No OSCP stapling for LE certificates

I’m seeing this in my logs for some of the certificates I have requested from LetsEncrypt

2017/03/10 11:51:51 [WARNING] Stapling OCSP: no OCSP stapling for []: ocsp: error from server: unauthorized

Oddly, I did successfully get staples for a bunch of other certificates requested at about the same time:

This is probably because LE issues certificates before their OCSP response is ready. :frowning2:

It’s only a matter of a few seconds (usually, although that can’t be guaranteed) and I think I heard they want to fix that soon, so it might start going away. There’s a TODO in the Caddy code to handle this situation, but frankly I think this is a bug in the CAs, and handling it properly makes things complicated, and adds seconds before your site can be served.

Anyway, the next time OCSP staples are fetched (a few hours), it should be good to go, unless their CDN cached the error response…

Aah, that makes sense. I did find your chat with with LE about it after I posted the question. I’ll just ignore them for now.

I’m in the process of working out which of the process log messages I need to monitor for as warnings of Things Going Bad.

Basically any ACME errors… those are cert obtain and renewal errors. Or errors when reloading.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.