SSL error : OCSP error

dbareket · April 27, 2020, 5:45pm

Hi - I get OCSP error on my domain: https://pandachocolates.com
What can I do to solve it?
Thanks,
Daniel

Osiris · April 27, 2020, 5:58pm

What’s the exact error? I can’t reproduce it.

Also, OCSP seems to be working fine with your certificate:

osiris@erazer ~ $ openssl ocsp -issuer lets-encrypt-x3-cross-signed.pem.txt -cert endleaf.pem -text -url http://ocsp.int-x3.letsencrypt.org
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 034E2AB3D1FBA2B4D12013BF45AA23430BAE
    Request Extensions:
        OCSP Nonce: 
            04107A44BE10FBA159CD4570D40948BE5CB3
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Apr 25 20:45:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 034E2AB3D1FBA2B4D12013BF45AA23430BAE
    Cert Status: good
    This Update: Apr 25 20:00:00 2020 GMT
    Next Update: May  2 20:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         53:d7:a7:c3:4f:6a:22:c2:80:07:b7:ba:51:1d:67:0d:5a:49:
         b3:37:77:fd:0f:3a:f3:72:b7:22:3a:4d:99:37:41:1a:1c:b5:
         f9:e1:64:fb:d9:bd:86:ef:db:61:f9:ab:f8:8c:3b:41:20:44:
         4c:f4:7c:d9:b0:b6:b4:9e:32:89:c8:62:5a:98:e7:62:7f:6d:
         c8:1c:42:e3:22:b1:eb:53:21:d3:47:0d:51:05:7e:76:f8:b1:
         0e:2f:86:69:a8:a4:cf:66:7f:eb:04:4a:11:da:40:71:f5:2a:
         6c:1f:39:d5:25:35:5a:76:77:46:dd:93:a1:d9:70:3d:71:a5:
         0e:f1:db:66:78:8c:7d:eb:ed:57:19:36:c4:d8:48:18:40:8c:
         10:56:8c:26:3d:e9:48:01:64:2c:8d:00:ad:bb:62:73:a5:0c:
         92:4c:6a:a9:78:da:ce:f5:3e:ba:fa:29:71:36:fa:08:72:a4:
         48:97:e5:26:28:31:90:c0:21:89:1c:66:8a:24:1f:a1:d7:b3:
         73:ce:3d:9e:61:12:15:41:98:9f:51:50:dd:ad:94:03:16:0a:
         59:c5:59:1e:f4:76:01:f6:a5:f2:60:5e:e6:8c:e2:6c:6d:11:
         9a:a4:77:21:d9:ca:39:64:e3:f5:0b:54:16:31:31:ff:de:26:
         5d:de:0b:87
WARNING: no nonce in response
Response verify OK
endleaf.pem: good
	This Update: Apr 25 20:00:00 2020 GMT
	Next Update: May  2 20:00:00 2020 GMT
osiris@erazer ~ $

dbareket · April 27, 2020, 6:29pm

OCSP STAPLING ERROR: OCSP response expired on Fri Apr 17 20:00:00 UTC 2020

see https://www.ssllabs.com/ssltest/analyze.html?d=pandachocolates.com

Osiris · April 27, 2020, 6:31pm

That’s a stapling error. So your webserver failed to renew its cached OCSP response from the Let’s Encrypt servers. Look into your webserver error logs and try to find out why that happened.

system · May 27, 2020, 6:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.