Hello! We run certbot on a number of domains we host and perform OCSP stapling automatically to reduce the load on the Let's Encrypt responders.
Today we noticed the responder is giving us ‘unauthorized (6)’ errors on 10 of them. All of them were renewed recently and use the latest Let's Encrypt CA certificate (C=US, O=Let's Encrypt, CN=R3, serial number 40:01:75:04:83:14:a4:c8:21:8c:84:a9:0c:16:cd:df).
We manage hundreds of certificates signed with the previous certificate (C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3, serial number 0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08). The responder seems fine with all of them I've manually checked.
We're using certbot, and the command I'm using to check is: (for www.beamenergy.co.uk, one of the problem domain):
$ cd /etc/letsencrypt/live/www.beamenergy.co.uk/ $ openssl ocsp -issuer chain.pem -cert cert.pem -VAfile chain.pem \ -respout "/tmp/cert.ocsp.new" -no_nonce -header Host=ocsp.int-x3.letsencrypt.org \ -url http://ocsp.int-x3.letsencrypt.org -noverify Responder Error: unauthorized (6)
This is on Debian 9 and Ubuntu 20.04 with OpenSSL 1.1.1d and 1.1.1g.
Are there any known issues with the responder? Has the URL of the responder changed recently?