In the aftermath of today's OCSP issues, I'm still experiencing intermittent problems as of 04:00 UTC August 24th. I'm not able to reproduce this on demand; some sites will load fine once or twice, then a few minutes later they won't load, with Firefox 61.0.1 giving me the following error:
Secure Connection Failed
An error occurred during a connection to certbot.eff.org. The OCSP server has refused this request as unauthorized. Error code: SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
I'm seeing this on a variety of sites e.g. wreg.com, the certbot client site at certbot.eff.org, and several of my own domains. The certificates all seem good, but it looks like the OCSP server is still generating occasional false "unauthorized" responses. If I set Firefox's preference security.OCSP.require to false, I can bypass the errors, but I prefer to keep this setting turned on.
Looking at my DNS logs, my browser is making its OCSP requests to ocsp.int-x3.letsencrypt.org, which CNAMEs to a771.dscq.akamai.net, which from my location has two A records, 165.254.107.111 and 165.254.107.242. Are there any known ongoing issues with these servers?
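The check below is an added example, not code from the thread or from Let's Encrypt: a small POSIX shell helper that does by hand what the browser was doing, i.e. fetches a site's served chain, asks the OCSP responder named in the leaf certificate, and classifies the answer so that a responder-level error (such as the "unauthorized" response described above) is reported separately from a real "good"/"revoked" certificate status. It assumes the `openssl` and `awk` command-line tools are installed; the responder output strings it matches on are the ones printed by `openssl ocsp`.

```shell
#!/bin/sh
# Added example (not part of the forum thread). Requires openssl and awk.

# ocsp_classify reads `openssl ocsp` output on stdin and prints one word:
#   good | revoked | unknown | responder-error | no-status
# A responder-error (e.g. "Responder Error: unauthorized (6)") means the
# responder refused to answer; it says nothing about the certificate itself.
ocsp_classify() {
  out=$(cat)
  case "$out" in
    *"Responder Error:"*)  echo responder-error ;;
    *"Cert Status: good"*|*": good"*)       echo good ;;
    *"Cert Status: revoked"*|*": revoked"*) echo revoked ;;
    *"Cert Status: unknown"*|*": unknown"*) echo unknown ;;
    *)                      echo no-status ;;
  esac
}

# check_host HOST [PORT]: fetch the served chain, query the OCSP URI from the
# leaf certificate, and print the classification. Returns 1 on setup errors.
check_host() {
  host=$1
  port=${2:-443}
  tmp=$(mktemp -d) || return 1

  # Grab the chain the server sends; -showcerts prints every certificate in PEM.
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null >"$tmp/chain.txt" 2>/dev/null || :

  # Split the chain into cert0.pem (leaf), cert1.pem (issuer), ...
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" (n - 1) ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$tmp/chain.txt"

  if [ ! -s "$tmp/cert1.pem" ]; then
    echo "check_host: no issuer certificate in the served chain" >&2
    rm -rf "$tmp"; return 1
  fi

  uri=$(openssl x509 -in "$tmp/cert0.pem" -noout -ocsp_uri)
  if [ -z "$uri" ]; then
    echo "check_host: leaf certificate carries no OCSP URI" >&2
    rm -rf "$tmp"; return 1
  fi

  # -no_nonce: responders fronted by a CDN serve pre-signed responses and
  # cannot echo a nonce, so requesting one would only produce a warning.
  out=$(openssl ocsp -issuer "$tmp/cert1.pem" -cert "$tmp/cert0.pem" \
          -url "$uri" -no_nonce -resp_text 2>&1)
  rm -rf "$tmp"
  printf '%s\n' "$out" | ocsp_classify
}

# Usage: sh ocsp_check.sh certbot.eff.org
if [ $# -gt 0 ]; then
  check_host "$@"
fi
```

Running it a few times spaced a minute apart, as the original poster did with the browser, shows whether the responder is flipping between `good` and `responder-error`; a defender who scripts this into a monitor should alert on `responder-error` rather than silently retrying, since that is exactly the condition that makes browsers with `security.OCSP.require` enabled refuse the connection.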
@user-373fb5562d @mastercool To clarify: are you still seeing these unauthorized responses? I'm not able to reproduce locally and I suspect the problem may be caching at the CDN layer localized to some regions.
Great - I suspect the incorrect unauthorized responses expired from the cache. Your initial post was almost exactly 12 hours ago, and that's the cache lifetime for the OCSP responses at the CDN edge.
Thanks for your patience with this incident and its aftermath.