Revocation status and DNS CAA - OCSP ERROR

Hi there,

I currently have Let’s Encrypt installed on my Ubuntu 16.04 server. I had to reinstall the ssl certificate and edit the conf file in sites-available as the domain changed. The domain is working both with http and https, however, this was generated in the report for www and non-www:

Revocation status:
Validation error
OCSP ERROR: Exception: Connection refused [http://ocsp.int-x3.letsencrypt.org]


DNS CAA
No

Is there anything I should be worried about?

Hi @josefarrugia,

I can't see any outage/issue regarding ocsp in https://letsencrypt.status.io/ and I tested it a few minutes ago and I can check the ocsp response for one of my certs.

Can you connect to http://ocsp.int-x3.letsencrypt.org from that Ubuntu server?

curl -ikL http://ocsp.int-x3.letsencrypt.org

You should see something like this:

$ curl -ikL http://ocsp.int-x3.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Cache-Control: max-age=9369
Expires: Wed, 11 Oct 2017 12:45:44 GMT
Date: Wed, 11 Oct 2017 10:09:35 GMT
Connection: keep-alive

Also, you can check the ocsp response for one of your certs. For example, let's say your domain is domain.tld, so to check it you can do this:

cd /etc/letsencrypt/live/domain.tld/
openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -VAfile chain.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host ocsp.int-x3.letsencrypt.org

If you are using stapling on your web server and it can't connect to the url to check the certs, yes, you could have a problem.

Cheers,
sahsanu
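The check described in the reply above, as an added example that is not part of the original posts: it reads the responder URL from the certificate instead of hard-coding it, then separates "responder unreachable" (the error in the report) from an actual revocation verdict. The function names are hypothetical, the directory layout is the one from the reply, and the matched strings are the messages `openssl ocsp` prints.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Host part of an OCSP responder URL, for the Host header.
ocsp_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[:/].*$||'
}

# Read `openssl ocsp` output on stdin and print one verdict:
# unreachable | unverified | revoked | good | unknown | error
classify_ocsp() {
    out=$(cat)
    case "$out" in
        *"Error connecting BIO"*|*"Error querying OCSP responder"*)
            echo unreachable ;;   # network problem, not a statement about the cert
        *"Response Verify Failure"*)
            echo unverified ;;    # a reply arrived but its signature did not verify
        *": revoked"*) echo revoked ;;
        *": good"*)    echo good ;;
        *": unknown"*) echo unknown ;;
        *)             echo error ;;
    esac
}

# Query the responder named in the certificate itself (AIA extension).
# $1 = directory holding cert.pem and chain.pem,
#      e.g. /etc/letsencrypt/live/domain.tld
check_ocsp() {
    url=$(openssl x509 -in "$1/cert.pem" -noout -ocsp_uri) || return 2
    [ -n "$url" ] || return 2     # certificate carries no OCSP URL
    host=$(ocsp_host "$url")
    # OpenSSL 1.0.x takes "-header Host value"; 1.1.0 and later take "Host=value".
    case "$(openssl version)" in
        "OpenSSL 1.0."*) hdr="Host $host" ;;
        *)               hdr="Host=$host" ;;
    esac
    # $hdr is left unquoted on purpose so the 1.0.x form splits into two words.
    openssl ocsp -no_nonce -issuer "$1/chain.pem" -cert "$1/cert.pem" \
        -VAfile "$1/chain.pem" -url "$url" -header $hdr 2>&1 | classify_ocsp
}

if [ "$#" -gt 0 ]; then
    check_ocsp "$1"
fi
```

Run it on the web server itself: a verdict of `unreachable` there points at outbound filtering or DNS on that host, which is the case that matters when stapling is enabled.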


What is the tool that produced that report?
