
Failed to set ocsp stapling

Open EtreRe opened this issue 7 years ago • 10 comments

Hello

We have a domain with an expired certificate that is not renewed, with this error in the log:

2019/02/15 12:07:32 [error] 18188#18188: *29843 [lua] ssl_certificate.lua:255: set_response_cert(): auto-ssl: failed to set ocsp stapling for insecticide-spray.com - continuing anyway - failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org): OCSP_check_validity() failed, context: ssl_certificate_by_lua*, client: 92.184.96.115, server: 0.0.0.0:443

The only solution to force the renewal is to delete the directory of this domain in the certs directory and to restart openresty.

Do you have a solution?

Thank you

EtreRe avatar Feb 15 '19 11:02 EtreRe

One of our customers had this same problem two days ago. After restarting openresty the issue went away.

fjros avatar Feb 15 '19 12:02 fjros

Unfortunately, a simple restart doesn't change anything for us.

EtreRe avatar Feb 15 '19 12:02 EtreRe

@EtreRe did you end up finding a solution here? I believe we are experiencing a similar problem.

jdppettit avatar Apr 09 '19 20:04 jdppettit

We are also experiencing the same issue.

velocity-360 avatar May 26 '19 20:05 velocity-360

I have the same problem on my server; restarting resolves it, but it's happening even when I'm not awake. haha :/

guiwestrup avatar Aug 29 '19 11:08 guiwestrup

Did anybody find a solution for this? I have the same problem, and after restarting openresty the issue is still there.

alisei avatar Nov 20 '19 10:11 alisei

Anyone had any luck with this, as we have the same issue?

Been told by the Let's Encrypt community that

"The OCSP check doesn't work if there are expired certificates (this is new). So to fix, change your client usage to skip that OCSP check"

How would we go about skipping the OCSP check?

phil118 avatar Nov 21 '19 19:11 phil118

One post that mentions what @phil118 said is this one https://community.letsencrypt.org/t/failed-to-get-ocsp-stapling-no-certificate/106917

fititnt avatar May 02 '20 03:05 fititnt

TL;DR:

Steps to work around this issue

  1. For all certificates that have expired and are still in your storage, delete them.
  2. Force openresty to re-read the storage so it sees that there is no certificate to use. One way to do this is to restart openresty.
  3. Test if it is working.

Here is what worked for me:

In the very specific case that certificates have expired and are still in memory, this error may occur. In my case, I was using the clustered option with the drafted storage adapter (New Consul storage adapter for lua-resty-auto-ssl #203), but I suspect that this may happen with other drivers.

I can confirm that this only happened to certificates that had expired. I just found this bug by accident after fixing blacklisted subdomains, so it is very likely that only a small portion of users may be affected by this.

What could be done to let lua-resty-auto-ssl automatically work around this

Since this seems to be default behavior, lua-resty-auto-ssl ideally should check whether a certificate has already expired and, if so, ignore it.

Alternative: document the issue

One quicker alternative is to document this specific bug.

If the potential fix could, in the worst-case scenario, delete valid certificates, the very specific case when this happens may not be worth fixing and may require human intervention. One option could be to make the error message clearer, like "did this certificate expire?"

fititnt avatar May 02 '20 04:05 fititnt