Date: Sat, 19 Jan 2019 00:58:13 +0100
From: Dave Cottlehuber <dch@skunkwerks.at>
To: freebsd-questions@freebsd.org
Subject: Re: certbot: OCSP check failed
Message-ID: <1547855893.2361655.1638429920.0BB55387@webmail.messagingengine.com>
In-Reply-To: <6ec8f257-3ca0-38ba-2e07-aaf8f835ad63@FreeBSD.org>
References: <31b9ce5f-4134-ee49-47bf-10af7244d21e@ifdnrg.com> <6ec8f257-3ca0-38ba-2e07-aaf8f835ad63@FreeBSD.org>
On Fri, 18 Jan 2019, at 01:23, Matthew Seaman wrote:
> On 17/01/2019 18:05, Paul Macdonald via freebsd-questions wrote:
> > I'm seeing this for all certs on several boxes (that are online!)
> >
> > mostly posting in case someone knows who to notify/where to check
> > (@Matthew?)
> >
> > OCSP check failed for /usr/local/etc/letsencrypt/live/<domain>/cert.pem
> > (are we offline?)
>
> OCSP checking relies on making a web query to one of the CA's servers.
> It could be that site was temporarily offline or somehow inaccessible to
> you. That's where I'd start looking to debug this.

OCSP is (at least in my circle of acquaintances) notoriously flaky in
providing updates. I've switched to twice weekly updates with a wrapper
around the checks to retry if the upstream cert provider is incapable of
serving us.

You can use this to check your OCSP validity:

    curl -4sSLo /dev/null --cert-status https://example.org/

I have found https://github.com/h2o/h2o/blob/master/share/h2o/fetch-ocsp-response
(www/h2o is in ports) very useful to handle the fetching; it may suit your
needs if your current tools do not.

A+
Dave
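The retry wrapper Dave mentions, written out as an added example (this is not code from the thread, from certbot or from h2o). It wraps the same `curl --cert-status` probe in a bounded retry loop so a transient failure at the CA's responder does not immediately count as a broken certificate. The function names, the attempt count of 3 and the 10-second delay are choices made for this example; the host names are only taken from the command line so the file can be sourced without network access.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# ocsp_check_with_retry MAX_TRIES DELAY CMD [ARGS...]
#   Runs CMD up to MAX_TRIES times, sleeping DELAY seconds between attempts.
#   Returns 0 on the first success, otherwise the exit status of the last attempt.
ocsp_check_with_retry() {
    max_tries=$1
    delay=$2
    shift 2
    attempt=1
    while :; do
        "$@"
        rc=$?
        [ "$rc" -eq 0 ] && return 0
        if [ "$attempt" -ge "$max_tries" ]; then
            return "$rc"
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
}

# check_stapled_ocsp HOST
#   The probe from the thread: curl asks the server for a stapled OCSP response
#   (TLS status_request) and fails the connection if it is missing or not "good".
#   curl reports a bad or missing status as exit code 91 (CURLE_SSL_INVALIDCERTSTATUS);
#   ordinary network errors (DNS, connect, timeout) use their usual curl codes.
check_stapled_ocsp() {
    curl -4sSLo /dev/null --cert-status "https://$1/"
}

# Only probe real hosts when some are given on the command line (assumed usage:
# ./ocsp-check.sh example.org example.net), so sourcing the file is side-effect free.
if [ "$#" -gt 0 ]; then
    for host in "$@"; do
        if ocsp_check_with_retry 3 10 check_stapled_ocsp "$host"; then
            echo "$host: OCSP status OK"
        else
            rc=$?
            echo "$host: OCSP check failed after retries (curl exit $rc)" >&2
        fi
    done
fi
```

Two caveats worth keeping in mind when using this as a monitor: `--cert-status` only validates what the server staples during the handshake, so a clean result says the server's stapled response is current, while a failure may mean the server never enabled stapling rather than that the CA responder is down; and the retry loop treats every non-zero exit the same, which is deliberate here (the thread's concern is a flaky upstream), but a long-running job should log the final curl exit code so a persistent 91 can be told apart from a DNS or connect failure.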