Hi,
I found that OCSP checking is done at server
http://ocsp.int-x3.letsencrypt.org
Does it have a fixed IP?
We have a client, who needs all firewall rules as IP's.
Thanks
That OCSP responder URL is for our previous intermediate X3. All the certificates issued by that intermediate have expired and it’s less likely to be useful. The OCSP responder you want to use is embedded in the end entity certificate issued for the domain. Today, it should be http://r3.o.lencr.org/. You can read about the name here
The Let’s Encrypt OCSP responders have a global CDN handling the traffic and caching responses for up to 12 hours. There is no specific IP you can firewall whitelist.
I’m afraid not: the IPs for our services aren’t guaranteed to stay the same, especially for OCSP, which we serve through a high-volume CDN.
If your client needs to use this kind of filtering, I’d recommend using a system with Deep Packet Inspection (DPI) features to check that outgoing connections are made only to authorized hosts.
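An added example, not from this thread or from Let's Encrypt: it pulls the OCSP responder URL out of an end-entity certificate's Authority Information Access extension with openssl and reduces it to the hostname a DPI or proxy rule would match, since the responder has no fixed IP. The certificate and the responder name `ocsp.example.test` are constructed for the demo; a real certificate carries the CA's own URL (the page's `http://r3.o.lencr.org/` today).

```shell
#!/bin/sh
# Added example: derive a hostname-based egress rule from the OCSP
# responder URL embedded in a certificate. Requires OpenSSL >= 1.1.1
# (for `req -addext`).

# Build a throwaway self-signed certificate carrying an AIA extension.
# The OCSP URL here is CONSTRUCTED for the demo; a production certificate
# carries the issuing CA's responder URL instead.
make_demo_cert() {
    cert="$1"; key="$2"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$key" -out "$cert" -days 1 \
        -subj "/CN=demo.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        >/dev/null 2>&1
}

# Print the OCSP responder URI(s) found in the certificate's AIA extension.
ocsp_uri_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce a URI to its hostname: this is the value to allow-list by name,
# because the address behind it is served by a CDN and is not stable.
ocsp_host_from_uri() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/:?]+).*#\1#'
}

# Demo run: generate the constructed certificate and report what a
# hostname-based firewall/proxy rule should match.
tmp=$(mktemp -d)
make_demo_cert "$tmp/cert.pem" "$tmp/key.pem"
for uri in $(ocsp_uri_from_cert "$tmp/cert.pem"); do
    printf 'OCSP responder URI:  %s\n' "$uri"
    printf 'Allow-list hostname: %s\n' "$(ocsp_host_from_uri "$uri")"
done
rm -rf "$tmp"
```

For a production certificate, point `ocsp_uri_from_cert` at the end-entity certificate of the chain actually served; the hostname it yields is what the rule should match, and it can differ between issuances, so re-check it when certificates are renewed.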