 to host ocsp.int-x3.letsencrypt.org left intact

Thanks for that information @mbanker and @server2. We’ve made a change that should immediately alleviate the errors you’re seeing and will be posting a status.io while we continue to monitor the solution.

i can confirm the errors have stopped as of 20:19 UTC. thanks @jillian

Not sure that this is related but for a couple of days from time to time there are errors (for the same set of peers) in log like

OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.172:80
(104: Connection reset by peer) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.166:80
(111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.217.129.90:80

The same errors were before the issue mentioned in the current topic and ended with a serious problem.

@jillian again, probably not directly related but you should be aware that issue is progressing and there are more and more failures each day

2020/05/22 13:42:12 [error] 6354#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 13:42:12 [error] 6354#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 15:58:12 [error] 6346#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.170:80
2020/05/22 15:58:12 [error] 6346#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.170:80
2020/05/22 15:58:15 [error] 6364#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.170:80
2020/05/22 15:58:15 [error] 6364#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.170:80
2020/05/22 15:59:14 [error] 6351#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.166:80
2020/05/22 15:59:14 [error] 6351#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.166:80
2020/05/22 16:29:14 [error] 6350#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 16:29:14 [error] 6350#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 16:29:18 [error] 6347#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 16:29:18 [error] 6347#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 16:29:19 [error] 6350#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 16:29:19 [error] 6350#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.171:80
2020/05/22 16:50:02 [error] 6362#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.173:80
2020/05/22 16:50:02 [error] 6362#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.173:80
2020/05/22 16:50:04 [error] 6369#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.173:80
2020/05/22 16:50:04 [error] 6369#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.173:80
2020/05/22 16:50:08 [error] 6365#0: recv() failed (111: Connection refused) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.173:80
2020/05/22 16:50:08 [error] 6365#0: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.221.227.173:80