What if Let's Encrypt goes down? - OCSP Stapling


#1

Hello Everyone,

I’ve enabled Online Certificate Status Protocol (OCSP) stapling on my servers and I would like to know what happens when Let’s Encrypt goes down?

I know that SSL will still function but since I have OCSP stapling enabled, it won’t be able to connect to Let’s Encrypt servers to verify my SSL.

Please share your thoughts / experiences


#2

@Neutralizer, I believe you have it backwards here, at least if you’re talking about a user’s experience visiting your site: OCSP stapling means that the OCSP response data is sent by your server along with the certificate, so that a visitor’s browser doesn’t have to query the Let’s Encrypt OCSP servers to check that your certificate is still valid. In this regard, OCSP stapling should make your site’s availability better, not worse, in case of a Let’s Encrypt outage.


#4

Unless the web server seeks the OCSP response when the LE OCSP servers are down. It happened once when all the LE OCSP servers suddenly went into maintenance. Some of the domains had no valid OCSP responses with the certificates and Firefox deemed them invalid for the rest of the maintenance.


#5

This is a misfeature in some server software, unfortunately including (at least by default) the Apache httpd.

What a good server should do is remember the last OCSP Good response it has, even when restarted, and provide that until it expires, meanwhile trying periodically to get a fresher Good response.

Ryan Sleevi wrote about this here: https://gist.github.com/sleevi/5efe9ef98961ecfb4da8
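A minimal model of the behaviour described above, added here as an example (it is neither Apache's code nor anything from this thread): responses are plain dicts standing in for parsed OCSP responses, and `fetch` is a constructed stand-in for querying the CA's responder.

```python
import json
import os
import tempfile

class StapleCache:
    # Last Good OCSP response, kept on disk so a restart does not lose it.
    def __init__(self, path, fetch, now):
        self.path, self.fetch, self.now = path, fetch, now
        try:
            with open(path) as f:
                self.cached = json.load(f)   # staple saved by a previous run
        except (OSError, ValueError):
            self.cached = None

    def _valid(self, r):
        return r is not None and r["status"] == "good" and r["next_update"] > self.now()

    def staple(self):
        r = self.cached
        # refresh when nothing valid is cached or half the validity window has passed
        if not self._valid(r) or self.now() >= (r["this_update"] + r["next_update"]) / 2:
            try:
                fresh = self.fetch()
                if self._valid(fresh):       # only a Good, unexpired answer replaces the cache
                    self.cached = fresh
                    with open(self.path, "w") as f:
                        json.dump(fresh, f)
            except OSError:
                pass                         # responder down: keep serving the cached copy
        return self.cached if self._valid(self.cached) else None  # never stale, never an error

def demo_outage(tmpdir=None):
    # Outage-and-restart drill on constructed inputs; returns next_update per staple (None = none sent).
    clock, down = {"t": 1000.0}, {"v": False}
    def fetch():                             # stand-in for an HTTP query to the CA's responder
        if down["v"]:
            raise OSError("responder unreachable")
        return {"status": "good", "this_update": clock["t"], "next_update": clock["t"] + 100}
    path = os.path.join(tmpdir or tempfile.mkdtemp(), "staple.json")
    cache = StapleCache(path, fetch, now=lambda: clock["t"])
    served = [cache.staple()]                          # first fetch succeeds
    down["v"], clock["t"] = True, 1060.0               # outage begins just as a refresh is due
    served.append(cache.staple())                      # cached Good still served
    cache = StapleCache(path, fetch, now=lambda: clock["t"])
    served.append(cache.staple())                      # after restart: loaded from disk
    clock["t"] = 1101.0
    served.append(cache.staple())                      # expired and responder down: no staple
    down["v"] = False
    served.append(cache.staple())                      # responder back: fresh response
    return [r["next_update"] if r else None for r in served]
```

The fourth step is the one Apache gets wrong by default: when the cached response has expired and the responder is unreachable, the server sends no staple at all rather than a responder error.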


#6

Standard revocation checking isn’t working, but OCSP Must Staple is a big improvement. Should be the new standard way of revocation checking if you ask me… But if there’s an outage…


#7

@osiris could you please help me with this site registered under letsencrypt as I am having an issue with it. Thanks


#8

Taskmine.club that’s it


#9

For help with a specific problem, not related to this thread, you should start a new thread, including answering the question template when presented.


#10

Thank you very much, I am very grateful.


#11

That would tell me that CAs should ensure their OCSP infrastructure has redundancy and that maintenance never happens on all machines at once.

