Ocsp response error unauthorized biography

An error occurred during a connection to The OCSP server has refused this request as unauthorized.

If the local sysadmin/user can configured his OCSP client to trust a "default" OCSP responder, then NSS will honor OCSP responses from that responder.

If the certificate is expired and the security slider is set to "Very High" then an "UNAUTHORIZED" response from the OCSP server is treated as a hard failure.

The most common reason for Unauthorized responses tends to be improperly-formatted requests.

I am trying to setup an https server, only for communication within a local network.

If the certificate is expired and the security slider is set to "Very High" then an "UNAUTHORIZED" response from the OCSP server is treated as a hard failure....

Responder Error: unauthorized (6)

mrtux1

Quite often I get OCSP errors directly after issuing a new certiticate.

The last time this happened was on for the certificate https://crt.sh/?id=2101378294.

The OCSP-client of the OpenSSL-tool returned:

after being invoked with:

I run the OCSP-client three times in a row on a failure with a delay of 60 and 90 seconds and usually all three requests fail if the first already failed.

After a longer time, the requests work.

1 Like

Phil2

Hi @mrtux,

Can you define what you mean by “after a longer time”?

I see that your certificate does not have the OCSP must-staple extension which means that you shouldn’t need to immediately check OCSP.

1 Like

Phil4

@tdelmas,

I mistyped, the certificate does not have must-staple.

1 Like

mrtux5

It doesn’t matter whether the certificate has must-staple or not.

As soon as I use the certificate in production my server will ask the OCSP server for an OSCP response for OCSP stap