Date: Sat, 19 Jan 2019 00:58:13 +0100
From: Dave Cottlehuber <dch@skunkwerks.at>
To: freebsd-questions@freebsd.org
Subject: Re: certbot: OCSP check failed
Message-ID: <1547855893.2361655.1638429920.0BB55387@webmail.messagingengine.com>
In-Reply-To: <6ec8f257-3ca0-38ba-2e07-aaf8f835ad63@FreeBSD.org>
References: <31b9ce5f-4134-ee49-47bf-10af7244d21e@ifdnrg.com> <6ec8f257-3ca0-38ba-2e07-aaf8f835ad63@FreeBSD.org>
On Fri, 18 Jan 2019, at 01:23, Matthew Seaman wrote:
> On 17/01/2019 18:05, Paul Macdonald via freebsd-questions wrote:
> > I'm seeing this for all certs on several boxes (that are online!)
> >
> > mostly posting in case someone knows who to notify/where to check
> > (@Matthew?)
> >
> > OCSP check failed for /usr/local/etc/letsencrypt/live/<domain>/cert.pem
> > (are we offline?)
>
> OCSP checking relies on making a web query to one of the CA's servers.
> It could be that site was temporarily offline or somehow inaccessible to
> you. That's where I'd start looking to debug this.
OCSP is (at least in my circle of acquaintances) notoriously flaky in
providing updates.
I've switched to twice weekly updates with a wrapper around the
checks to retry if the upstream cert provider is incapable of serving us.
You can use this to check your OCSP validity:
curl -4sSLo /dev/null --cert-status https://example.org/
I have found https://github.com/h2o/h2o/blob/master/share/h2o/fetch-ocsp-response
(www/h2o is in ports) very useful to handle the fetching; it may suit your needs
if your current tools do not.
A+
Dave
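An added example, not code from Dave's mail or from the h2o project: a POSIX sh wrapper in the spirit of the retry-on-failure cron job described above. It assumes openssl(1) is installed and the certbot live/ layout quoted in the thread (cert.pem and chain.pem under /usr/local/etc/letsencrypt/live/<domain>/); the function names, the attempt counts and the flaky_responder stand-in are all assumptions, and the stand-in exists only so the retry logic can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original mail): fetch an OCSP response for
# stapling, retrying when the upstream responder is unreachable, and keep
# the response only when openssl verifies it and reports the cert "good".
# Assumes openssl(1) and the certbot layout <live_dir>/{cert,chain}.pem.

# retry MAX DELAY CMD...: run CMD until it succeeds, at most MAX times,
# sleeping DELAY seconds between attempts. Returns 0 on success, 1 otherwise.
retry() {
    r_max=$1; r_delay=$2; shift 2
    r_attempt=1
    while :; do
        if "$@"; then
            return 0
        fi
        if [ "$r_attempt" -ge "$r_max" ]; then
            return 1
        fi
        echo "attempt $r_attempt of $r_max failed; retrying in ${r_delay}s" >&2
        r_attempt=$((r_attempt + 1))
        sleep "$r_delay"
    done
}

# fetch_ocsp LIVE_DIR OUT: query the responder named in the certificate's
# AIA extension and write the DER response to OUT for the web server to
# staple. Fails (so the caller retries) on transport errors, on a response
# that does not verify, or on any status other than "good".
fetch_ocsp() {
    f_dir=$1; f_out=$2
    f_uri=$(openssl x509 -in "$f_dir/cert.pem" -noout -ocsp_uri)
    if [ -z "$f_uri" ]; then
        echo "no OCSP responder URI in $f_dir/cert.pem" >&2
        return 2
    fi
    # -issuer also lets openssl trust the intermediate as the response
    # signer; -no_nonce because Let's Encrypt serves pre-signed responses
    # and will not echo a nonce back.
    f_res=$(openssl ocsp -issuer "$f_dir/chain.pem" -cert "$f_dir/cert.pem" \
                -url "$f_uri" -no_nonce -respout "$f_out.tmp" 2>&1) || {
        rm -f "$f_out.tmp"; return 1; }
    # openssl ocsp exits 0 even for "revoked", so inspect the summary text.
    if printf '%s\n' "$f_res" | grep -q '^Response verify OK$' &&
       printf '%s\n' "$f_res" | grep -q ': good$'; then
        mv "$f_out.tmp" "$f_out"
        return 0
    fi
    echo "$f_res" >&2
    rm -f "$f_out.tmp"
    return 1
}

# Constructed stand-in for an unreliable responder: fails on the first two
# calls, succeeds from the third on. Used only to exercise retry offline.
flaky_calls=0
flaky_responder() {
    flaky_calls=$((flaky_calls + 1))
    [ "$flaky_calls" -ge 3 ]
}

# Usage from a twice-weekly cron job:
#   ocsp-refresh.sh /usr/local/etc/letsencrypt/live/<domain> /var/db/ocsp/<domain>.der
# Five attempts, thirty seconds apart, before giving up for this run.
if [ $# -eq 2 ]; then
    retry 5 30 fetch_ocsp "$1" "$2"
fi
```

Point the web server's stapling directive at the output file; the `curl --cert-status` check quoted in the mail then confirms that the staple actually served is the fresh one, which is the check that matters to clients.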
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1547855893.2361655.1638429920.0BB55387>
