Over the last few days I've been encountering the following error:
[lua] ssl_certificate.lua:260: set_response_cert(): auto-ssl: failed to set ocsp stapling for **xxx** - continuing anyway - failed to get ocsp response: failed to validate OCSP response (http://ocsp.int-x3.letsencrypt.org): OCSP response not successful (6: unauthorized), context: ssl_certificate_by_lua*, client: 37.233.4.76, server: 0.0.0.0:443
It looks like it's caused when a certificate expires and so we're unable to use OCSP stapling, but I'm unsure why it is not renewed correctly in the first place.
nginx version: openresty/1.17.8.2
0.13.1-1 (installed) - /usr/local/lib/luarocks/rocks
lua-resty-http
0.15-0 (installed) - /usr/local/lib/luarocks/rocks
For now I'm able to resolve by doing the following
Does anyone have any guidance into what could be the issue?
Alternatively, would it be possible to disable OCSP stapling entirely?
Edit: renew_check_interval is also not set, so it should have the default value of one day.
If it helps anyone, I ended up just writing a script which deletes certs from Redis 3 days before they expire.
Same issue here. I don't know why some domain renewals failed and others didn't.
Anyway, thanks @ronaldgrn for the solution!
@ronaldgrn I'm experiencing a similar issue with only a few domains not renewing; it's very strange behaviour as it has been working perfectly for the last year.
Would like to add a similar script as a safety precaution. Would you mind explaining/sharing how your script deletes the certs by date in Redis?
Many Thanks
Hey @phil118 you can check out the following python script https://gist.github.com/ronaldgrn/f1a99fde2f380c7d94233466aa88d8fd
It deletes certs 3 days before they expire.
As a precaution, the script stops if it detects more than 25 expired or near-expired certs on a single run - you may want to edit that to suit your needs.
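An added illustration of the approach described above (this is not ronaldgrn's gist and not part of lua-resty-auto-ssl). It assumes the Redis adapter stores each cert under a `<domain>:latest` key as JSON carrying an `expiry` unix timestamp, and uses an in-memory stand-in for the Redis client (`FakeRedis`) so it runs offline; with redis-py you would pass a client created with `decode_responses=True` instead.

```python
import fnmatch
import json
import time

RENEW_WINDOW = 3 * 24 * 3600   # delete certs that expire within 3 days
MAX_DELETES = 25               # safety stop: abort the run if more are flagged


class ExpiringCertsError(RuntimeError):
    """Raised when more certs are flagged than the safety limit allows."""


def find_expiring(client, now, window=RENEW_WINDOW, limit=MAX_DELETES):
    """Return Redis keys whose stored cert is expired or expires within `window` seconds.
    Assumption: values are JSON objects with an integer `expiry` unix timestamp."""
    found = []
    for key in client.scan_iter(match="*:latest"):
        try:
            expiry = int(json.loads(client.get(key))["expiry"])
        except (TypeError, ValueError, KeyError):
            continue  # unparsable or legacy entry without expiry: leave it alone
        if expiry - now <= window:
            found.append(key)
    if len(found) > limit:
        raise ExpiringCertsError(f"{len(found)} certs flagged, over limit of {limit}")
    return found


def purge_expiring(client, now=None):
    """Delete every flagged key so auto-ssl re-issues on the next request; returns them."""
    keys = find_expiring(client, int(time.time()) if now is None else now)
    for key in keys:
        client.delete(key)
    return keys


class FakeRedis:
    """Minimal in-memory stand-in exposing the three calls the script uses."""
    def __init__(self, data):
        self.data = dict(data)
    def scan_iter(self, match="*"):
        return [k for k in list(self.data) if fnmatch.fnmatch(k, match)]
    def get(self, key):
        return self.data.get(key)
    def delete(self, key):
        self.data.pop(key, None)


NOW = 1_600_000_000  # constructed reference time for the sample data
SAMPLE = {  # constructed entries: one near expiry, one fresh, one without expiry
    "a.example:latest": json.dumps({"fullchain_pem": "...", "expiry": NOW + 2 * 86400}),
    "b.example:latest": json.dumps({"fullchain_pem": "...", "expiry": NOW + 30 * 86400}),
    "c.example:latest": json.dumps({"fullchain_pem": "..."}),
}

if __name__ == "__main__":
    print(purge_expiring(FakeRedis(SAMPLE), NOW))
```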
@ronaldgrn nice one! Thanks for that. I'm a complete novice at Python so that's super helpful.
@ronaldgrn Thx a lot. I have the same problem. To solve this, just run your script in Python 3 and restart openresty.
I have created a project to renew the domain. The same idea as @ronaldgrn: I tried to write a node.js script which can restart openresty and renew the expiring domains at one time.
schedule.scheduleJob('5 0 * * *',{
resty-auto-ssl/dehydrated
to renew the domain with the token && add a flag restartOpenresty

The issue with the renewing may be solved with https://github.com/auto-ssl/lua-resty-auto-ssl/issues/241#issuecomment-695777480
I had to delete the files in /etc/resty-auto-ssl/storage/file as well to make it work.