OCSP Responder ‘unauthorized’ error

Hello! We run certbot on a number of domains we host and perform OCSP stapling automatically to reduce the load on the Let's Encrypt responders.

Today we noticed the responder is giving us ‘unauthorized (6)’ errors on 10 of them. All of them were renewed recently and use the latest Let's Encrypt CA certificate (C=US, O=Let's Encrypt, CN=R3, serial number 40:01:75:04:83:14:a4:c8:21:8c:84:a9:0c:16:cd:df).

We manage hundreds of certificates signed with the previous certificate (C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3, serial number 0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08). The responder seems fine with all of them I've manually checked.

We're using certbot, and the command I'm using to check is: (for www.beamenergy.co.uk, one of the problem domain):

$ cd /etc/letsencrypt/live/www.beamenergy.co.uk/
$ openssl ocsp -issuer chain.pem -cert cert.pem -VAfile chain.pem \
-respout "/tmp/cert.ocsp.new" -no_nonce -header Host=ocsp.int-x3.letsencrypt.org \
-url http://ocsp.int-x3.letsencrypt.org -noverify
Responder Error: unauthorized (6)

This is on Debian 9 and Ubuntu 20.04 with OpenSSL 1.1.1d and 1.1.1g.

Are there any known issues with the responder? Has the URL of the responder changed recently?

Thanks!

The OCSP URL is found in your certificate, you shouldn't be assuming that it's http://ocsp.int-x3.letsencrypt.org.

When Let's Encrypt changed its issuer to R3 yesterday, this also resulted in the OCSP URL being changed.

If you query the wrong OCSP URL, you'll get an Unauthorized response.

Have a look in the "Authority Information Access" section of your certificate for the updated AIA OCSP URL.

Servers which can do OCSP stapling (like nginx) are generally capable of automatically discovering the OCSP URL.

Many thanks, that was the culprit. I updated the stapling scripts to use the URI from the certificate and everything is working fine now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.