Still seeing intermittent OCSP errors

user-373fb5562d · August 24, 2018, 4:16am

Hi,

In the aftermath of today's OCSP issues, I'm still experiencing intermittent problems as of 04:00 UTC August 24th. I'm not able to reproduce this on demand; some sites will load fine once or twice, then a few minutes later they won't load, with Firefox 61.0.1 giving me the following error:

Secure Connection Failed

An error occurred during a connection to certbot.eff.org. The OCSP server has refused this request as unauthorized. Error code: SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

Screenshot of this error on certbot.eff.org

I'm seeing this on a variety of sites e.g. wreg.com, the certbot client site at certbot.eff.org, and several of my own domains. The certificates all seem good, but it looks like the OCSP server is still generating occasional false "unauthorized" responses. If I set Firefox's preference security.OCSP.require to false, I can bypass the errors, but I prefer to keep this setting turned on.

Looking at my DNS logs, my browser is making its OCSP requests to ocsp.int-x3.letsencrypt.org, which CNAMEs to a771.dscq.akamai.net, which from my location has two A records, 165.254.107.111 and 165.254.107.242. Are there any known ongoing issues with these servers?

mastercool · August 24, 2018, 6:28am

I’m still seeing those errors from germany, too.
My nginx logs:

2018/08/24 08:15:09 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:12 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:14 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:39 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:47 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2018/08/24 08:15:54 [error] 12948#12948: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

tdelmas · August 24, 2018, 8:59am

Ping @lestaff for investigation for these OCSP errors still happening

cpu · August 24, 2018, 1:10pm

I asked our operations team to investigate.

cpu · August 24, 2018, 1:39pm

@user-373fb5562d @mastercool To clarify: are you still seeing these unauthorized responses? I’m not able to reproduce locally and I suspect the problem may be caching at the CDN layer localized to some regions.

user-373fb5562d · August 24, 2018, 4:14pm

Thanks for checking into this! So far so good this morning, I haven’t encountered the error again.

cpu · August 24, 2018, 4:42pm

Great - I suspect the incorrect unauthorized responses expired from the cache. Your initial post was almost exactly 12 hours ago and that's the cache lifetime for the OCSP responses at the CDN edge

Thanks for your patience with this incident and its aftermath.

system · September 23, 2018, 4:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.