Random OCSP timeouts

Hi all,

we’re using this check_ssl_cert nagios plugin to check the validity of our LE certs. We frequently get timeouts contacting ocsp.int-x3.letsencrypt.org. I checked https://letsencrypt.status.io/, nothing. DNS resolution is working properly, traceroute gets to ecix-dus2.netarch.akamai.com (194.146.118.147) and then stalls. Right now I’m looking for further ways to investigate. If you need any more information, please let me know.

Hi @mumpitz,

I will ask one of our SREs to take a look at this thread. Thanks!

@mumpitz
Would you be able to provide a domain you’re checking so we can do some digging in Akamai? Does the check script give back any sort of error message besides a timeout?

Sure: newsradar.de for example. The command run by the script is /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_certaQ6P7q -cert /tmp/check_ssl_certnGCI1o -url http://ocsp.int-x3.letsencrypt.org -header HOST=ocsp.int-x3.letsencrypt.org and sometimes it eventually fails with this:

[DBG] OCSP: response = Error connecting BIO
[DBG] OCSP: response = Error querying OCSP responder
[DBG] OCSP: response = 140437926040960:error:02002065:system library:connect:Network is unreachable:../crypto/bio/b_sock2.c:108:
[DBG] OCSP: response = 140437926040960:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:109:
[DBG] OCSP: response = 140437926040960:error:02002065:system library:connect:Network is unreachable:../crypto/bio/bss_conn.c:169:hostname=ocsp.int-x3.letsencrypt.org service=80
[DBG] OCSP: response = 140437926040960:error:20073067:BIO routines:conn_state:connect error:../crypto/bio/bss_conn.c:173:

@mumpitz
Is it only from one geographic location that you’re experiencing this? Just out of curiosity, can you use the Akamai tool linked below to verify that Akamai hasn’t blocked your monitoring server’s IP address? It seems far-fetched, but just ruling that out as a possibility.
https://www.akamai.com/us/en/clientrep-lookup/?language=en_US

Using v1.84.0 of check_ssl_cert returns similar content from different network vantage points for me.

$ ./check_ssl_cert -H newsradar.de -d
[DBG] ROOT_CA = 
[DBG] cURL binary needed. SSL Labs = , OCSP = 1
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /home/xxxx/.plenv/shims/perl
[DBG] date available: /usr/bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.84.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 133 root certificates installed by default
[DBG] System info: Linux xxxxxxx
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername newsradar.de
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost newsradar.de
[DBG] temporary file /tmp/check_ssl_cert9KdIAy created
[DBG] temporary file /tmp/check_ssl_certPzg05D created
[DBG] temporary file /tmp/check_ssl_certNW5gr0 created
[DBG] temporary file /tmp/check_ssl_cert798WSg created
downloading certificate to /tmp
[DBG] newsradar.de is not an IP address
[DBG] executing with timeout (15s): echo 'HEAD / HTTP/1.1\nHost: newsradar.de\nUser-Agent: check_ssl_cert/1.84.0\nConnection: close\n\n' | /usr/bin/openssl s_client   -crlf -ign_eof -connect newsradar.de:443 -servername newsradar.de -showcerts -verify 6     2> /tmp/check_ssl_certPzg05D 1> /tmp/check_ssl_cert9KdIAy
[DBG]   /usr/bin/timeout 15 /bin/sh -c "echo 'HEAD / HTTP/1.1\nHost: newsradar.de\nUser-Agent: check_ssl_cert/1.84.0\nConnection: close\n\n' | /usr/bin/openssl s_client   -crlf -ign_eof -connect newsradar.de:443 -servername newsradar.de -showcerts -verify 6     2> /tmp/check_ssl_certPzg05D 1> /tmp/check_ssl_cert9KdIAy"
[DBG] storing a copy of the retrieved certificate in newsradar.de.crt
[DBG] storing a copy of the OpenSSL errors in newsradar.de.error
parsing the x509 certificate file
[DBG] subject= CN = newsradar.de
[DBG] CN         = newsradar.de
[DBG] CA         = Let's Encrypt Authority X3
[DBG] CA         = DST Root CA X3
[DBG] SERIAL     = 0359A8442B724084A234BC79398F3908CC74
[DBG] FINGERPRINT= 9F:38:50:7C:F7:C3:DE:EC:B1:97:7B:80:26:D4:C6:56:DC:6A:52:EF
[DBG] OCSP_URI   = http://ocsp.int-x3.letsencrypt.org
[DBG] ISSUER_URI = http://cert.int-x3.letsencrypt.org/
[DBG]     Signature Algorithm: sha256WithRSAEncryption
[DBG] Date computations: GNU
The certificate will expire in 62 day(s)
[DBG] subjectAlternativeName = newsradar.de
[DBG] Checking expiration date
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://cert.int-x3.letsencrypt.org/ to /tmp/check_ssl_certNW5gr0
[DBG] executing with timeout (15s): /usr/bin/curl --silent --location http://cert.int-x3.letsencrypt.org/ > /tmp/check_ssl_certNW5gr0
[DBG]   /usr/bin/timeout 15 /bin/sh -c "/usr/bin/curl --silent --location http://cert.int-x3.letsencrypt.org/ > /tmp/check_ssl_certNW5gr0"
[DBG] OCSP: issuer certificate type:  data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: storing a copy of the retrieved issuer certificate to cert.int-x3.letsencrypt.org
[DBG] OCSP: host = ocsp.int-x3.letsencrypt.org
[DBG] openssl ocsp supports the -header option
[DBG] openssl ocsp -header requires 'key value'
[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_certNW5gr0 -cert /tmp/check_ssl_cert9KdIAy  -url http://ocsp.int-x3.letsencrypt.org  -header HOST ocsp.int-x3.letsencrypt.org
[DBG] OCSP: response = Response Verify Failure
[DBG] OCSP: response = 139760171145104:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
[DBG] OCSP: response = /tmp/check_ssl_cert9KdIAy: good
[DBG] OCSP: response = 	This Update: Mar 27 21:00:00 2019 GMT
[DBG] OCSP: response = 	Next Update: Apr  3 21:00:00 2019 GMT
SSL_CERT OK - x509 certificate 'newsradar.de' from 'Let's Encrypt Authority X3' valid until May 29 20:11:15 2019 GMT (expires in 62 days)|days=62;;;;
[DBG] cleaning up temporary files
[DBG]   /tmp/check_ssl_cert9KdIAy
[DBG]   /tmp/check_ssl_certPzg05D
[DBG]   /tmp/check_ssl_certNW5gr0
[DBG]   /tmp/check_ssl_cert798WSg

Hi,
thanks for this post. We have the same issue with the OCSP timeouts. Our monitoring servers are located in Cologne, Germany. But we also have problems with requesting new certs from Let's Encrypt. The problems started on Monday.

Here is an error message from dehydrated, but most of the time it's a timeout:

+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Apr 24 09:55:22 2019 GMT (Less than 30 days). Renewing!
+ Signing domains...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/1.1 100 Continue
Expires: Fri, 29 Mar 2019 06:00:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 169
Boulder-Requester: 2327412
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Expires: Fri, 29 Mar 2019 06:00:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 29 Mar 2019 06:00:01 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:badNonce",
  "detail": "JWS has an invalid anti-replay nonce: \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"",
  "status": 400
}

I’ve checked one of my certs with the “check_ssl_cert” and here is my result:

[root@icinga ~]# ./check_ssl_cert -H bitbucket.kernarea.de -d
[DBG] ROOT_CA = 
[DBG] cURL binary needed. SSL Labs = , OCSP = 1
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.84.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 133 root certificates installed by default
[DBG] System info: Linux icinga.kernarea.de 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername bitbucket.kernarea.de
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost bitbucket.kernarea.de
[DBG] temporary file /tmp/check_ssl_certNmlj2x created
[DBG] temporary file /tmp/check_ssl_certjhj3W8 created
[DBG] temporary file /tmp/check_ssl_cert9NK6Za created
[DBG] temporary file /tmp/check_ssl_certFoCt6M created
downloading certificate to /tmp
[DBG] bitbucket.kernarea.de is not an IP address
[DBG] executing with timeout (15s): echo 'HEAD / HTTP/1.1\nHost: bitbucket.kernarea.de\nUser-Agent: check_ssl_cert/1.84.0\nConnection: close\n\n' | /usr/bin/openssl s_client   -crlf -ign_eof -connect bitbucket.kernarea.de:443 -servername bitbucket.kernarea.de -showcerts -verify 6     2> /tmp/check_ssl_certjhj3W8 1> /tmp/check_ssl_certNmlj2x
[DBG]   /usr/bin/timeout 15 /bin/sh -c "echo 'HEAD / HTTP/1.1\nHost: bitbucket.kernarea.de\nUser-Agent: check_ssl_cert/1.84.0\nConnection: close\n\n' | /usr/bin/openssl s_client   -crlf -ign_eof -connect bitbucket.kernarea.de:443 -servername bitbucket.kernarea.de -showcerts -verify 6     2> /tmp/check_ssl_certjhj3W8 1> /tmp/check_ssl_certNmlj2x"
[DBG] storing a copy of the retrieved certificate in bitbucket.kernarea.de.crt
[DBG] storing a copy of the OpenSSL errors in bitbucket.kernarea.de.error
parsing the x509 certificate file
[DBG] subject= CN = stash.kernarea.de
[DBG] CN         = stash.kernarea.de
[DBG] CA         = Let's Encrypt Authority X3
[DBG] CA         = DST Root CA X3
[DBG] SERIAL     = 03025B68EBB78D49CCE5E22B2A7EFB7FE775
[DBG] FINGERPRINT= 50:4D:B6:DC:D4:9D:7F:DF:4C:34:A0:4F:31:52:C5:6C:B6:DE:38:C3
[DBG] OCSP_URI   = http://ocsp.int-x3.letsencrypt.org
[DBG] ISSUER_URI = http://cert.int-x3.letsencrypt.org/
[DBG]     Signature Algorithm: sha256WithRSAEncryption
[DBG] Date computations: GNU
The certificate will expire in 44 day(s)
[DBG] subjectAlternativeName = bitbucket.kernarea.de stash.kernarea.de
[DBG] Checking expiration date
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://cert.int-x3.letsencrypt.org/ to /tmp/check_ssl_cert9NK6Za
[DBG] executing with timeout (15s): /usr/bin/curl --silent --location http://cert.int-x3.letsencrypt.org/ > /tmp/check_ssl_cert9NK6Za
[DBG]   /usr/bin/timeout 15 /bin/sh -c "/usr/bin/curl --silent --location http://cert.int-x3.letsencrypt.org/ > /tmp/check_ssl_cert9NK6Za"
[DBG] OCSP: issuer certificate type:  empty
[DBG] cleaning up temporary files
[DBG]   /tmp/check_ssl_certNmlj2x
[DBG]   /tmp/check_ssl_certjhj3W8
[DBG]   /tmp/check_ssl_cert9NK6Za
[DBG]   /tmp/check_ssl_certFoCt6M
SSL_CERT UNKNOWN bitbucket.kernarea.de: Unable to fetch a valid certificate issuer certificate.

@Phil

  1. I checked Akamai's clientrep tool. Tried several times; about half the time I got an error from the site, the other times it said my IP was not marked with bad rep. About the frequent site errors, I'm in the process of opening a community thread at Akamai's. Takes some time to register an account though, will keep you posted here.
  2. I ran the script from IPs from the US and from Cologne, Germany (we're in Düsseldorf, Germany); seems to run without problems.
  3. The script seems to end in 3 states:
    a. Cannot reach servers / timeout:

[DBG] OCSP: response = Error connecting BIO
[DBG] OCSP: response = Error querying OCSP responsder

    b. Cert not found:

[DBG] OCSP: response = Response Verify Failure
[DBG] OCSP: response = 139778640934560:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:

    c. All good (expected!):

[DBG] OCSP: response = Response verify OK

It's strange you're experiencing 2b, though... that points to the ocsp servers, but the other observations point to connectivity issues from our data center to Akamai...

@giuliano
I’m experiencing the same issues with your cert check as in my reply: from Cologne and the US all is working, from our data center the same mix of successes and failures.
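Added example, not part of any post in this thread and not code from check_ssl_cert: one way a monitoring wrapper could tell apart the outcomes listed above from `openssl ocsp` output, so that an unreachable responder or an unverified response is not reported as a revocation result. The function name, the state mapping and the third sample are assumptions made for illustration; the first two samples are lines quoted in the thread.

```python
import re

# Debug prefix added by check_ssl_cert in the output quoted in this thread.
PREFIX = re.compile(r"^\[DBG\] OCSP: response = ?")
# Status line printed by `openssl ocsp`: "<cert file>: good|revoked|unknown".
STATUS = re.compile(r"^\S+: (good|revoked|unknown)\s*$")

# Lines quoted in the thread (transport failure).
SAMPLE_UNREACHABLE = """\
[DBG] OCSP: response = Error connecting BIO
[DBG] OCSP: response = Error querying OCSP responder
"""

# Lines quoted in the thread (status "good", but signature check failed).
SAMPLE_UNVERIFIED = """\
[DBG] OCSP: response = Response Verify Failure
[DBG] OCSP: response = 139760171145104:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
[DBG] OCSP: response = /tmp/check_ssl_cert9KdIAy: good
"""

# Constructed sample: verified response with a status line.
SAMPLE_VERIFIED = """\
Response verify OK
/tmp/example-cert.pem: good
"""


def classify_ocsp_output(text):
    """Map `openssl ocsp` output to (nagios_state, reason).

    UNKNOWN is returned whenever the output does not prove anything about
    revocation: the responder was unreachable, or the response signature
    could not be verified (its status line is then untrusted).
    """
    lines = [PREFIX.sub("", ln).rstrip() for ln in text.splitlines()]

    # Transport failure: no response was received at all.
    if any(ln.startswith(("Error connecting BIO", "Error querying OCSP"))
           for ln in lines):
        return ("UNKNOWN", "unreachable")

    status = None
    for ln in lines:
        match = STATUS.match(ln)
        if match:
            status = match.group(1)

    # Only an explicit "Response verify OK" counts as a verified signature.
    if "Response verify OK" not in lines:
        return ("UNKNOWN", "unverified")

    if status == "good":
        return ("OK", "good")
    if status == "revoked":
        return ("CRITICAL", "revoked")
    return ("UNKNOWN", "no-status")
```
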

@mumpitz
Correct, our other location (Frankfurt, Germany) is working too.

Just as an update, I’ve been keeping an eye on this and am awaiting a response from Akamai. Can you both provide output from mtr -r -c 50 from your affected locations/datacenters? I’ll follow up when I hear back from them. Thank you both for being patient.

Hi @Phil,
here is my mtr from Cologne, Germany:

[gschindler@nb-040 ~]$ mtr -n -r -4 -c 50 acme-v02.api.letsencrypt.org
Start: Tue Apr  2 06:57:28 2019
HOST: nb-040.kernarea.de          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.xxx.xxx            0.0%    50    2.0   3.2   0.6  49.9   8.7
  2.|-- 10.xxx.xxx.xxx             0.0%    50    0.5   0.3   0.2   0.5   0.0
  3.|-- 10.xxx.xxx.xxx              0.0%    50    0.5   0.4   0.3   0.6   0.0
  4.|-- 195.14.208.49              0.0%    50    1.1   1.0   0.8   1.4   0.0
  5.|-- 78.35.29.65                0.0%    50    0.9   1.9   0.8  27.8   3.9
  6.|-- 89.1.16.125                0.0%    50    1.1   1.7   0.9  16.1   2.6
  7.|-- 81.173.192.114             0.0%    50    1.4   4.8   0.9  46.4  11.0
  8.|-- 194.146.118.84             0.0%    50  220.1  69.4   2.5 453.6 102.1
  9.|-- 23.60.203.157              0.0%    50    2.1   2.0   1.7   2.2   0.0
[gschindler@nb-040 ~]$ 
[gschindler@nb-040 ~]$ mtr -n -r -4 -c 50 ocsp.int-x3.letsencrypt.org
Start: Tue Apr  2 07:03:06 2019
HOST: nb-040.kernarea.de          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.xxx.xxx            0.0%    50    0.8   5.9   0.6 117.3  18.7
  2.|-- 10.xxx.xxx.xxx             0.0%    50    0.3   0.3   0.2   0.5   0.0
  3.|-- 10.xxx.xxx.xxx               0.0%    50    0.4   0.5   0.3   0.6   0.0
  4.|-- 195.14.208.49              0.0%    50    0.9   1.0   0.8   1.4   0.0
  5.|-- 78.35.29.65                0.0%    50    1.6   1.4   0.7  10.3   1.5
  6.|-- 89.1.16.129                0.0%    50    1.1   1.7   0.9  16.8   2.8
  7.|-- 81.173.192.118             0.0%    50    1.1   4.1   1.0  51.1  10.0
  8.|-- 194.146.118.84             0.0%    50  134.1  14.3   2.2 134.1  23.6
  9.|-- 2.16.100.114               0.0%    50    2.0   2.0   1.9   2.3   0.0
[gschindler@nb-040 ~]$

$ mtr -n -r -4 -c 50 ocsp.int-x3.letsencrypt.org
Start: Tue Apr  2 10:30:47 2019
HOST: icinga2-client1             Loss%   Snt   Last   Avg  Best  Wrst StDev
1.|-- 217.113.37.222            44.0%    50    0.2   0.3   0.2   1.4   0.2
2.|-- 217.113.43.254             0.0%    50    0.5  17.6   0.4 114.4  35.3
3.|-- ???                       100.0    50    0.0   0.0   0.0   0.0   0.0
4.|-- 95.101.90.129              0.0%    50    0.4   0.9   0.3   6.7   1.3
$ mtr -n -r -4 -c 50 acme-v02.api.letsencrypt.org
Start: Tue Apr  2 10:32:27 2019
HOST: icinga2-client1             Loss%   Snt   Last   Avg  Best  Wrst StDev
1.|-- 217.113.37.222            40.0%    50    0.2   0.5   0.2   4.5   0.8
2.|-- 217.113.43.254             0.0%    50    0.5  36.8   0.3 187.2  59.0
3.|-- 194.146.118.84             0.0%    50   12.5  11.6   1.0 121.2  18.8
4.|-- 23.60.203.157              0.0%    50    2.2   2.1   0.3  10.4   2.3

Thank you both @mumpitz and @giuliano.

Can you also run the following commands from your affected datacenters with the Akamai pragma headers set and provide the full output?

curl -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" https://acme-v02.api.letsencrypt.org/directory
curl -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== > temp.rsp; openssl ocsp -noverify -text -respin temp.rsp

Hi @Phil,
here is my info:

[root@icinga ~]# curl -4 -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 23.60.203.157...
* Connected to acme-v02.api.letsencrypt.org (23.60.203.157) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=acme-v02.api.letsencrypt.org
* 	start date: Mär 01 04:24:29 2019 GMT
* 	expire date: Mai 30 04:24:29 2019 GMT
* 	common name: acme-v02.api.letsencrypt.org
* 	issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET /directory HTTP/1.1
> User-Agent: curl/7.29.0
> Host: acme-v02.api.letsencrypt.org
> Accept: */*
> Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 658
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< X-Akamai-SSL-Client-Sid: S2qXhEz0fR0joLX7N/QXTw==
< X-Check-Cacheable: NO
< X-Akamai-Request-ID: 2eaea7c1.2b778d70
< Expires: Tue, 02 Apr 2019 14:51:09 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Tue, 02 Apr 2019 14:51:09 GMT
< X-Cache: TCP_MISS from a2-16-101-13.deploy.akamaitechnologies.com (AkamaiGHost/9.6.0-24900238) (-)
< X-Cache-Key: S/D/14990/432721/000/origin-2pvah7paghah4iu6P.api.letsencrypt.org/directory
< X-Cache-Key-Extended-Internal-Use-Only: S/D/14990/432721/000/origin-2pvah7paghah4iu6P.api.letsencrypt.org/directory vcd=10106
< X-True-Cache-Key: /D/000/origin-2pvah7paghah4iu6P.api.letsencrypt.org/directory vcd=10106
< X-Akamai-Session-Info: name=AKA_PM_BASEDIR; value=
< X-Akamai-Session-Info: name=AKA_PM_CACHEABLE_OBJECT; value=false
< X-Akamai-Session-Info: name=AKA_PM_FWD_URL; value=/directory
< X-Akamai-Session-Info: name=AKA_PM_NETSTORAGE_ROOT; value=
< X-Akamai-Session-Info: name=AKA_PM_PREFETCH_ON; value=true
< X-Akamai-Session-Info: name=AKA_PM_RUM_ENABLED; value=off
< X-Akamai-Session-Info: name=AKA_PM_SR_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_MAP_PREFIX; value=ch2
< X-Akamai-Session-Info: name=ANS_PEARL_VERSION; value=0.9.0
< X-Akamai-Session-Info: name=ENABLE_SD_POC; value=yes
< X-Akamai-Session-Info: name=FASTTCP_RENO_FALLBACK_DISABLE_OPTOUT; value=on
< X-Akamai-Session-Info: name=HEADER_NAMES; value=User-Agent%3aHost%3aAccept%3aPragma; full_location_id=
< X-Akamai-Session-Info: name=OVERRIDE_HTTPS_IE_CACHE_BUST; value=all
< X-Akamai-Session-Info: name=PMUSER_IP_HASH; value=282
< X-Akamai-Session-Info: name=SEC_CLIENT_IP_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=SEC_XFF_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=TAP_GUID; value=
< X-Akamai-Session-Info: name=TAP_KEY_ID; value=
< X-Akamai-Session-Info: name=TCP_OPT_APPLIED; value=medium
< X-Serial: 14990
< X-Akamai-SSL-Client-Sid: HMbi00ZzAcUefzCI8G6KnA==
< Connection: keep-alive
< X-Cache-Remote: TCP_MISS from a2-16-218-45.deploy.akamaitechnologies.com (AkamaiGHost/9.6.2.0.1-25325260) (-)
< 
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "rWCvye4HflI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
}[root@icinga ~]# 
[root@icinga ~]# curl -4 -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== > temp.rsp; openssl ocsp -noverify -text -respin temp.rsp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to ocsp.int-x3.letsencrypt.org port 80 (#0)
*   Trying 2.16.100.98...
* Connected to ocsp.int-x3.letsencrypt.org (2.16.100.98) port 80 (#0)
> GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ocsp.int-x3.letsencrypt.org
> Accept: */*
> Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/ocsp-response
< Content-Length: 546
< ETag: "77C13CDA86BF5ECF1D503E47E077741FF26C1DFF3598FFCE72024FBFED567B4C"
< Last-Modified: Thu, 23 Mar 2017 21:00:00 UTC
< X-Akamai-Request-ID: 5a3d3ff8.15437592
< Cache-Control: public, no-transform, must-revalidate, max-age=0
< Expires: Tue, 02 Apr 2019 14:52:24 GMT
< Date: Tue, 02 Apr 2019 14:52:24 GMT
< X-Cache: TCP_MISS from a2-16-100-94.deploy.akamaitechnologies.com (AkamaiGHost/9.6.0-24900238) (-)
< X-Cache-Key: /L/771/395065/12h/ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow==
< X-Cache-Key-Extended-Internal-Use-Only: /L/771/395065/12h/ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== vcd=10106
< X-True-Cache-Key: /L/ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== vcd=10106
< X-Akamai-Session-Info: name=AKA_PM_BASEDIR; value=
< X-Akamai-Session-Info: name=AKA_PM_BYPASS_MODIFY_PATH; value=true
< X-Akamai-Session-Info: name=AKA_PM_CACHEABLE_OBJECT; value=true
< X-Akamai-Session-Info: name=AKA_PM_NETSTORAGE_ROOT; value=
< X-Akamai-Session-Info: name=AKA_PM_PREFETCH_ON; value=true
< X-Akamai-Session-Info: name=AKA_PM_RUM_ENABLED; value=off
< X-Akamai-Session-Info: name=AKA_PM_SR_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_MAP_PREFIX; value=ch2
< X-Akamai-Session-Info: name=ANS_PEARL_VERSION; value=0.9.0
< X-Akamai-Session-Info: name=ENABLE_SD_POC; value=yes
< X-Akamai-Session-Info: name=FASTTCP_RENO_FALLBACK_DISABLE_OPTOUT; value=on
< X-Akamai-Session-Info: name=HEADER_NAMES; value=User-Agent%3aHost%3aAccept%3aPragma; full_location_id=
< X-Akamai-Session-Info: name=OVERRIDE_HTTPS_IE_CACHE_BUST; value=all
< X-Akamai-Session-Info: name=SEC_CLIENT_IP_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=SEC_XFF_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=TAP_GUID; value=
< X-Akamai-Session-Info: name=TAP_KEY_ID; value=
< X-Akamai-Session-Info: name=TCP_OPT_APPLIED; value=medium
< X-Serial: 771
< Connection: keep-alive
< X-Cache-Remote: TCP_HIT from a2-16-217-95.deploy.akamaitechnologies.com (AkamaiGHost/9.6.0-24900238) (-)
< X-Check-Cacheable: YES
< 
{ [data not shown]
100   546  100   546    0     0  15432      0 --:--:-- --:--:-- --:--:-- 15600
* Connection #0 to host ocsp.int-x3.letsencrypt.org left intact
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Mar 23 21:14:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03D88363A753CCD6FF9B1936ACF31B03783B
    Cert Status: revoked
    Revocation Time: Dec 22 22:07:11 2016 GMT
    This Update: Mar 23 21:00:00 2017 GMT
    Next Update: Mar 30 21:00:00 2017 GMT

    Signature Algorithm: sha256WithRSAEncryption
[root@icinga ~]#
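Added example, not part of any post in this thread: the path of the OCSP GET URL used in the curl command is the base64 encoding of a DER OCSPRequest (RFC 6960, Appendix A.1), so it can be decoded offline to see which certificate the probe asks about and compared with the Certificate ID printed in the response above. The function names and the minimal DER reader are written for this illustration; the path and the expected Certificate ID values are copied from the thread.

```python
import base64
from urllib.parse import unquote

# Path component of the OCSP GET URL from the thread's curl command.
OCSP_GET_PATH = ("MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQU"
                 "qEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow==")

# Certificate ID as printed by `openssl ocsp -text` in the thread's output.
RESPONSE_CERT_ID = {
    "hash_alg": "sha1",
    "issuer_name_hash": "7EE66AE7729AB3FCF8A220646C16A12D6071085D",
    "issuer_key_hash": "A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1",
    "serial": "03D88363A753CCD6FF9B1936ACF31B03783B",
}

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, want_tag):
    """Read the element at pos and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x}, got 0x{tag:02x}")
    return value, nxt


def decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    if not body:
        raise ValueError("empty OID")
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_cert_id(cert_id):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    alg, pos = expect(cert_id, 0, 0x30)
    oid, _ = expect(alg, 0, 0x06)
    name_hash, pos = expect(cert_id, pos, 0x04)
    key_hash, pos = expect(cert_id, pos, 0x04)
    serial, pos = expect(cert_id, pos, 0x02)
    if pos != len(cert_id):
        raise ValueError("trailing bytes in CertID")
    if len(serial) > 1 and serial[0] == 0:  # drop the DER sign byte
        serial = serial[1:]
    dotted = decode_oid(oid)
    return {
        "hash_alg": HASH_OIDS.get(dotted, dotted),
        "issuer_name_hash": name_hash.hex().upper(),
        "issuer_key_hash": key_hash.hex().upper(),
        "serial": serial.hex().upper(),
    }


def parse_ocsp_get_path(path):
    """Return the list of CertIDs carried in an OCSP GET path."""
    der = base64.b64decode(unquote(path), validate=True)
    request, end = expect(der, 0, 0x30)          # OCSPRequest
    if end != len(der):
        raise ValueError("trailing bytes after OCSPRequest")
    tbs, _ = expect(request, 0, 0x30)            # TBSRequest
    tag, value, nxt = read_tlv(tbs, 0)
    while tag in (0xA0, 0xA1):                   # optional version / requestorName
        tag, value, nxt = read_tlv(tbs, nxt)
    if tag != 0x30:
        raise ValueError("requestList not found")
    ids, pos = [], 0
    while pos < len(value):                      # SEQUENCE OF Request
        single, pos = expect(value, pos, 0x30)
        cert_id, _ = expect(single, 0, 0x30)
        ids.append(parse_cert_id(cert_id))
    return ids
```

`parse_ocsp_get_path(OCSP_GET_PATH)` returns one CertID whose fields equal `RESPONSE_CERT_ID`, the values shown under "Certificate ID" in the output above.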

Sure:

$ curl -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" https://acme-v02.api.letsencrypt.org/directory
*   Trying 23.60.203.157...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (23.60.203.157) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Mar  1 04:24:29 2019 GMT
*  expire date: May 30 04:24:29 2019 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /directory HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
> Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 658
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< X-Akamai-SSL-Client-Sid: gUHiqCuA+j+FJcIqY/qZsQ==
< X-Check-Cacheable: NO
< X-Akamai-Request-ID: 33373b39.2f273b5f
< Expires: Wed, 03 Apr 2019 07:22:37 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Wed, 03 Apr 2019 07:22:37 GMT
< X-Cache: TCP_MISS from a2-16-101-13.deploy.akamaitechnologies.com (AkamaiGHost/9.6.0-24900238) (-)
< X-Cache-Key: S/D/14990/432721/000/origin-1pei3Eexu3ol4aemo.api.letsencrypt.org/directory
< X-Cache-Key-Extended-Internal-Use-Only: S/D/14990/432721/000/origin-1pei3Eexu3ol4aemo.api.letsencrypt.org/directory vcd=10106
< X-True-Cache-Key: /D/000/origin-1pei3Eexu3ol4aemo.api.letsencrypt.org/directory vcd=10106
< X-Akamai-Session-Info: name=AKA_PM_BASEDIR; value=
< X-Akamai-Session-Info: name=AKA_PM_CACHEABLE_OBJECT; value=false
< X-Akamai-Session-Info: name=AKA_PM_FWD_URL; value=/directory
< X-Akamai-Session-Info: name=AKA_PM_NETSTORAGE_ROOT; value=
< X-Akamai-Session-Info: name=AKA_PM_PREFETCH_ON; value=true
< X-Akamai-Session-Info: name=AKA_PM_RUM_ENABLED; value=off
< X-Akamai-Session-Info: name=AKA_PM_SR_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_MAP_PREFIX; value=ch2
< X-Akamai-Session-Info: name=ANS_PEARL_VERSION; value=0.9.0
< X-Akamai-Session-Info: name=ENABLE_SD_POC; value=yes
< X-Akamai-Session-Info: name=FASTTCP_RENO_FALLBACK_DISABLE_OPTOUT; value=on
< X-Akamai-Session-Info: name=HEADER_NAMES; value=Host%3aUser-Agent%3aAccept%3aPragma; full_location_id=
< X-Akamai-Session-Info: name=OVERRIDE_HTTPS_IE_CACHE_BUST; value=all
< X-Akamai-Session-Info: name=PMUSER_IP_HASH; value=134
< X-Akamai-Session-Info: name=SEC_CLIENT_IP_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=SEC_XFF_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=TAP_GUID; value=
< X-Akamai-Session-Info: name=TAP_KEY_ID; value=
< X-Akamai-Session-Info: name=TCP_OPT_APPLIED; value=medium
< X-Serial: 14990
< X-Akamai-SSL-Client-Sid: z2vErG3ky6A4yfOupzaNsg==
< Connection: keep-alive
< X-Cache-Remote: TCP_MISS from a2-16-218-45.deploy.akamaitechnologies.com (AkamaiGHost/9.6.2.0.1-25325260) (-)
< 
{
  "179BYtRYg2o": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Curl_http_done: called premature == 0
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

$ curl -4 -vv -H "Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace" http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== > temp.rsp; openssl ocsp -noverify -text -respin temp.rsp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 95.101.90.129...
* TCP_NODELAY set
* Connected to ocsp.int-x3.letsencrypt.org (95.101.90.129) port 80 (#0)
> GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== HTTP/1.1
> Host: ocsp.int-x3.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
> Pragma: akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/ocsp-response
< Content-Length: 546
< ETag: "77C13CDA86BF5ECF1D503E47E077741FF26C1DFF3598FFCE72024FBFED567B4C"
< Last-Modified: Thu, 23 Mar 2017 21:00:00 UTC
< X-Akamai-Request-ID: ed65f2.95cd075
< Cache-Control: public, no-transform, must-revalidate, max-age=0
< Expires: Wed, 03 Apr 2019 07:24:46 GMT
< Date: Wed, 03 Apr 2019 07:24:46 GMT
< X-Cache: TCP_MISS from a95-101-90-125.deploy.akamaitechnologies.com (AkamaiGHost/9.6.0-24900238) (-)
< X-Cache-Key: /L/771/395065/12h/ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow==
< X-Cache-Key-Extended-Internal-Use-Only: /L/771/395065/12h/ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== vcd=10106
< X-True-Cache-Key: /L/ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgPYg2OnU8zW/5sZNqzzGwN4Ow== vcd=10106
< X-Akamai-Session-Info: name=AKA_PM_BASEDIR; value=
< X-Akamai-Session-Info: name=AKA_PM_BYPASS_MODIFY_PATH; value=true
< X-Akamai-Session-Info: name=AKA_PM_CACHEABLE_OBJECT; value=true
< X-Akamai-Session-Info: name=AKA_PM_NETSTORAGE_ROOT; value=
< X-Akamai-Session-Info: name=AKA_PM_PREFETCH_ON; value=true
< X-Akamai-Session-Info: name=AKA_PM_RUM_ENABLED; value=off
< X-Akamai-Session-Info: name=AKA_PM_SR_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_ENABLED; value=false
< X-Akamai-Session-Info: name=AKA_PM_TD_MAP_PREFIX; value=ch2
< X-Akamai-Session-Info: name=ANS_PEARL_VERSION; value=0.9.0
< X-Akamai-Session-Info: name=ENABLE_SD_POC; value=yes
< X-Akamai-Session-Info: name=FASTTCP_RENO_FALLBACK_DISABLE_OPTOUT; value=on
< X-Akamai-Session-Info: name=HEADER_NAMES; value=Host%3aUser-Agent%3aAccept%3aPragma; full_location_id=
< X-Akamai-Session-Info: name=OVERRIDE_HTTPS_IE_CACHE_BUST; value=all
< X-Akamai-Session-Info: name=SEC_CLIENT_IP_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=SEC_XFF_ASNUM_MASK_SIZE; value=64
< X-Akamai-Session-Info: name=TAP_GUID; value=
< X-Akamai-Session-Info: name=TAP_KEY_ID; value=
< X-Akamai-Session-Info: name=TCP_OPT_APPLIED; value=medium
< X-Serial: 771
< Connection: keep-alive
< X-Cache-Remote: TCP_MISS from a2-16-217-126.deploy.akamaitechnologies.com (AkamaiGHost/9.6.0-24900238) (-)
< X-Check-Cacheable: YES
< 
{ [546 bytes data]
* Curl_http_done: called premature == 0
100   546  100   546    0     0   2429      0 --:--:-- --:--:-- --:--:--  2437
* Connection #0 to host ocsp.int-x3.letsencrypt.org left intact
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Mar 23 21:14:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03D88363A753CCD6FF9B1936ACF31B03783B
    Cert Status: revoked
    Revocation Time: Dec 22 22:07:11 2016 GMT
    This Update: Mar 23 21:00:00 2017 GMT
    Next Update: Mar 30 21:00:00 2017 GMT

    Signature Algorithm: sha256WithRSAEncryption

Akamai stated that they have not seen anything abnormal on connections to edge servers from either of your monitoring locations. They believe it may be your local ISPs at fault since the issue is transient. To help prove if it’s Akamai or the local ISP, can you provide mtr and the curl with pragma headers when you notice issuance/OCSP checking failures? I apologize for this being a hassle.
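Because the failure is transient, the mtr and curl output requested above has to be captured at the moment the OCSP query fails. The wrapper below is an added example, not part of the original thread or of check_ssl_cert: it reuses the openssl command and Pragma values posted earlier; the evidence directory, the function names, the `-timeout 10` option and the request to the responder root are assumptions.

```shell
#!/bin/sh
# Added example: keep the plugin's OCSP query, but save mtr and curl output on failure.
OCSP_HOST="ocsp.int-x3.letsencrypt.org"          # responder from this thread
OUT_BASE="${OUT_BASE:-/var/tmp/ocsp-evidence}"   # assumed evidence directory
# Akamai debug Pragma values, copied from the curl command in the thread.
PRAGMA="akamai-x-get-cache-key, akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-get-true-cache-key, akamai-x-get-extracted-values, akamai-x-check-cacheable, akamai-x-get-request-id, akamai-x-serial-no, akamai-x-get-ssl-client-session-id, akamai-x-feo-trace"

# Map openssl's error text to a coarse failure class (substring match only).
classify_failure() {
    case "$1" in
        *"Network is unreachable"*)        echo "net-unreachable" ;;
        *"Connection refused"*)            echo "refused" ;;
        *[Tt]imeout*|*"timed out"*)        echo "timeout" ;;
        *"Error querying OCSP responder"*) echo "responder-error" ;;
        *)                                 echo "unknown" ;;
    esac
}

# Record path and edge diagnostics while the failure is still happening.
capture_evidence() {    # $1 = failure class, $2 = openssl output
    dir="$OUT_BASE/$(date -u +%Y%m%dT%H%M%SZ)-$1"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$2" > "$dir/openssl.txt"
    mtr -4 --report --report-cycles 10 --no-dns "$OCSP_HOST" > "$dir/mtr.txt" 2>&1
    # -v output includes the edge IP tried and any Akamai debug headers returned.
    curl -4 -sv --max-time 15 -o /dev/null -H "Pragma: $PRAGMA" \
        "http://$OCSP_HOST/" > "$dir/curl.txt" 2>&1
    echo "$dir"
}

run_check() {           # $1 = issuer PEM, $2 = certificate PEM
    if out=$(openssl ocsp -no_nonce -timeout 10 -issuer "$1" -cert "$2" \
            -url "http://$OCSP_HOST" -header HOST="$OCSP_HOST" 2>&1); then
        echo "OCSP OK"
        return 0
    fi
    class=$(classify_failure "$out")
    echo "OCSP CRITICAL ($class), evidence: $(capture_evidence "$class" "$out")"
    return 2            # Nagios CRITICAL
}

# Run only when called with issuer and certificate paths.
if [ $# -eq 2 ]; then
    run_check "$1" "$2"
fi
```

Each failure leaves a timestamped directory containing `openssl.txt`, `mtr.txt` and `curl.txt`, which can be attached to a reply as-is.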
