Does OSCP stapling involve calls to the cert authority API?

On my passive Caddy node, I’m seeing lots of OCSP errors, I guess because it can’t validate due to no pingback route. Are constantly-failing OCSP updates going to harm my API rate limit?

2017/05/04 14:42:00 [INFO][] acme: Obtaining bundled SAN certificate
2017/05/04 14:42:01 [INFO][] acme: Could not find solver for: dns-01
2017/05/04 14:42:01 [INFO][] acme: Trying to solve TLS-SNI-01

Also, Caddy is constantly trying to staple certificates that I have supplied, is there any way of stopping that?

2017/05/04 14:42:03 [WARNING] Stapling OCSP: no OCSP stapling for [*]: ocsp: error from server: unauthorized
2017/05/04 14:42:03 [INFO] Successfully loaded TLS assets from /opt/caddy/ssl/static/ and /opt/caddy/ssl/static/

Caddy staples OCSP to every certificate that has the OCSPServer field set. OCSP is checked every hour.

Are you using Let’s Encrypt certs (that you’ve supplied)? What’s your certificates’ OCSP servers?

So the certificate I’m currently testing out is the one from our main site at

I can’t see any OCSPServer field on it, but my CaddyServer still seems to be attempting to staple it.

2017/05/04 11:31:15 [WARNING] Stapling OCSP: no OCSP stapling for [*]: ocsp: error from server: unauthorized

It says there is no stapling, but also that there was a specific “unauthorized” error from some unspecified server. I can’t tell which it is.

Your certificate has an OCSP responder configured:

For some reason your CA’s responder is returning “unauthorized” for your cert.

Aah, I didn’t spot that, thanks. I’m still finding out about OCSP :slight_smile: I’ll have to find out why that’s failing. Maybe it’s something they can resolve.

They say it is expected behaviour on their website, now I just need to find out why ours can’t be validated, even if it does have the value set.

From the Symantec KB:

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.