Christophe C.

What can lead to "OCSP ERROR: OCSP response expired" ?

Discussion created by Christophe C. on Jul 26, 2016
Latest reply on Jul 26, 2016 by Ivan Ristić

Hi,

I would like to understand in which circumstances this error comes up when scanning a website:

"OCSP ERROR: OCSP response expired on <Day Mth DD HH:MM:SS TMZ YYYY>"

> How does SSL Labs go through this OCSP testing, exactly? (from what I've noticed with my tests with OpenSSL, whenever you send an OCSP request, you would either get a recent response or a new response - so valid in all cases, unless there is an issue with the OCSP responder, or maybe there's some caching somewhere affecting the response?)

> How would this get fixed? How do OCSP responses get renewed / updated?

Context in my case: The webserver was offline for some time. The OCSP response expired during that time. When the server eventually came back online, the SSL Labs server check was run about 30 minutes later and this error came up. The error no longer shows up at this time; not sure how this was resolved.

Other OCSP response validity questions:

When I manually send an OCSP request to that website with OpenSSL, it returns "This Update" as the date and time of that OCSP request and "Next Update" as 4 days later exactly.

> Where is that 4-day validity set? Is it on the webserver?

If I run the same request a few minutes later I get that same saved response, with the same validity times. However, if I run it again the next day (even less than 24 hours afterwards), I get that OCSP response "renewed" (= validity starting from now until 4 days later).

> How long after the 1st OCSP response would subsequent ones be updated? Or where is this configured?

Let's suppose that computer A somewhere in Europe sends an OCSP request to Server S, and computer B (say in Australia) sends the same request to S a minute later.

> Would both computers get the same OCSP response, with the same validities?

Thank you,

Christophe.
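A defender-side check for the situation described in the post, added here as an example (it is not code from the post, from SSL Labs or from Qualys): it takes the OCSP section that `openssl s_client -status` prints for a server that staples, reads the `This Update` / `Next Update` window that the CA's responder signed into the response, and compares that window with the time of the check, which is what an "OCSP response expired on ..." finding amounts to. The sample texts, `SCAN_TIME` and all function names are constructed for the example; only `fetch_stapled_response` talks to a real server, using the `openssl` command line.

```python
import re
import subprocess
from datetime import datetime, timezone

# Time format used on the "This Update" / "Next Update" lines of
# `openssl s_client -status` (and `openssl ocsp -text`) output.
TIME_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed check time (roughly when the check in the post was run), not a
# value taken from any scan.
SCAN_TIME = datetime(2016, 7, 26, 10, 0, 0, tzinfo=timezone.utc)

# Constructed sample, not captured scan output: a stapled response whose
# validity window ended before the check ran (the "server was offline" case).
SAMPLE_STALE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul 20 09:15:00 2016 GMT
    Next Update: Jul 24 09:15:00 2016 GMT
======================================
"""

# Constructed sample: the same server after its stapling cache refreshed.
SAMPLE_FRESH = (SAMPLE_STALE
                .replace("Jul 20 09:15:00", "Jul 26 09:30:00")
                .replace("Jul 24 09:15:00", "Jul 30 09:30:00"))

# Constructed sample: a server that does not staple at all.
SAMPLE_NONE = "OCSP response: no response sent\n"


def parse_time_field(text, label):
    """Return the given 'This Update' / 'Next Update' line as an aware UTC datetime."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", text, re.MULTILINE)
    if m is None:
        return None
    return datetime.strptime(m.group(1), TIME_FMT).replace(tzinfo=timezone.utc)


def assess_stapled_response(text, now):
    """Classify a stapled response the way a scanner does.

    Returns (verdict, boundary): verdict is one of 'not_stapled', 'unparseable',
    'not_yet_valid', 'valid' or 'expired'; boundary is the datetime that decided it.
    The window is read from the response itself, so a server that keeps serving
    an old cached copy fails here even if the responder would answer freshly.
    """
    if "no response sent" in text:
        return "not_stapled", None
    this_update = parse_time_field(text, "This Update")
    next_update = parse_time_field(text, "Next Update")
    if this_update is None or next_update is None:
        return "unparseable", None
    if now < this_update:
        return "not_yet_valid", this_update
    if now >= next_update:
        return "expired", next_update
    return "valid", next_update


def describe(verdict, boundary):
    """Render a verdict in the style of the message quoted in the question."""
    if verdict == "expired":
        return "OCSP ERROR: OCSP response expired on " + boundary.strftime(TIME_FMT)
    if verdict == "valid":
        return "OCSP stapled response valid until " + boundary.strftime(TIME_FMT)
    return "OCSP stapling: " + verdict.replace("_", " ")


def fetch_stapled_response(host, port=443, timeout=15):
    """Fetch the stapled response of a live server (network call; not used by the samples)."""
    cmd = ["openssl", "s_client", "-status", "-servername", host,
           "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    text = fetch_stapled_response(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STALE
    print(describe(*assess_stapled_response(text, datetime.now(timezone.utc))))
```

Run it with a hostname to test a live server, or with no arguments to evaluate the constructed stale sample. Because the verdict depends only on the window inside the stapled copy, running the check shortly after a server returns from downtime, before its stapling cache has refreshed, reproduces the expired finding even when a direct `openssl ocsp` request to the responder returns a fresh response.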
