Not sure what your sporadic question means, but I called it random for a reason - I don't see how to reproduce it, and I cannot really predict when it happens... I guess between one and three days?
I see it too. Is there anything in the logs (process log, enabled with -log)? OCSP staples are checked hourly for updates, and they are updated if they are about halfway through their validity period. For Let's Encrypt certs, I believe they are valid for about 7 days, so about 3 and a half days through, OCSP is updated. How long do these errors last? Log output would be useful, for sure; also, can you please look at $HOME/.caddy/ocsp and attach the latest relevant staple file(s)?
Hmm, the thing is I have some party people who like to access the sites, so the last few times I restarted Caddy to make it work again and didn't wait until it might start working again on its own...
This time actually a browser refresh worked for me even before you confirmed the problem.
Thanks for the file. I’ll take a look when I have a chance.
Chrome doesn't show errors for OCSP stuff (unless Must Staple is enabled, I think) - Firefox always does, though (which is good). This is the first and only report I've had of this kind of thing. Refreshing the page in the browser hasn't helped for me; the error is still there. Try to leave it like that for a few minutes while I look into it.
Based on following the code path, it probably means the serial number in the OCSP response doesn’t match the serial number on the certificate being presented. Or it could be any of these other conditions it checks. The OCSP response you sent me has this decoding:
It looks like the serial number on the OCSP staple is different from the serial number of the cert being served. One thing I am suspicious of (as a possible bug) is that you have one site configured manually to use a certificate from LE that has all your sites' names in it, plus some of those sites in your Caddyfile configured with automatic HTTPS, where Caddy manages the certificates. It's possible this overlap is causing some confusion. Could you verify for me by removing the manually-specified cert from your Caddyfile and letting Caddy manage all the certificates, then restarting your server? (Also clear the .caddy/ocsp folder just in case.) If the error goes away for at least 1 week, that probably confirms my suspicions.
I've identified a bug in the OCSP maintenance routine, where it does not handle overlapping certificates very well. (It's a bit of an odd case, granted.)
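The two checks discussed above (the staple's serial must equal the served certificate's serial, and a staple is refreshed once it is about halfway through its validity) and the overlapping-certificate problem, as an added Go example. This is not Caddy's code and not the fix in the linked pull request; it assumes a simplified Staple struct filled in by hand (a real implementation would parse the DER response, for example with golang.org/x/crypto/ocsp), uses throwaway self-signed certificates in place of Let's Encrypt ones, and shows one way to keep a manually configured certificate and a managed one that share names from being served each other's staple: key the staple cache on the certificate's fingerprint rather than on the site name. Whether that is how the bug was fixed in Caddy cannot be told from this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Staple holds the fields of an OCSP response that staple maintenance needs.
// Assumption: in real code these come from parsing the DER response.
type Staple struct {
	Serial     *big.Int  // serialNumber from the response's CertID
	ThisUpdate time.Time // start of the response's validity window
	NextUpdate time.Time // end of the response's validity window
}

// NewStaple builds a staple for the given serial valid from thisUpdate for validity.
func NewStaple(serial int64, thisUpdate time.Time, validity time.Duration) *Staple {
	return &Staple{Serial: big.NewInt(serial), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(validity)}
}

// StapleMatchesCert reports whether the serial in the OCSP response equals the
// serial of the certificate being served. A mismatch is what Firefox rejects.
func StapleMatchesCert(s *Staple, cert *x509.Certificate) bool {
	return s != nil && s.Serial != nil && s.Serial.Cmp(cert.SerialNumber) == 0
}

// StapleNeedsRefresh applies the halfway rule: fetch a new response once the
// current one is at least halfway through its validity. A missing staple
// always needs fetching.
func StapleNeedsRefresh(s *Staple, now time.Time) bool {
	if s == nil {
		return true
	}
	halfway := s.ThisUpdate.Add(s.NextUpdate.Sub(s.ThisUpdate) / 2)
	return !now.Before(halfway)
}

// Fingerprint identifies a certificate by the SHA-256 of its DER encoding, so
// two certificates covering the same names still get distinct cache keys.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// StapleCache keys staples by certificate fingerprint, not by site name.
type StapleCache map[string]*Staple

// Store records the staple under the certificate's fingerprint.
func (c StapleCache) Store(cert *x509.Certificate, s *Staple) { c[Fingerprint(cert)] = s }

// Lookup returns the cached staple only if it actually matches cert.
func (c StapleCache) Lookup(cert *x509.Certificate) *Staple {
	s := c[Fingerprint(cert)]
	if !StapleMatchesCert(s, cert) {
		return nil
	}
	return s
}

// SelfSigned makes a throwaway certificate with the given serial and names
// (constructed stand-in for a Let's Encrypt certificate).
func SelfSigned(serial int64, names []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	names := []string{"example.com", "www.example.com"} // constructed sample names
	manual, err := SelfSigned(1001, names)             // the manually configured cert
	if err != nil {
		panic(err)
	}
	managed, err := SelfSigned(1002, names) // the cert Caddy would manage itself
	if err != nil {
		panic(err)
	}
	now := time.Now()
	staple := NewStaple(1001, now, 7*24*time.Hour) // staple fetched for the manual cert

	// Keyed by site name, the managed cert is handed the manual cert's staple.
	byName := map[string]*Staple{"example.com": staple}
	fmt.Println("by name, staple matches managed cert:", StapleMatchesCert(byName["example.com"], managed))

	// Keyed by fingerprint, the managed cert has no staple and gets its own fetched.
	cache := StapleCache{}
	cache.Store(manual, staple)
	fmt.Println("by fingerprint, managed cert needs fetch:", StapleNeedsRefresh(cache.Lookup(managed), now))
	fmt.Println("refresh at 3 days:", StapleNeedsRefresh(staple, now.Add(3*24*time.Hour)))
	fmt.Println("refresh at 4 days:", StapleNeedsRefresh(staple, now.Add(4*24*time.Hour)))
}
```

The name-keyed map reproduces the symptom described above (a staple whose serial does not match the certificate being served); the fingerprint-keyed cache cannot, because a staple is only ever returned for the exact certificate it was stored under and is rechecked against the serial on the way out.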
@tchncs I’ve pushed a fix to a branch and am currently using it to run some of my sites. So far so good. Would you please build it on this branch and see how it works for you? https://github.com/mholt/caddy/pull/1821 And then report back, of course.