
What's the typical validity period for OCSP responses with Let's Encrypt? Shouldn't the stapled responses continue working for at least a couple hours even after Let's Encrypt goes down?


1 week, so most servers likely won't be affected unless the outage goes on for a really long time.


Not sure how this works.

I have OCSP stapling turned on in Apache and Firefox wouldn't load my page when Let's Encrypt OCSP servers went down.

My monitoring shows that last stapled response had 4 days of validity left. So it seems that Apache immediately threw away cached OCSP responses.


Yeah, seems like Apache handles OCSP server outages pretty poorly. See: https://news.ycombinator.com/item?id=14375334
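For readers who want to reproduce or avoid the Apache behaviour described in the comments above, here is an added configuration example (not posted by anyone in this thread, and not taken from the linked discussion). It uses Apache httpd 2.4 mod_ssl stapling directives; the hostname, certificate paths and cache path are placeholders. The relevant detail is that mod_ssl expires a cached OCSP response after SSLStaplingStandardCacheTimeout seconds (one hour by default) rather than at the response's own nextUpdate, and with the default SSLStaplingReturnResponderErrors/SSLStaplingFakeTryLater settings a failed re-fetch makes it staple a synthesised "tryLater" error instead of sending no staple at all, which clients that validate the staple reject.

```apache
# Added example, not from the thread. Assumes mod_ssl and mod_socache_shmcb
# are loaded; example.com and the file paths below are placeholders.

# Stapling cache must be declared at global (server) scope.
SSLStaplingCache shmcb:/var/run/ocsp(128000)

# --- Weak: the defaults, written out explicitly ---
# Cached response is discarded after 3600s regardless of its remaining
# validity. If the responder is then unreachable, Apache staples a fake
# "tryLater" error, so a responder outage becomes a client-visible failure.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    SSLUseStapling on
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingReturnResponderErrors on
    SSLStaplingFakeTryLater on
</VirtualHost>

# --- Hardened: fail open on responder outages ---
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    SSLUseStapling on
    # Never staple a responder error; omit the staple instead and let the
    # client fall back to its own OCSP handling.
    SSLStaplingReturnResponderErrors off
    SSLStaplingFakeTryLater off
    # Keep a good response for a day (seconds) so a short outage is bridged.
    # Apache still uses this fixed timer, not the response's nextUpdate, so
    # keep it well inside the responder's validity window.
    SSLStaplingStandardCacheTimeout 86400
    # Retry a failed fetch sooner than the 600s default, and give up faster.
    SSLStaplingErrorCacheTimeout 60
    SSLStaplingResponderTimeout 5
</VirtualHost>
```

To see what a server is actually stapling, run `openssl s_client -connect example.com:443 -status </dev/null` and look at the "OCSP Response Status" and "Next Update" lines; a server in the weak configuration during a responder outage shows a non-successful status rather than the still-valid response it previously held.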


For what it's worth, Caddy is the only server that will locally cache the staples (and manage them) automatically. In other words, Caddy sites were not affected by this OCSP downtime.