certbot: OCSP check failed

Dave Cottlehuber dch at skunkwerks.at
Fri Jan 18 23:58:16 UTC 2019

On Fri, 18 Jan 2019, at 01:23, Matthew Seaman wrote:
> On 17/01/2019 18:05, Paul Macdonald via freebsd-questions wrote:
> > i'm seeing this for all certs on several boxes ( that are online!)
> > 
> > mostly posting in case someone knows who to notify/where to check
> > (@Matthew?)
> > 
> > OCSP check failed for /usr/local/etc/letsencrypt/live/<domain>/cert.pem
> > (are we offline?)
> OCSP checking relies on making a web query to one of the CA's servers.
> It could be that site was temporarily offline or somehow inaccessible to
> you.  That's where I'd start looking to debug this.

OCSP is (at least in my circle of acquaintances) notoriously flakey in
providing updates.

I've switched to twice weekly updates with a wrapper around the
checks to re-try if upstream cert provider is incapable of serving us.

You can use this to check your OCSP validity:

      curl -4sSLo /dev/null --cert-status https://example.org/

I have found https://github.com/h2o/h2o/blob/master/share/h2o/fetch-ocsp-response
(www/h2o is in ports) very useful to handle the fetching, it may suit your needs
if your current tools do not.


More information about the freebsd-questions mailing list