OCSP Stapling - Blocked Browser with Bad CDN Distribution


Hi, I found that sometimes some of the CDN servers from Let's Encrypt give an invalid answer, which causes the server to be blocked in browsers that honor Must-Staple. The solution I found is to fetch the IPs for the server from multiple open DNS servers. That gives a much broader list of CDN hosts with a higher chance of getting a valid response.
The distribution between the CDN hosts should be optimized here.



Is it possible that you are referring to the Aug 23rd incident?

Thank you

P.S. Let's Encrypt uses Akamai (if I'm correct) for CDN…


Hi, yes, it sounds like it is related to this incident. But it does not change the point of the solution.
Any CDN that delivers different DNS responses to different GeoIPs causes the problem that you always only see a part of the possible servers. Even worse, when I tried to debug the issue I always received a correct response on my laptop while the server always got an error. Since both use DNS load balancing, I first did not have in mind that they would use different sets of IPs.
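The approach described in the first and last posts (resolve the responder hostname through several resolvers, merge the answers into one pool, and fail over between CDN nodes when one returns a bad answer), as an added example that is not part of the original posts or of Let's Encrypt's or Akamai's software. Resolver names, hostnames, IPs and responder behaviour are constructed placeholders so the script runs offline; in real use `sample_query` would be replaced by a per-resolver DNS lookup (for example dnspython with `Resolver.nameservers` set to that resolver, which is an assumption), and `sample_fetch` by an actual OCSP request.

```python
"""Build an OCSP responder address pool from several resolvers and fetch with fallback.

Added example for this thread; not Let's Encrypt or Akamai code. Hostnames, IPs,
resolver names and responder behaviour below are constructed so the script runs offline.
"""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Query = Callable[[str, str], List[str]]   # (resolver, hostname) -> list of IPs
Fetch = Callable[[str], Optional[bytes]]   # ip -> raw response, or None on failure

# Constructed: what resolvers in different regions might return for a
# GeoIP-load-balanced responder hostname. Each vantage point sees only a subset,
# which is the effect described in the thread.
SAMPLE_ANSWERS: Dict[str, Dict[str, List[str]]] = {
    "resolver-a.example": {"ocsp.responder.example": ["192.0.2.10", "192.0.2.11"]},
    "resolver-b.example": {"ocsp.responder.example": ["192.0.2.11", "198.51.100.5"]},
    "resolver-c.example": {"ocsp.responder.example": ["203.0.113.7"]},
    "resolver-down.example": {},   # simulates a resolver that times out
}

# Constructed: one CDN node answers with an error page instead of an OCSP response,
# one is unreachable, the rest answer with bytes that begin like a DER SEQUENCE (0x30).
SAMPLE_RESPONDERS: Dict[str, Optional[bytes]] = {
    "192.0.2.10": b"<html>503</html>",              # the "bad CDN node" from the thread
    "192.0.2.11": b"\x30\x82\x01\x00" + b"\x00" * 4,
    "198.51.100.5": b"\x30\x82\x01\x00" + b"\x00" * 4,
    "203.0.113.7": None,                             # connection failure
}


def sample_query(resolver: str, hostname: str) -> List[str]:
    """Stand-in for a real per-resolver DNS query (assumption: dnspython or similar)."""
    if resolver == "resolver-down.example":
        raise OSError("resolver timed out")
    return list(SAMPLE_ANSWERS[resolver].get(hostname, []))


def sample_fetch(ip: str) -> Optional[bytes]:
    """Stand-in for an actual OCSP request to one responder address."""
    return SAMPLE_RESPONDERS.get(ip)


def gather_pool(hostname: str, resolvers: Sequence[str], query: Query = sample_query) -> List[str]:
    """Union of the answers from every resolver, in first-seen order.

    A resolver that fails is skipped rather than aborting the whole lookup, so one
    dead resolver does not shrink the pool back to a single vantage point.
    """
    seen = set()
    pool: List[str] = []
    for resolver in resolvers:
        try:
            answers = query(resolver, hostname)
        except OSError:
            continue
        for ip in answers:
            if ip not in seen:
                seen.add(ip)
                pool.append(ip)
    return pool


def looks_like_der(response: Optional[bytes]) -> bool:
    """Cheap structural pre-check only (first byte is a DER SEQUENCE tag).

    The response still has to be verified by the OCSP client (signature, validity
    window, matching certificate) before it may be stapled.
    """
    return bool(response) and response[0] == 0x30


def fetch_with_fallback(
    pool: Sequence[str],
    fetch: Fetch = sample_fetch,
    start: int = 0,
    is_valid: Callable[[Optional[bytes]], bool] = looks_like_der,
) -> Optional[Tuple[str, bytes]]:
    """Try pool entries starting at index `start` and return the first valid one.

    Rotating `start` between runs spreads load across the CDN nodes instead of
    always hammering the first address a resolver happened to return.
    """
    n = len(pool)
    for i in range(n):
        ip = pool[(start + i) % n]
        response = fetch(ip)
        if is_valid(response):
            return ip, response
    return None


if __name__ == "__main__":
    pool = gather_pool("ocsp.responder.example", list(SAMPLE_ANSWERS))
    print("pool:", pool)
    for attempt in range(len(pool)):
        print("start", attempt, "->", fetch_with_fallback(pool, start=attempt))
    # A single vantage point that only sees the dead node gets nothing at all.
    print("single resolver:", fetch_with_fallback(gather_pool("ocsp.responder.example", ["resolver-c.example"])))
```

Running it shows the point of the thread: a single resolver that happens to see only the failing node yields no usable response, while the merged pool always finds a good one, and rotating the start index keeps the traffic from piling onto one address.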


