lua-resty-auto-ssl
OCSP response not successful (6: unauthorized)
Over the last few days I've been encountering the following error:
[lua] ssl_certificate.lua:260: set_response_cert(): auto-ssl: failed to set ocsp stapling for **xxx** - continuing anyway - failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org): OCSP response not successful (6: unauthorized), context: ssl_certificate_by_lua*, client: 37.233.4.76, server: 0.0.0.0:443
It looks like it's caused when a certificate expires, so we're unable to use OCSP stapling, but I'm unsure why it is not renewed correctly in the first place.
nginx version: openresty/1.17.8.2
lua-resty-auto-ssl 0.13.1-1 (installed) - /usr/local/lib/luarocks/rocks
lua-resty-http 0.15-0 (installed) - /usr/local/lib/luarocks/rocks
For now I'm able to resolve it by doing the following:
- Deleting the cert in redis
- Deleting the local copy (/etc/resty-auto-ssl/letsencrypt/certs)
- Restarting openresty
Does anyone have any guidance into what could be the issue? Alternatively, would it be possible to disable OCSP stapling entirely?
Edit: renew_check_interval is also not set, so it should have the default value of one day.
If it helps anyone I ended up just writing a script which deletes certs from redis 3 days before they expire.
Same issue here. I don't know why some domain renewals failed and others didn't. Anyway, thanks @ronaldgrn for the solution!
@ronaldgrn I'm experiencing a similar issue with only a few domains not renewing; it's very strange behaviour, as it has been working perfectly for the last year.
Would like to add a similar script as a safety precaution. Would you mind explaining/sharing how your script deletes the certs by date in Redis?
Many Thanks
Hey @phil118, you can check out the following Python script: https://gist.github.com/ronaldgrn/f1a99fde2f380c7d94233466aa88d8fd
It deletes certs 3 days before they expire. As a precaution, the script stops if it detects more than 25 expired or near-expired certs on a single run - you may want to edit that to suit your needs.
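As an added illustration of the sweep described above (this is not the linked gist's code, which is not reproduced in the thread): a dry-run-capable Python sketch that removes `<domain>:latest` keys whose certificate is within 3 days of expiry and refuses to continue if more than 25 qualify. The key naming and the JSON "expiry" field are assumptions about lua-resty-auto-ssl's Redis layout, and an in-memory stand-in replaces the redis-py client so the example runs offline.

```python
import json

# Assumed layout (not confirmed in the thread): one Redis key per domain, "<domain>:latest",
# holding the JSON blob lua-resty-auto-ssl stores, with "expiry" as a Unix timestamp.
RENEW_BEFORE = 3 * 24 * 3600  # delete 3 days before expiry, as in the thread
MAX_DELETES = 25              # safety stop per run, as in the thread

def select_expiring(entries, now, renew_before=RENEW_BEFORE, max_deletes=MAX_DELETES):
    """Split a {redis_key: raw_json} map into (keys_to_delete, keys_skipped).
    Unparseable values or ones without a numeric "expiry" are skipped, never deleted;
    more than max_deletes hits raises, so a clock fault cannot wipe every certificate.
    """
    to_delete, skipped = [], []
    for key, raw in entries.items():
        try:
            expiry = int(json.loads(raw)["expiry"])
        except (ValueError, KeyError, TypeError):
            skipped.append(key)
            continue
        if expiry - now <= renew_before:
            to_delete.append(key)
    if len(to_delete) > max_deletes:
        raise RuntimeError(f"{len(to_delete)} certs near expiry, limit {max_deletes}; aborting")
    return sorted(to_delete), sorted(skipped)

def sweep(client, now, dry_run=True):
    """Scan "*:latest" keys, pick the expiring ones, delete them unless dry_run."""
    entries = {k: client.get(k) for k in client.scan_iter("*:latest")}
    to_delete, skipped = select_expiring(entries, now)
    if to_delete and not dry_run:
        client.delete(*to_delete)
    return to_delete, skipped

class FakeRedis:
    """In-memory stand-in for the redis-py methods sweep() uses, so this runs offline."""
    def __init__(self, data): self.data = dict(data)
    def scan_iter(self, pattern): return [k for k in self.data if k.endswith(pattern.lstrip("*"))]
    def get(self, key): return self.data[key]
    def delete(self, *keys):
        for k in keys: self.data.pop(k, None)

NOW = 1_600_000_000  # constructed reference time (seconds since the epoch)
SAMPLE = {  # constructed sample values, not real certificates
    "expiring.example:latest": json.dumps({"cert_pem": "...", "expiry": NOW + 2 * 86400}),
    "fresh.example:latest": json.dumps({"cert_pem": "...", "expiry": NOW + 60 * 86400}),
    "already-expired.example:latest": json.dumps({"expiry": NOW - 86400}),
    "legacy.example:latest": json.dumps({"cert_pem": "..."}),  # no expiry field: skipped
    "settings:registered": "unrelated key, not matched by the scan pattern",
}
```

Against a live instance, `sweep(redis.Redis(), int(time.time()))` first shows which keys would go; only then run it with `dry_run=False`, and, as the thread notes, remove the local copies under /etc/resty-auto-ssl and restart OpenResty afterwards.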
@ronaldgrn nice one! Thanks for that. I'm a complete novice at Python so that's super helpful.
@ronaldgrn Thanks a lot. I have the same problem. To solve this, just run your script in Python 3 and restart OpenResty. I have created a project to renew the domains. Same idea as @ronaldgrn: I'm trying to write a Node.js script which can restart OpenResty and renew the expiring domains in one go.
    const schedule = require('node-schedule');
    schedule.scheduleJob('5 0 * * *', function () {
      // - create an endpoint in openresty to get the token (e.g. /getSecret)
      // - get the expiring domains from redis
      // - use resty-auto-ssl/dehydrated to renew the domain with the token && set a flag restartOpenresty
      // - if flag then restart server
    });
The issue with the renewing may be solved with https://github.com/auto-ssl/lua-resty-auto-ssl/issues/241#issuecomment-695777480
I had to delete the files in /etc/resty-auto-ssl/storage/file as well to make it work.