Forum OpenACS Q&A: Letsencrypt OCSP change could impact your instance

Today I faced a downtime accessing an older NaviServer installation (4.99.23) via https with certificates from Letsencrypt.

The symptoms were a signal 11 and a full restart whenever I would try to connect. Connecting via http was working as expected.

Errors would look something like:

[23/Jun/2025:00:03:30][282551.7f3ced519700][-driver:nsssl:0-] Warning: OCSP cache file does not exist: /usr/local/ns/logs/05C8F70D9CD2AA5B96254112FC688AF32AD4
[23/Jun/2025:00:03:30][282551.7f3ced519700][-driver:nsssl:0-] Notice: OCSP_FromAIA url <(null)> timeout -1

After too much pointless fiddling, I finally found that the solution was in [1]. A correlated issue was also posted in [2]. This is completely on me 😊

All the best

Antonio

[1] https://github.com/naviserver-project/naviserver/commit/01949859b5d8317bc3970d10b324fac2f280f235
[2] https://openacs.org/forums/message-view?message_id=8531168

Posted by Gustaf Neumann on
This shows that reading the forums helps.

Deactivating OCSP in the configuration file is just a short-run solution; I try to come up with something better. OCSP was introduced to improve the security ratings from sites like ssllabs, and was part of the sample configuration files of OpenACS included in the NaviServer versions 4.99.20 - 4.99.31/head (see e.g. [1,2]).

In general, you should keep OCSP active when using non-letsencrypt certificates.

[1] https://sourceforge.net/p/naviserver/mailman/naviserver-devel/thread/AM0PR05MB6003DCDACCEE5A378E2F5A15FE110%40AM0PR05MB6003.eurprd05.prod.outlook.com/#msg36926639
[2] https://openacs.org/forums/message-view?message_id=5509678

Posted by Gustaf Neumann on
Antonio,

I have updated the NaviServer 5 code to make the OCSP AIA handling more robust. One has to distinguish between the following cases.

- The certificate requires stapling (extension must staple)
- The certificate allows stapling
- The certificate does not allow stapling

It seems the problem you had was the second case, but where a NULL AIA URL was provided.

Please test if possible with OCSP and your certificate. If this still does not work, please mail the certificate to me. If it works, I'll backport the changes to the 4.99 branch to have also a working 4.99 release.

all the best
-g
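The three cases above, as an added example that is not part of this thread and not NaviServer's own code: a stdlib-only Python check that walks a certificate's DER Extensions block and reports (must staple, can staple) the way the "must staple N, can staple N" notice does. It assumes that the TLS Feature extension (RFC 7633, status_request = 5) marks "must staple", that a non-empty OCSP URI in authorityInfoAccess marks "can staple", and that the "NULL AIA URL" situation can be modelled as an OCSP access description with an empty URI; the sample Extensions blocks are constructed, not taken from real certificates.

```python
OID_TLS_FEATURE = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24, TLS Feature (RFC 7633)
OID_AIA = bytes.fromhex("2b06010505070101")          # 1.3.6.1.5.5.7.1.1, authorityInfoAccess
OID_AD_OCSP = bytes.fromhex("2b06010505073001")      # 1.3.6.1.5.5.7.48.1, id-ad-ocsp
STATUS_REQUEST = 5                                   # TLS Feature value that means "must staple"

def tlv(tag, body):
    """Encode one DER element; used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def parse(data):
    """Yield (tag, contents) for each DER element in data (single-byte tags, definite lengths)."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                                     # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n

def stapling_status(extensions_der):
    """Return (must_staple, can_staple) for a DER X.509 Extensions SEQUENCE."""
    must_staple = can_staple = False
    for _, extension in parse(next(parse(extensions_der))[1]):
        fields = list(parse(extension))                  # OID, optional critical BOOLEAN, OCTET STRING
        oid, inner = fields[0][1], next(parse(fields[-1][1]))[1]
        if oid == OID_TLS_FEATURE:                       # SEQUENCE OF INTEGER
            must_staple = STATUS_REQUEST in [int.from_bytes(v, "big") for t, v in parse(inner) if t == 0x02]
        elif oid == OID_AIA:                             # SEQUENCE OF AccessDescription
            for _, ad in parse(inner):
                (_, method), (loc_tag, loc) = list(parse(ad))[:2]
                # Stapling needs a usable OCSP URI ([6] IA5String); an empty one models the "(null)" case.
                if method == OID_AD_OCSP and loc_tag == 0x86 and loc:
                    can_staple = True
    return must_staple, can_staple

def make_ext(oid, value_der):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x04, value_der))
def ocsp_aia(uri):
    return make_ext(OID_AIA, tlv(0x30, tlv(0x30, tlv(0x06, OID_AD_OCSP) + tlv(0x86, uri))))
# Constructed sample Extensions blocks (not taken from any real certificate).
MUST_STAPLE = tlv(0x30, make_ext(OID_TLS_FEATURE, tlv(0x30, tlv(0x02, b"\x05"))) + ocsp_aia(b"http://ocsp.example.test"))
CAN_STAPLE = tlv(0x30, ocsp_aia(b"http://ocsp.example.test"))
NULL_OCSP_URL = tlv(0x30, ocsp_aia(b""))                 # AIA present, but no OCSP URL to fetch from
NO_AIA = tlv(0x30, b"")                                  # no OCSP information at all
```

A server only has something to staple in the first two cases; in the last two a stapling-enabled configuration must degrade gracefully instead of failing the handshake.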

Posted by Gustaf Neumann on

Never mind, you don't have to check anymore.

On OpenACS.org, the certificate was renewed today. NaviServer 5 recognizes correctly that stapling does not work anymore for this certificate, although stapling is activated.

[01/Jul/2025:03:08:14.515705][3395340.7f81c4841700][-driver:nsssl:0-] Notice: tls: SSL_cert_statusCB must staple 0, can staple 1
[01/Jul/2025:03:08:31.762022][3395340.7f81c4841700][-driver:nsssl:0-] Notice: tls: SSL_cert_statusCB must staple 0, can staple 1
[01/Jul/2025:03:08:31.762022][3395340.7f81c4841700][-driver:nsssl:0-] Notice: tls: SSL_cert_statusCB must staple 0, can staple 1
[01/Jul/2025:03:08:40.298242][3395340.7f81c4841700][-driver:nsssl:0-] Notice: tls: SSL_cert_statusCB must staple 0, can staple 0
[01/Jul/2025:03:10:07.378224][3395340.7f81c4841700][-driver:nsssl:0-] Notice: tls: SSL_cert_statusCB must staple 0, can staple 0
[01/Jul/2025:03:10:07.504070][3395340.7f81c4841700][-driver:nsssl:0-] Notice: tls: SSL_cert_statusCB must staple 0, can staple 0

Note that a server might have multiple certificates (e.g. when mass virtual hosting is activated), so having stapling activated still makes sense for the other certificates.