I found that OSCP checking is done at server
Does it have a fixed IP?
We have a client, who needs all firewall rules as IP's.
That OCSP responder URL is for our previous intermediate X3. All the certificates issued by that intermediate have expired and it it’s less likely to be useful. The OCSP responder you want to use is embedded in the end entity certificate issued for the domain. Today, it should be http://r3.o.lencr.org/. You can read about the name here
The Let’s Encrypt OCSP responders have a global CDN handling the traffic and caching responses for up to 12 hours. There is no specific IP you can firewall whitelist.
I’m afraid not: the IPs for our services aren’t guaranteed to stay the same, especially for OCSP, which we serve through a high-volume CDN.
If your client needs to use this kind of filtering, I’d recommend using a system with Deep Packet Inspection (DPI) features to check that outgoing connections are made only to authorized hosts.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.