There have been several complaints today that the latest Chrome can't connect to some sites using Let's Encrypt certificates. I narrowed it down to the OCSP – all sites in question get an expired response from the OCSP server (for example kvlt.ee):
```
$ openssl ocsp -header "HOST" ocsp.int-x3.letsencrypt.org -issuer kvlt.chain.ee -cert kvlt.ee.pem -text -url http://ocsp.int-x3.letsencrypt.org/
...
Response Verify Failure
139881862981264:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
kvlt.ee.pem: WARNING: Status times invalid.
139881862981264:error:2707307D:OCSP routines:OCSP_check_validity:status expired:ocsp_cl.c:370:
good
    This Update: Dec 5 04:00:00 2016 GMT
    Next Update: Dec 12 04:00:00 2016 GMT
```
- For other browsers (Firefox, Safari) it's not fatal.
- Switching off OCSP stapling fixes the problem for Chrome as well.
Clearly there is a problem with Let’s Encrypt OCSP responses, but why is it fatal for Chrome only? Is it the problem in Chrome? Or in Apache? Or in other browsers?
Environment: Chrome 55.0.2883.87, Apache 2.4.23, OpenSSL 1.0.2j.
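The failure above comes down to the validity window of the OCSP response: the staple the server hands out has a Next Update of Dec 12, so by the time of the report it is stale. The following is an added example, not code from the question or from Let's Encrypt, that parses the `This Update` / `Next Update` lines from `openssl ocsp -text` output and classifies the response as fresh, expired or not yet valid against a given clock. The sample text is constructed from the output quoted above, and the five-minute `skew` allowance is an assumption chosen to mirror the small clock-skew tolerance OpenSSL applies before reporting "status expired". A check like this, run against what the server actually staples (`openssl s_client -status`), is how you would catch a stale staple cache before browsers do.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the `openssl ocsp -text` output in the question.
SAMPLE_OCSP_TEXT = """\
kvlt.ee.pem: WARNING: Status times invalid.
good
    This Update: Dec 5 04:00:00 2016 GMT
    Next Update: Dec 12 04:00:00 2016 GMT
"""

# openssl prints times as "Mon D HH:MM:SS YYYY GMT"; the day may have one or two digits.
_TIME_RE = r"([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4}) GMT"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Small helper so callers can build UTC timestamps without importing datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _parse_time(mon, day, hms, year):
    # Zero-pad the day so strptime sees a consistent layout.
    stamp = f"{mon} {int(day):02d} {hms} {year}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_ocsp_validity(text):
    """Pull the certificate status and validity window out of openssl ocsp text output.

    Returns a dict with 'status' (good/revoked/unknown), 'this_update' and
    'next_update' (None when the responder omitted it) as aware UTC datetimes.
    """
    this_m = re.search(r"This Update:\s*" + _TIME_RE, text)
    next_m = re.search(r"Next Update:\s*" + _TIME_RE, text)
    # The status line is either bare ("good") or prefixed with the cert file name.
    status_m = re.search(r"^\s*(?:\S+:\s*)?(good|revoked|unknown)\s*$", text, re.M)
    if not (this_m and status_m):
        raise ValueError("no single-response status/validity found in OCSP text")
    return {
        "status": status_m.group(1),
        "this_update": _parse_time(*this_m.groups()),
        "next_update": _parse_time(*next_m.groups()) if next_m else None,
    }


def staple_state(validity, now, skew=timedelta(minutes=5)):
    """Classify a (stapled) OCSP response relative to `now`.

    `skew` (assumed value) is the clock-skew allowance applied at both ends of
    the window, in the spirit of OpenSSL's own check before it reports
    "status expired" or "status not yet valid".
    """
    if validity["this_update"] - skew > now:
        return "not-yet-valid"
    nxt = validity["next_update"]
    if nxt is not None and nxt + skew < now:
        return "expired"
    return "fresh"


def time_left(validity, now):
    """Seconds until Next Update; negative once the response is stale."""
    nxt = validity["next_update"]
    if nxt is None:
        return None
    return (nxt - now).total_seconds()


if __name__ == "__main__":
    v = parse_ocsp_validity(SAMPLE_OCSP_TEXT)
    for when in (utc(2016, 12, 8), utc(2016, 12, 14)):
        print(when.date(), v["status"], staple_state(v, when), time_left(v, when))
```

Feeding the block the stapled response from the live server instead of the saved file (the `OCSP Response Data` section that `openssl s_client -status` prints uses the same `This Update` / `Next Update` lines) gives a monitoring check that fires when the server keeps serving a staple past its Next Update, which is exactly the condition the question describes.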