
Let's Encrypt cert issuance is down - seszett
http://letsencrypt.status.io/?1
======
avian
Also their OCSP server seems to be now having intermittent problems, making
pages unreachable.

In Firefox you need to go to about:config and disable
"security.ssl.enable_ocsp_stapling" and "security.OCSP.enabled" to get
through.

~~~
tialaramex
What _should_ happen with stapling is that the server would staple the last
valid OCSP response they have. Since OCSP responses last several days, and the
outage was only a few hours, this would have been fine.

But alas some of the most popular HTTP servers (notably Apache) managed to do
the OCSP equivalent of getting all the superglue on your hands and none on the
thing to be glued. Their behaviour defaults to

* Remember invalid OCSP answers if we see them
* Pass on invalid answers to a client even though we know that will make things worse
* If we don't get a new answer, make up our own errors (these will of course be invalid too) in preference to remembering a valid answer from before

I think if I paid somebody to deliberately implement OCSP stapling as badly as
possible for some sort of joke, they could not surpass what Apache did
apparently as a serious attempt at implementation...
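
An added example, not part of the thread and not any server's actual code: a small Python model contrasting the "staple the last valid response" policy described in the comment above with the error-forwarding defaults it criticises. The class names, the timeline and the 4-day validity window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

HOUR, DAY = 3600, 86400

@dataclass(frozen=True)
class OcspResponse:
    status: str           # "good"/"revoked", or a responder error such as "tryLater"
    this_update: int = 0  # validity window in epoch seconds (unset for errors)
    next_update: int = 0

    def usable(self, now: int) -> bool:
        signed_status = self.status in ("good", "revoked")
        return signed_status and self.this_update <= now < self.next_update

class KeepLastGood:
    """Staple the last valid response until it expires; never cache or forward errors."""
    def __init__(self):
        self.cached: Optional[OcspResponse] = None
    def refresh(self, fetched: Optional[OcspResponse], now: int) -> None:
        if fetched is not None and fetched.usable(now):
            self.cached = fetched
    def staple(self, now: int) -> Optional[OcspResponse]:
        return self.cached if self.cached and self.cached.usable(now) else None

class ForwardErrors:
    """Model of the defaults criticised above: errors replace the cached good answer."""
    def __init__(self):
        self.cached: Optional[OcspResponse] = None
    def refresh(self, fetched: Optional[OcspResponse], now: int) -> None:
        # No answer at all: make up a tryLater error instead of keeping the old one.
        self.cached = fetched if fetched is not None else OcspResponse("tryLater")
    def staple(self, now: int) -> Optional[OcspResponse]:
        return self.cached

# Constructed timeline: (time, what the responder fetch returned; None = no answer).
GOOD = OcspResponse("good", this_update=0, next_update=4 * DAY)
TIMELINE = [(0, GOOD), (1 * HOUR, None), (2 * HOUR, OcspResponse("internalError")),
            (3 * HOUR, OcspResponse("good", 3 * HOUR, 3 * HOUR + 4 * DAY))]

def simulate(policy, timeline=TIMELINE):
    """Return the status stapled after each refresh attempt (None = no staple sent)."""
    out = []
    for now, fetched in timeline:
        policy.refresh(fetched, now)
        stapled = policy.staple(now)
        out.append(stapled.status if stapled else None)
    return out
```

With the first policy a responder outage of a few hours is invisible to clients; once the cached response passes its `next_update` the server sends no staple at all rather than an invalid one.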

