Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: yachats.photos
I ran this command:
acme.sh --issue --domain 'yachats.photos' --dns 'dns_gd' --domain '*.yachats.photos' --dns 'dns_gd' --home '/tmp/acme/Yachats.Photos/' --accountconf '/tmp/acme/Yachats.Photos/accountconf.conf' --force --reloadCmd '/tmp/acme/Yachats.Photos/reloadcmd.sh' --ocsp-must-staple --log-level 3 --log '/tmp/acme/Yachats.Photos/acme_issuecert.log'
It produced this output:
Apr 8 03:16:59 ACME 52465 [Thu Apr 8 03:16:58 PDT 2021] Downloading cert.
Apr 8 03:16:59 ACME 52465 [Thu Apr 8 03:16:58 PDT 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03768a3f8b350590003375dd0f31ae06bc73'
Apr 8 03:16:59 ACME 52465 [Thu Apr 8 03:16:59 PDT 2021] Cert success.
My web server is (include version): Apache 2.4.?
The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS
My hosting provider, if applicable, is: Self Hosted
I can login to a root shell on my machine (yes or no, or I don't know): Yup
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): acme.sh
Got this error loading site after cert renewal today:
Turned off " security.ssl.enable_ocsp_must_staple" in firefox to access site.
Based on this KB article:
https://support.mozilla.org/en-US/questions/1149911
So I suppose my question is Whats going on with OCSP verification?
root:toto ~ >> curl -Iki ocsp.root-x1.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=37233
Expires: Fri, 09 Apr 2021 13:08:50 GMT
Date: Fri, 09 Apr 2021 02:48:17 GMT
Connection: keep-alive
root:toto ~ >> curl -Iki ocsp.int-x3.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=5869
Expires: Fri, 09 Apr 2021 04:29:03 GMT
Date: Fri, 09 Apr 2021 02:51:14 GMT
Connection: keep-alive
root:toto ~ >> curl -Iki ocsp.int-x4.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=35258
Expires: Fri, 09 Apr 2021 12:40:06 GMT
Date: Fri, 09 Apr 2021 02:52:28 GMT
Connection: keep-alive
Ideas?