certbot: OCSP check failed

Dave Cottlehuber dch at skunkwerks.at
Fri Jan 18 23:58:16 UTC 2019


On Fri, 18 Jan 2019, at 01:23, Matthew Seaman wrote:
> On 17/01/2019 18:05, Paul Macdonald via freebsd-questions wrote:
> > i'm seeing this for all certs on several boxes ( that are online!)
> > 
> > mostly posting in case someone knows who to notify/where to check
> > (@Matthew?)
> > 
> > OCSP check failed for /usr/local/etc/letsencrypt/live/<domain>/cert.pem
> > (are we offline?)
> 
> OCSP checking relies on making a web query to one of the CA's servers.
> It could be that site was temporarily offline or somehow inaccessible to
> you.  That's where I'd start looking to debug this.

OCSP is (at least in my circle of acquaintances) notoriously flaky in
providing updates.

I've switched to twice weekly updates with a wrapper around the
checks to retry if the upstream cert provider is incapable of serving us.

You can use this to check your OCSP validity:

      curl -4sSLo /dev/null --cert-status https://example.org/

I have found https://github.com/h2o/h2o/blob/master/share/h2o/fetch-ocsp-response
(www/h2o is in ports) very useful to handle the fetching; it may suit your needs
if your current tools do not.

A+
Dave
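The retry wrapper Dave describes, written out as an added example (it is not taken from the thread, from certbot or from h2o's fetch-ocsp-response). It pulls the responder URL out of the certificate's AIA extension with openssl, asks the responder for a signed OCSP response, retries with exponential backoff when the CA is unreachable, and keeps the curl stapling check quoted above as a separate end-to-end test. The certbot live-directory layout (cert.pem, chain.pem), the ocsp.der output name and the RETRY_MAX/RETRY_DELAY knobs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread, certbot or h2o: fetch an OCSP response
# for a certbot-managed certificate, retrying when the CA's responder is down.
# Assumed layout: /usr/local/etc/letsencrypt/live/<domain>/{cert,chain}.pem
# Assumed knobs: RETRY_MAX (attempts) and RETRY_DELAY (initial backoff, seconds).

RETRY_MAX=${RETRY_MAX:-5}
RETRY_DELAY=${RETRY_DELAY:-30}

# retry MAX CMD [ARGS...]: run CMD until it succeeds or MAX attempts are used,
# doubling the pause between attempts.  Exit status is the last CMD status.
retry() {
    _max=$1; shift
    _try=1
    _delay=$RETRY_DELAY
    while ! "$@"; do
        if [ "$_try" -ge "$_max" ]; then
            echo "retry: giving up after $_try attempt(s): $*" >&2
            return 1
        fi
        sleep "$_delay"
        _delay=$((_delay * 2))
        _try=$((_try + 1))
    done
    return 0
}

# ocsp_fetch LIVEDIR OUTFILE: ask the responder named in cert.pem's AIA
# extension for a signed response and save it (DER) for stapling.  Fails when
# the responder is unreachable, the signature does not verify against the
# default trust store, or the certificate status is anything but "good".
ocsp_fetch() {
    _live=$1; _out=$2
    _uri=$(openssl x509 -noout -ocsp_uri -in "$_live/cert.pem") || return 1
    if [ -z "$_uri" ]; then
        echo "ocsp_fetch: no OCSP URI in $_live/cert.pem" >&2
        return 1
    fi
    openssl ocsp -issuer "$_live/chain.pem" -cert "$_live/cert.pem" \
        -url "$_uri" -no_nonce -respout "$_out" 2>&1 | grep -q ': good$'
}

# staple_check DOMAIN: the end-to-end check from the message above.  curl asks
# the server to staple its OCSP response and verifies it; needs a curl built
# with cert-status (OCSP stapling) support.
staple_check() {
    curl -4sSLo /dev/null --cert-status "https://$1/"
}

# main DOMAIN [LIVEDIR]: fetch with retries, then tell the operator what to do.
main() {
    _domain=$1
    _livedir=${2:-/usr/local/etc/letsencrypt/live/$_domain}
    retry "$RETRY_MAX" ocsp_fetch "$_livedir" "$_livedir/ocsp.der" || exit 1
    echo "saved $_livedir/ocsp.der; reload the TLS server, then run: staple_check $_domain"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh ocsp-refresh.sh example.org` from cron. The `openssl ocsp` call verifies the responder's signature against the system's default trust store; OpenSSL 1.0.x did not send an HTTP Host header, so on that version the responder's hostname has to be passed with `-header` or the request gets rejected. A wrapper like this only helps when the response it saves is actually loaded by the TLS server, which is what the `staple_check` call is for.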
