Failed to set ocsp stapling #168

Open
EtreRe opened this issue Feb 15, 2019 · 10 comments

Comments

@EtreRe

EtreRe commented Feb 15, 2019

Hello

We have a domain with an expired certificate that is not being renewed, with this error in the log:

2019/02/15 12:07:32 [error] 18188#18188: *29843 [lua] ssl_certificate.lua:255: set_response_cert(): auto-ssl: failed to set ocsp stapling for insecticide-spray.com - continuing anyway - failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org): OCSP_check_validity() failed, context: ssl_certificate_by_lua*, client: 92.184.96.115, server: 0.0.0.0:443

The only way to force the renewal is to delete the directory of this domain in the certs directory and to restart openresty.

Do you have a solution?

Thank you

@fjros

fjros commented Feb 15, 2019

One of our customers had this same problem two days ago. After restarting openresty the issue went away.

@EtreRe

EtreRe commented Feb 15, 2019

Unfortunately, a simple restart doesn't change anything for us.

@jdppettit

@EtreRe did you end up finding a solution here? I believe we are experiencing a similar problem.

@velocity-360

We are also experiencing the same issue.

@guiwestrup

I have the same problem on my server; restarting resolves it, but it's happening even when I'm not awake.
haha :/

@alisei

alisei commented Nov 20, 2019

Did anybody find a solution for this? I have the same problem, and after restarting openresty the issue is still there.

@phil118

phil118 commented Nov 21, 2019

Has anyone had any luck with this, as we have the same issue?

I've been told by the Let's Encrypt community that:

"The OCSP check doesn't work if there are expired certificates (this is new).
So to fix it, change your client usage to skip that OCSP check."

How would we go about this skipping of OCSP-check?

@fititnt

fititnt commented May 2, 2020

One post that mentions what @phil118 said is this one https://community.letsencrypt.org/t/failed-to-get-ocsp-stapling-no-certificate/106917

@fititnt

fititnt commented May 2, 2020

TL;DR:

Steps to work around this issue

  1. For all certificates that have expired and are still in your storage, delete them.
  2. Force openresty to re-read that there is no certificate to use. One way to do this is to restart openresty.
  3. Test if it is working.

Here is what worked for me:

In the very specific case that certificates have expired and are still in memory, this error may occur. In my case, I was using the clustered option with the drafted storage adapter (New Consul storage adapter for lua-resty-auto-ssl #203), but I suspect that this may happen with other drivers.

I can confirm that this only happened with certificates that had expired. I just found this bug by accident after fixing blacklisted subdomains. So it is very likely that just a small portion of the users may be affected by this.

What could be done to let lua-resty-auto-ssl automatically work around this

Since this seems to be the default behavior, lua-resty-auto-ssl ideally should check if a certificate has already expired and, if yes, ignore it.

Alternative: document the issue

One quicker alternative is to document this specific bug.

If the potential fix could, in the worst-case scenario, delete valid certificates, the very specific case when this happens may not be worth fixing and may require human intervention. One option could be to make the error message clearer, like "did this certificate expire?"
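As an added example (not code from this thread and not part of lua-resty-auto-ssl), the following stdlib-only Python script implements steps 1 and 3 of the workaround above, and the expiry check that the comment proposes the library should do itself: it walks a `<cert_dir>/<domain>/cert.pem` layout (assumed to be the per-domain directory layout the first post refers to), reads notAfter directly out of each certificate's DER, lists the directories whose certificate has expired, and deletes them. The directory names, domain names and certificates in it are constructed for the example (the "certificates" are structurally valid but unsigned shells), and the "today" it compares against is fixed so the run is reproducible. Restarting openresty afterwards (step 2) is left to the operator, as in the thread.

```python
# Added example, not code from the thread or lua-resty-auto-ssl: purge expired
# certificates from a <cert_dir>/<domain>/cert.pem layout (assumed layout).
import base64, datetime as dt, os, re, shutil, tempfile

UTC = dt.timezone.utc
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ; RFC 5280 century rule) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def cert_validity(der):
    """Return (notBefore, notAfter) as UTC datetimes. No signature or chain check is done."""
    tag, pos, _ = _tlv(der, 0)                            # Certificate SEQUENCE
    tag2, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    if der[pos] == 0xA0:                                  # optional [0] EXPLICIT version
        _, _, pos = _tlv(der, pos)
    for _ in range(3):                                    # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                            # validity SEQUENCE
    tag, start, pos = _tlv(der, pos)
    not_before = _parse_time(tag, der[start:pos])
    tag, start, pos = _tlv(der, pos)
    return not_before, _parse_time(tag, der[start:pos])

def load_pem_cert(pem_text):
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    return base64.b64decode("".join(_PEM_RE.search(pem_text).group(1).split()))

def find_expired(cert_dir, now=None):
    """Yield (domain_dir, notAfter) for every cert.pem whose notAfter is before now."""
    now = now or dt.datetime.now(UTC)
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name, "cert.pem")
        if os.path.isfile(path):
            with open(path) as fh:
                not_after = cert_validity(load_pem_cert(fh.read()))[1]
            if not_after < now:
                yield os.path.join(cert_dir, name), not_after

def purge_expired(cert_dir, now=None, dry_run=True):
    """Step 1 of the workaround: delete expired per-domain directories; returns affected paths."""
    paths = [p for p, _ in find_expired(cert_dir, now)]
    if not dry_run:
        for p in paths:
            shutil.rmtree(p)
    return paths

def _der(tag, body):
    """Tiny DER encoder (short-form lengths only), used just to build the synthetic sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def make_sample_pem(not_before, not_after):
    """Constructed, unsigned certificate shell (not a real cert) with the given validity window."""
    def utctime(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                 # version v3
        _der(0x02, b"\x01"),                                              # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02")),     # signature: ecdsa-with-SHA256
        _der(0x30, b""),                                                  # issuer (empty Name)
        _der(0x30, utctime(not_before) + utctime(not_after)),             # validity
        _der(0x30, b""), _der(0x30, b"")]))                               # subject, subjectPublicKeyInfo placeholders
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))        # + signatureAlgorithm, signatureValue
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

_d = lambda y, m, d: dt.datetime(y, m, d, tzinfo=UTC)
SAMPLE_NOW = _d(2020, 5, 2)                               # fixed "today" for the sample run
SAMPLE_CERTS = {"expired.example": (_d(2019, 11, 1), _d(2020, 1, 30)),   # made-up domains
                "current.example": (_d(2020, 4, 1), _d(2020, 6, 30))}

def demo():
    """Lay out SAMPLE_CERTS in a temp dir, list and purge the expired one, report what is left."""
    with tempfile.TemporaryDirectory(prefix="auto-ssl-certs-") as root:
        for domain, (nb, na) in SAMPLE_CERTS.items():
            os.makedirs(os.path.join(root, domain))
            with open(os.path.join(root, domain, "cert.pem"), "w") as fh:
                fh.write(make_sample_pem(nb, na))
        expired = [os.path.basename(p) for p in purge_expired(root, SAMPLE_NOW)]              # dry run
        removed = [os.path.basename(p) for p in purge_expired(root, SAMPLE_NOW, dry_run=False)]
        return {"expired": expired, "removed": removed, "remaining": sorted(os.listdir(root))}
```

`demo()` builds the sample tree, lists the expired entry in dry-run mode, then deletes it and reports that only the still-valid domain remains. Against a real directory, call `purge_expired("/path/to/certs")` first to see what would go, then again with `dry_run=False`, and only then restart openresty. Note that this only touches files on disk: a certificate that lua-resty-auto-ssl has already loaded into memory or into a storage adapter (the Consul adapter in the case above) is not cleared by deleting the file, which is why the restart in step 2 is still needed.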

@jordanade

Would love to see some kind of automatic handling of this situation.


9 participants