Still seeing intermittent OCSP errors

Hi,

In the aftermath of today's OCSP issues, I'm still experiencing intermittent problems as of 04:00 UTC August 24th. I'm not able to reproduce this on demand; some sites will load fine once or twice, then a few minutes later they won't load, with Firefox 61.0.1 giving me the following error:

Secure Connection Failed

An error occurred during a connection to certbot.eff.org. The OCSP server has refused this request as unauthorized. Error code: SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

I'm seeing this on a variety of sites e.g. wreg.com, the certbot client site at certbot.eff.org, and several of my own domains. The certificates all seem good, but it looks like the OCSP server is still generating occasional false "unauthorized" responses. If I set Firefox's preference security.OCSP.require to false, I can bypass the errors, but I prefer to keep this setting turned on.

Looking at my DNS logs, my browser is making its OCSP requests to ocsp.int-x3.letsencrypt.org, which CNAMEs to a771.dscq.akamai.net, which from my location has two A records, 165.254.107.111 and 165.254.107.242. Are there any known ongoing issues with these servers?

I’m still seeing those errors from Germany, too.
My nginx logs:

2018/08/24 08:15:09 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:12 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:14 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:39 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:47 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:54 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

Ping @lestaff for investigation for these OCSP errors still happening

I asked our operations team to investigate.

@user-373fb5562d @mastercool To clarify: are you still seeing these unauthorized responses? I’m not able to reproduce locally and I suspect the problem may be caching at the CDN layer localized to some regions.

Thanks for checking into this! So far so good this morning, I haven’t encountered the error again.

Great - I suspect the incorrect unauthorized responses expired from the cache. Your initial post was almost exactly 12 hours ago and that's the cache lifetime for the OCSP responses at the CDN edge :)

Thanks for your patience with this incident and its aftermath.
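
For operators triaging the same symptom, an added example (not part of the original thread and not Let's Encrypt's or nginx's code): it reads the responseStatus from a raw DER OCSP response and summarises the nginx stapling errors quoted above per responder. The function names and the sample bytes are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# OCSPResponseStatus values defined in RFC 6960 (4 is not used).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def ocsp_response_status(der: bytes) -> str:
    """Return the responseStatus name of a DER-encoded OCSPResponse.

    OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
                                responseBytes [0] EXPLICIT OPTIONAL }
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Skip the SEQUENCE length octets (short form or long form).
    i = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    if len(der) < i + 3 or der[i:i + 2] != b"\x0a\x01":
        raise ValueError("responseStatus ENUMERATED not found")
    return OCSP_STATUS.get(der[i + 2], f"unknown({der[i + 2]})")

# Matches the nginx stapling error format quoted in the thread.
NGINX_OCSP = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?"
    r"OCSP response not successful \((\d+): \w+\).*?responder: ([^\s,]+)")

def summarize(log_text: str) -> dict:
    """Count failed OCSP fetches per (responder, status) with first/last time."""
    counts, seen = Counter(), []
    for line in log_text.splitlines():
        m = NGINX_OCSP.match(line)
        if m:
            seen.append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
            status = OCSP_STATUS.get(int(m.group(2)), "unknown")
            counts[(m.group(3), status)] += 1
    return {"counts": dict(counts), "first": min(seen, default=None),
            "last": max(seen, default=None)}

# Two lines copied from the thread plus one constructed, unrelated line.
SAMPLE_LOG = """\
2018/08/24 08:15:09 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:54 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:16:00 [error] 12948#12948: constructed unrelated error line
"""

if __name__ == "__main__":
    print(ocsp_response_status(bytes.fromhex("30030a0106")))  # bare error reply
    print(summarize(SAMPLE_LOG))
```

Tracking the first and last timestamp per responder makes it easy to compare the failure window against the 12-hour edge cache lifetime mentioned above.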
