OCSP check failed for /xxx/cert1.pem (are we offline?)

现象

certbot renew时出现类似的错误:
OCSP check failed for /xxx/cert1.pem (are we offline?)

原因

经搜索原因:原因是 ocsp.int-x3.letsencrypt.org 的 cname 域名 a771.dscq.akamai.net 受到了干扰。
可以采用本地修改hosts的方案进行临时处理,在/etc/hosts中添加

23.32.3.72     ocsp.int-x3.letsencrypt.org

验证

# openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/xxx/chain1.pem -cert /etc/letsencrypt/archive/xxx/cert1.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/archive/xxx/chain1.pem -verify_other /etc/letsencrypt/archive/xxx/chain1.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org
Response verify OK
/etc/letsencrypt/archive/www.itranscloud.com/cert1.pem: good
    This Update: May 14 10:00:00 2020 GMT
    Next Update: May 21 10:00:00 2020 GMT

添加后,在重试 certbot renew,ok,正常

ref:https://holmesian.org/letsencrypt-ocsp-fix

发表评论

电子邮件地址不会被公开。 必填项已用*标注