cert deployment should not be finished if ocsp fetch failed with must_staple enabled #513

Open
opened 2025-12-29 01:26:34 +01:00 by adam · 0 comments

Originally created by @bjacke on GitHub (Dec 4, 2020).

This request is related to issue #785 but it's not the same.

If OCSP_MUST_STAPLE is enabled and if the initial ocsp fetch (after a fresh new cert was issued) was not successful, then dehydrated should continue trying to fetch a valid and matching ocsp response. I saw recently that it took 30min till the ocsp server had the ocsp status for a new cert. Only if the initial ocsp fetching could be done successfully, the cert deployment should continue.

adam added the Complicated label 2025-12-29 01:26:34 +01:00
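
The behaviour requested above, as an added example that is not part of the original issue and is not dehydrated's own code: a retry loop that keeps asking the OCSP responder until it returns a verified "good" response for the new certificate, and runs the deploy command only then. The function names `fetch_ocsp`, `wait_for_ocsp` and `deploy_when_stapled` are hypothetical, and the example assumes the issuer chain file is sufficient to verify the responder's signature.

```sh
#!/bin/sh
# Added example (not dehydrated code): hold back deployment of a must-staple
# certificate until the responder returns a verified "good" OCSP response.

# Fetch one response for cert $1 (issuer chain $2) into $3 and print openssl's
# status text. Assumption: the chain file is enough to verify the responder.
fetch_ocsp() {
  local url
  url=$(openssl x509 -noout -ocsp_uri -in "$1") || return 1
  [ -n "$url" ] || return 1
  openssl ocsp -no_nonce -issuer "$2" -verify_other "$2" -cert "$1" \
    -url "$url" -respout "$3" 2>&1
}

# Retry up to $4 times, $5 seconds apart. Succeeds only on a verified "good".
wait_for_ocsp() {
  local i=1 status
  while [ "$i" -le "$4" ]; do
    if status=$(fetch_ocsp "$1" "$2" "$3") &&
       printf '%s\n' "$status" | grep -q 'Response verify OK' &&
       printf '%s\n' "$status" | grep -qF "$1: good"; then
      return 0
    fi
    rm -f "$3"   # never leave an unverified or non-"good" response on disk
    echo "OCSP attempt $i/$4 for $1 not usable yet" >&2
    [ "$i" -lt "$4" ] && sleep "$5"
    i=$((i + 1))
  done
  return 1
}

# deploy_when_stapled CERT CHAIN OUT ATTEMPTS DELAY DEPLOY_CMD...
# Runs DEPLOY_CMD only after wait_for_ocsp succeeded; otherwise fails closed.
deploy_when_stapled() {
  if wait_for_ocsp "$1" "$2" "$3" "$4" "$5"; then
    shift 5
    "$@"
  else
    echo "no valid OCSP response for $1, not deploying" >&2
    return 1
  fi
}
```

With 12 attempts and a 300 second delay the loop covers an hour, which is longer than the 30 minute responder lag reported in the issue.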

Reference: starred/dehydrated#513