Renewal with lua-resty-auto-ssl and dehydrated client


#1

Getting the following error:

2018/06/17 20:10:34 [debug] 16#16: *3 [lua] http.lua:633: send_request():
POST / HTTP/1.1                                                                        
Content-Type: application/ocsp-request                                                             
User-Agent: lua-resty-http/0.12 (Lua) ngx_lua/10011                                               
Content-Length: 85                                                                        
Host: ocsp.int-x3.letsencrypt.org                                                             
                                                                                                                        
                                                                                                                        
2018/06/17 20:10:34 [info] 16#16: *2 SSL_do_handshake() failed (SSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:SSL alert number 45) while SSL handshaking, client: 10.138.0.4, server: 0.0.0.0:443

Visiting ocsp.int-x3.letsencrypt.org yields the attached.


#2

OCSP services are typically not used or made available over HTTPS, because the response they send is already signed by the CA so it cannot be tampered with, and there’s a bit of a chicken-or-egg problem with checking if the certificate of the OCSP server itself has been revoked.

For this reason, the Let’s Encrypt OCSP servers are not made available over HTTPS, and the URL to it embeedded in every certificate uses plain http.

Did you by chance override the OCSP URL in your OpenResty configuration somewhere?

I’m not sure why it would attempt to connect to the OCSP server over HTTPS without being explicitly told to do so. Since it’s never worked there’s no reason for them to default it that way, and the URL in the certificates themselves use HTTP so they can’t get it from there either.


#3

Hey Patches,

Thank you for your response. This configuration had been working for the past year or so and there has not been any recent changes. I am using the default configuration with no overrides. Looks like its getting the url from the cert:

but OCSP_FETCH also defaults to “no” so I am not sure why its even attempting the ocsp fetch. I will continue to look at it further.


#4

The error is coming from OpenResty, not dehydrated, right?

So you’ll be wanting to look at the OpenResty module’s source code instead:

I’m actually not even sure whether the error message:

even has anything to do with OCSP.

alert certificate expired and server: 0.0.0.0:443 would lead me to guess that it’s your own server’s certificate that’s expired (or possibly someone tried to connect with an expired client certificate).

The OCSP debug log is just a red herring and is functioning fine.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.