auto-ssl / lua-resty-auto-ssl

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let's Encrypt.
MIT License

Failed to set ocsp stapling #168

Open EtreRe opened 5 years ago

EtreRe commented 5 years ago

Hello

We have a domain with an expired certificate that is not being renewed, with this error in the log:

2019/02/15 12:07:32 [error] 18188#18188: *29843 [lua] ssl_certificate.lua:255: set_response_cert(): auto-ssl: failed to set ocsp stapling for insecticide-spray.com - continuing anyway - failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org): OCSP_check_validity() failed, context: ssl_certificate_by_lua*, client: 92.184.96.115, server: 0.0.0.0:443

The only way to force the renewal is to delete the directory of this domain in the certs directory and to restart openresty.

Do you have a solution?

Thank you

fjros commented 5 years ago

One of our customers had this same problem two days ago. After restarting openresty the issue went away.

EtreRe commented 5 years ago

Unfortunately a simple restart doesn't change anything for us

jdppettit commented 5 years ago

@EtreRe did you end up finding a solution here? I believe we are experiencing a similar problem.

velocity-360 commented 5 years ago

We are also experiencing the same issue.

guiwestrup commented 5 years ago

I have the same problem on my server; restarting resolves it, but it's happening even when I'm not awake. haha :/

alisei commented 4 years ago

Did anybody find a solution for this? I have the same problem, and after restarting openresty the issue is still there.

phil118 commented 4 years ago

Anyone had any luck with this as we have the same issue?

Been told by the Let's Encrypt community that

"The OCSP check doesn't work if there are expired certificates (this is new). So to fix change your client usage to skip that OCSP-check"

How would we go about skipping this OCSP check?

fititnt commented 4 years ago

One post that mentions what @phil118 said is this one https://community.letsencrypt.org/t/failed-to-get-ocsp-stapling-no-certificate/106917

fititnt commented 4 years ago

TL;DR:

Steps to work around this issue

  1. Delete all certificates that have expired but are still in your storage.
  2. Force openresty to re-read the storage so it sees there is no certificate to use. One way to do this is to restart openresty.
  3. Test whether it is working.

Here is what worked for me:

In the very specific case where certificates have expired but are still in memory, this error may occur. In my case, I was using the clustered option with the drafted storage adapter (New Consul storage adapter for lua-resty-auto-ssl #203), but I suspect this may happen with other drivers too.

I can confirm that this only happened to certificates that had expired. I just found this bug by accident after fixing blacklisted subdomains. So it is very likely that only a small portion of users is affected by this.

What could be done to let lua-resty-auto-ssl automatically work around this

Since this seems to be the default behavior, lua-resty-auto-ssl ideally should check whether a certificate has already expired and, if so, ignore it.

Alternative: document the issue

One quicker alternative is to document this specific bug.

If the potential fix could, in the worst case, delete valid certificates, then this very specific case may not be worth fixing automatically and may require human intervention. One option could be to make the error message clearer, like "did this certificate expire?"
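A script for steps 1 and 2 of the workaround above, added here as an example and not part of lua-resty-auto-ssl; it assumes the dehydrated-style layout mentioned earlier in the thread (`<certs dir>/<domain>/cert.pem`, one directory per domain) and that the `openssl` command is on the PATH. It goes slightly beyond the workaround by also flagging certificates that will expire within a window, so it can be run on a schedule before the OCSP stapling failure shows up.

```shell
#!/bin/sh
# Added example (not project code). Assumed layout: <certs_dir>/<domain>/cert.pem.
# find_expired_certs CERTS_DIR [WINDOW]: prints each domain directory whose
# certificate is already expired or expires within WINDOW seconds (default 0,
# i.e. only certificates that have already expired).
find_expired_certs() {
    certs_dir="$1"
    window="${2:-0}"
    for pem in "$certs_dir"/*/cert.pem; do
        [ -f "$pem" ] || continue
        # A file openssl cannot parse is reported, not silently treated as expired.
        if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
            echo "unreadable certificate: $pem" >&2
            continue
        fi
        # -checkend exits non-zero when notAfter falls within the window.
        if ! openssl x509 -noout -checkend "$window" -in "$pem" >/dev/null 2>&1; then
            dirname "$pem"
        fi
    done
}

# purge_expired_certs CERTS_DIR: removes the directories of already-expired
# certificates (step 1) and prints how many were removed. Step 2, restarting
# openresty so it drops the cached copy, is left to the operator on purpose.
# Domain directory names contain no whitespace, so plain word splitting is safe.
purge_expired_certs() {
    count=0
    for dir in $(find_expired_certs "$1" 0); do
        rm -rf -- "$dir"
        count=$((count + 1))
    done
    echo "$count"
}
```

Run `find_expired_certs /etc/resty-auto-ssl/letsencrypt/certs` first to see what would be removed, and only then `purge_expired_certs` followed by a restart of openresty.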

jordanade commented 3 months ago

Would love to see some kind of automatic handling of this situation.