Lua-resty-auto-ssl: OCSP response not successful (6: unauthorized)

Created on 22 Jul 2020  ·  8 Comments  ·  Source: auto-ssl/lua-resty-auto-ssl

Over the last few days I've been encountering the following error:

[lua] ssl_certificate.lua:260: set_response_cert(): auto-ssl: failed to set ocsp stapling for **xxx** - continuing anyway - failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org): OCSP response not successful (6: unauthorized), context: ssl_certificate_by_lua*, client: 37.233.4.76, server: 0.0.0.0:443

It looks like it's caused when a certificate expires, and so we're unable to use OCSP stapling, but I'm unsure why it is not renewed correctly in the first place.

nginx version: openresty/1.17.8.2
   0.13.1-1 (installed) - /usr/local/lib/luarocks/rocks

lua-resty-http
   0.15-0 (installed) - /usr/local/lib/luarocks/rocks

For now I'm able to resolve it by doing the following:

  1. Deleting the cert in redis
  2. Deleting the local copy (/etc/resty-auto-ssl/letsencrypt/certs)
  3. Restarting openresty

Does anyone have any guidance into what could be the issue?
Alternatively, would it be possible to disable OCSP stapling entirely?

Edit: renew_check_interval is also not set, so it should have the default value of one day.

All 8 comments

If it helps anyone I ended up just writing a script which deletes certs from redis 3 days before they expire.

Same issue here. I don't know why some domain renewals failed and others didn't.
Anyway, thanks @ronaldgrn for the solution!

@ronaldgrn I'm experiencing a similar issue with only a few domains not renewing; it's very strange behaviour as it has been working perfectly for the last year.

Would like to add a similar script as a safety precaution. Would you mind explaining/sharing how your script deletes the certs by date in Redis?

Many Thanks

Hey @phil118 you can check out the following python script https://gist.github.com/ronaldgrn/f1a99fde2f380c7d94233466aa88d8fd

It deletes certs 3 days before they expire.
As a precaution, the script stops if it detects more than 25 expired or near-expired certs on a single run - you may want to edit that to suit your needs.
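The comments above describe the workaround (delete the stored cert a few days before it expires, with a cap on how many certs one run may touch) but the gist itself is not on this page. The following is an added example written for this thread, not the gist's code and not part of lua-resty-auto-ssl. It assumes the redis storage adapter is used with no key prefix, that each certificate sits under the key `<domain>:latest` as a JSON object carrying an `expiry` unix timestamp (check your own keys with `redis-cli --scan --pattern '*:latest'` before trusting that), and that the local dehydrated copy from step 2 of the original post lives in `<local_certs_dir>/<domain>/`. `FakeRedis` is a constructed stand-in so the block runs offline; the real `redis.Redis` client exposes the same three calls. Restarting openresty afterwards, as the comments do, is still a separate step.

```python
"""Delete lua-resty-auto-ssl certificates from redis shortly before they expire.

Added example for this thread, NOT the linked gist and NOT project code.
Assumptions: redis storage adapter without a key prefix; key "<domain>:latest"
holds JSON with an "expiry" unix timestamp; local dehydrated copies live in
<local_certs_dir>/<domain>/.  Verify both against your own deployment.
"""
import json
import shutil
import time
from pathlib import Path
from typing import Dict, List, Optional

DAYS_BEFORE_EXPIRY = 3       # delete this many days before notAfter
MAX_DELETIONS_PER_RUN = 25   # safety cap, as in the gist's description


class FakeRedis:
    """Constructed stand-in for redis.Redis so the example runs offline.
    Only scan_iter/get/delete are used, with the same shapes as redis-py."""

    def __init__(self, data: Dict[str, str]):
        self.data = dict(data)

    def scan_iter(self, match: str = "*"):
        suffix = match.lstrip("*")
        return [k.encode() for k in list(self.data) if k.endswith(suffix)]

    def get(self, key):
        value = self.data.get(key)
        return value.encode() if value is not None else None

    def delete(self, *keys):
        return sum(1 for k in keys if self.data.pop(k, None) is not None)


def find_expiring(client, now=None, days=DAYS_BEFORE_EXPIRY) -> List[str]:
    """Return the domains whose stored cert expires within `days` or already has."""
    now = time.time() if now is None else now
    cutoff = now + days * 86400
    expiring = []
    for key in client.scan_iter(match="*:latest"):
        key = key.decode() if isinstance(key, bytes) else key
        raw = client.get(key)
        if raw is None:
            continue
        try:
            expiry = int(json.loads(raw)["expiry"])
        except (ValueError, KeyError, TypeError):
            # No usable "expiry" field (assumed: entry written by an older
            # release or hand-edited): skip it rather than guess.
            continue
        if expiry <= cutoff:
            expiring.append(key[: -len(":latest")])
    return sorted(expiring)


def purge_expiring(client, local_certs_dir: Optional[Path] = None, now=None,
                   days=DAYS_BEFORE_EXPIRY, max_deletions=MAX_DELETIONS_PER_RUN,
                   dry_run=False) -> List[str]:
    """Delete expiring certs from redis (plus the local dehydrated copy when a
    directory is given) so auto-ssl issues a fresh one on the next request.

    Refuses to touch anything when more than `max_deletions` certs qualify:
    a sudden pile of expiring certs usually means renewal is broken globally,
    and wiping them all would force every site to re-issue at once.
    """
    domains = find_expiring(client, now=now, days=days)
    if len(domains) > max_deletions:
        raise RuntimeError(
            f"{len(domains)} certs expiring, more than {max_deletions}; refusing to continue")
    if dry_run:
        return domains
    for domain in domains:
        client.delete(f"{domain}:latest")
        if local_certs_dir is not None:
            shutil.rmtree(Path(local_certs_dir) / domain, ignore_errors=True)
    return domains


if __name__ == "__main__":
    # Constructed sample data; with the real client use redis.Redis(host=...).
    now = 1_600_000_000
    sample = FakeRedis({
        "soon.example.com:latest": json.dumps({"expiry": now + 86400, "cert_pem": "..."}),
        "fine.example.com:latest": json.dumps({"expiry": now + 30 * 86400, "cert_pem": "..."}),
        "expired.example.com:latest": json.dumps({"expiry": now - 100, "cert_pem": "..."}),
        "soon.example.com:challenge:abc": "token",   # not a cert entry, ignored
    })
    print("would delete:", purge_expiring(sample, now=now, dry_run=True))
```

Run it once with `dry_run=True` against production redis to see the list before letting it delete anything, and keep the cap low: the cap is what stops a broken renewal loop from turning into a mass re-issue.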

@ronaldgrn nice one! Thanks for that. I'm a complete novice at Python, so that's super helpful.

@ronaldgrn Thanks a lot. I have the same problem. To solve this, just run your script in Python 3 and restart openresty.
I have created a project to renew the domains. Same idea as @ronaldgrn: I am trying to write a Node.js script which can restart openresty and renew the expiring domains at the same time.

schedule.scheduleJob('5 0 * * *', function () {
  // create an endpoint in openresty to get the token (exp: /getSecret)
  // get expiring domains from redis
  // use resty-auto-ssl/dehydrated to renew the domain with the token && add a flag restartOpenresty
  // if flag then restart server
});

The issue with the renewing may be solved with https://github.com/auto-ssl/lua-resty-auto-ssl/issues/241#issuecomment-695777480

I had to delete the files in /etc/resty-auto-ssl/storage/file as well to make it work.
