certbot: OCSP check failed

Matthew Seaman matthew at FreeBSD.org
Fri Jan 18 00:23:07 UTC 2019


On 17/01/2019 18:05, Paul Macdonald via freebsd-questions wrote:
> I'm seeing this for all certs on several boxes (that are online!)
> 
> mostly posting in case someone knows who to notify/where to check
> (@Matthew?)
> 
> OCSP check failed for /usr/local/etc/letsencrypt/live/<domain>/cert.pem
> (are we offline?)

OCSP checking relies on making a web query to one of the CA's servers.
It could be that site was temporarily offline or somehow inaccessible to
you.  That's where I'd start looking to debug this.

For LetsEncrypt the OCSP site is:

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

as seen in the output of

   % openssl x509 -text -noout -in cert.pem

	Cheers,

	Matthew
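
An added example, not part of the original message: a shell sketch of the debugging path described above, which reads the OCSP responder URI from the certificate and then tests name resolution and the OCSP query separately. The function names (`ocsp_uri_from_text`, `uri_host`, `check_ocsp`) are hypothetical, and it assumes `openssl` and `getent` are on the PATH and that the issuer certificate (certbot's `chain.pem`) is available.

```shell
#!/bin/sh
# Constructed sample input: the AIA block quoted in the message above.
SAMPLE_AIA='            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/'

# Read `openssl x509 -text -noout` output on stdin, print the OCSP URI(s).
ocsp_uri_from_text() {
    sed -n 's/^[[:space:]]*OCSP - URI:[[:space:]]*//p'
}

# Print the host part of a URL (scheme, port and path stripped).
uri_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[/:].*$||'
}

# Hypothetical helper: test each layer the OCSP check depends on and
# report the first that fails. $1 = cert.pem, $2 = issuer cert (chain.pem).
check_ocsp() {
    uri=$(openssl x509 -text -noout -in "$1" | ocsp_uri_from_text | head -n 1)
    if [ -z "$uri" ]; then
        echo "FAIL: no OCSP URI in $1" >&2; return 2
    fi
    host=$(uri_host "$uri")
    echo "responder: $uri"
    # Layer 1: name resolution from this box.
    if ! getent hosts "$host" >/dev/null; then
        echo "FAIL: cannot resolve $host (DNS or resolver problem)" >&2; return 3
    fi
    # Layer 2: the OCSP request itself, over plain HTTP to the responder.
    # -VAfile trusts the issuer cert as the signer of the response, which
    # is an assumption that holds when the issuing CA signs its own responses.
    if ! openssl ocsp -no_nonce -issuer "$2" -cert "$1" \
            -VAfile "$2" -url "$uri"; then
        echo "FAIL: query to $uri failed (firewall, proxy, responder down?)" >&2
        return 4
    fi
}

if [ $# -eq 2 ]; then
    check_ocsp "$1" "$2"
fi
```

Run it as `sh check_ocsp.sh cert.pem chain.pem` from the certificate's `live/<domain>/` directory; the return code tells you which layer failed.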
