What if Let's Encrypt goes down? - OCSP Stapling

Neutralizer · November 8, 2016, 11:12pm

Hello Everyone,

I’ve enabled Online Certificate Status Protocol (OCSP) stapling on my servers and I would like to know what happens when lets encrypt goes down?

I know that SSL will still function but since I have OCSP stapling enabled, it won’t be able to connect to Let’s Encrypt servers to verify my SSL.

Please share your thoughts / experiences

schoen · November 8, 2016, 11:53pm

@Neutralizer, I believe you have it backwards here, at least if you’re talking about a user’s experience visiting your site: OCSP stapling means that the OCSP response data is sent by your server along with the certificate, so that a visitor’s browser doesn’t have to query the Let’s Encrypt OCSP servers to check that your certificate is still valid. In this regard, OCSP stapling should make your site’s availability better, not worse, in case of a Let’s Encrypt outage.

Svavar_Kjarrval · November 9, 2016, 9:55am

Unless the web server seeks the OCSP response when the LE OCSP servers are down. It happened once when all the LE OCSP servers suddenly went into maintenence. Some of the domains had no valid OCSP responses with the certificates and FireFox deemed them invalid for the rest of the maintenence.

tialaramex · November 9, 2016, 3:27pm

This is a misfeature in some server software, unfortunately including (at least by default) the Apache httpd.

What a good server should do is remember the last OCSP Good response it has, even when restarted, and provide that until it expires, meanwhile trying periodically to get a fresher Good response.

Ryan Sleevi wrote about this here: https://gist.github.com/sleevi/5efe9ef98961ecfb4da8

Osiris · November 9, 2016, 6:53pm

Standard revocation checking isn't working, but OCSP Must Staple is a big improvement. Should be the new standard way of revocation checking if you ask me.. But if there's an outage...

Armoured · November 10, 2016, 8:29am

@osiris could you please help me with this site registered under letsencrypt as i am having issue with it.thanks

Armoured · November 10, 2016, 8:30am

Taskmine.club that’s it

Osiris · November 10, 2016, 11:01am

For help with a specific problem, not related to this thread, you should start a new thread, including answering the question template when presented.

Armoured · November 11, 2016, 7:40am

Thank you very much am very grateful

BFeely · November 11, 2016, 11:31am

That would tell me that CAs should ensure their OCSP infrastructure has redundancy and that maintenance never happens on all machines at once.

system · December 11, 2016, 11:31am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
OCSP stapling advantages and disadvantages Issuance Tech	15	17792	June 20, 2017
OCSP responses inconsistent between different OCSP Servers Help	7	3704	November 30, 2016
Ending OCSP Support in 2025 - webserver configuration? Help	6	216	January 9, 2025
Robust OCSP Stapling with Apache httpd Server	1	4995	April 4, 2019
OCSP stapling doesn't reflect revoked certificate Help	18	1084	July 15, 2023

What if Let's Encrypt goes down? - OCSP Stapling

Related topics