bogous ocsp response not updated - Githubissues

dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water

https://dehydrated.io

MIT License

5.97k stars 717 forks source link

bogous ocsp response not updated #785

Closed bjacke closed 3 years ago

bjacke commented 3 years ago

currently letsencrypt has an issue to deliver the correct oscp response after a certificate was issued. dehydrated returns in such cases:

Updating OCSP stapling file OCSP single response: Certificate ID does not match any certificate or issuer.

if you run dehydrated after that again it does not see, that the ocsp resonse is invalid and should be updated:

OCSP stapling file is still valid (skipping update)

It shoud see that the ocsp response does not match the current certificate and try to fetch a valid resonse instead.

bjacke commented 3 years ago

sorry, it turned out that this was a haproxy ocsp problem here, dehydrated is actually doing everything right here and checks that the ocsp response is the right one.