Examples:
- https://community.letsencrypt.org/t/ocsp-server-returns-unauthorized-status/21965
- https://community.letsencrypt.org/t/ocsp-error-request-failed-with-ocsp-status-6-http-ocsp-int-x3-letsencrypt-org/24446
and anything else from searching for OCSP unauthorized.
Cron-job takes the existing cert, grabs --ocsp_uri from it, splits the chain into ourcert.pem and issuer.pem and invokes:
# the `-header` flag requires OpenSSL 1.0.2+
$openssl ocsp \
-header Host "${host_header:?}" \
-url "${ocsp_uri:?got empty OCSP URI}" \
-issuer "${TMPDIR:?}/issuer.pem" \
-cert "${TMPDIR:?}/ourcert.pem" \
-CAfile "${CAFile:?}" \
-verify_other "${crtfile}" \
-no_nonce \
-respout "$output"
This has been working fine with being invoked every other day for the past couple of months, so the core functionality works fine.
This is not used with a webserver (except for handling the challenge) but with the Exim MTA, as stated. A mail-server, speaking SMTP. No changes have been made recently other than the mentioned cert renewal.
Output is some text from ed splitting the certs (because at two months this is new enough that I’m still watching cron output mails instead of making them less verbose), followed by the exact error I cited in my post:
Responder Error: unauthorized (6)
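An added example, not code from the post above: a POSIX shell version of the cron job it describes (split the chain, fetch the OCSP response) that also classifies the `openssl ocsp` output, so a `Responder Error: unauthorized (6)` answer, or any other non-good result, never replaces the last verified response in the staple file the MTA serves. The file names, the `-header Host value` form (the OpenSSL 1.0.2 syntax the post uses; 1.1.0+ expects `Host=value`), and the matching on `Response verify OK` / `: good` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names throughout.
set -eu

# Split a fullchain PEM into our cert (first block) and the issuer chain (rest).
# Usage: split_chain fullchain.pem ourcert.pem issuer.pem
split_chain() {
  awk -v our="$2" -v iss="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 0 { next }
    { print > (n == 1 ? our : iss) }
  ' "$1"
}

# Classify saved openssl ocsp output: prints good | revoked | unauthorized | error.
# A "Responder Error:" line (like the unauthorized (6) in the post) means the
# responder returned no signed status at all, so there is nothing safe to staple.
classify_ocsp_output() {
  if grep -q '^Responder Error:' "$1"; then
    grep -q 'unauthorized' "$1" && echo unauthorized || echo error
  elif grep -q '^Response verify OK' "$1" && grep -q ': good$' "$1"; then
    echo good
  elif grep -q ': revoked$' "$1"; then
    echo revoked
  else
    echo error
  fi
}

# Fetch a response and install it only on a verified "good" answer; otherwise the
# previous file is left untouched and the status is printed for the cron mail.
# Usage: refresh_staple fullchain.pem CAfile output.der
refresh_staple() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  split_chain "$1" "$tmp/ourcert.pem" "$tmp/issuer.pem"
  uri=$(openssl x509 -noout -ocsp_uri -in "$tmp/ourcert.pem")
  host=${uri#*://}; host=${host%%/*}          # Host header from the OCSP URI
  openssl ocsp -header Host "$host" -url "$uri" \
    -issuer "$tmp/issuer.pem" -cert "$tmp/ourcert.pem" \
    -CAfile "$2" -verify_other "$1" -no_nonce \
    -respout "$tmp/resp.der" >"$tmp/out.txt" 2>&1 || true
  status=$(classify_ocsp_output "$tmp/out.txt")
  [ "$status" = good ] && mv "$tmp/resp.der" "$3"
  echo "$status"
}
```

Run `refresh_staple` from cron and alert on anything other than `good`, rather than letting the MTA pick up whatever `-respout` last wrote.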