Handle Let's Encrypt OCSP deprecation #530

Open
lukastribus opened this issue Feb 21, 2025 · 7 comments

Comments

@lukastribus
Contributor

Is your feature request related to a problem? Please describe.

OCSP is dead, it has slowly been dying for years now and it is coming to an end altogether sooner rather than later.

  • Chrome disabled OCSP in 2012
  • OCSP is optional for CAs since 2023, even Mozilla agreed in this ballot to retire OCSP
  • Let's Encrypt is retiring OCSP completely within a few months; more specifically:
    • January 30, 2025
      • OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension
    • May 7, 2025
      • Prior to this date we will have added CRL URLs to certificates
      • On this date we will drop OCSP URLs from certificates
      • On this date all requests including the OCSP Must Staple extension will fail
    • August 6, 2025
      • On this date we will turn off our OCSP responders

Describe the solution you'd like

Verify what happens if a certificate does not have an OCSP URL (Let's Encrypt certificates from May 7th), or if OCSP responders are gone (LE from August 6th).

I would expect check_ssl_cert to not return CRITICAL or WARNING when Let's Encrypt removes OCSP URLs from the certificates, but handle it gracefully (missing OCSP URL should automatically disable OCSP check?).

This may already be the case, I do not know.

Describe alternatives you've considered

--ignore-ocsp may be used to disable OCSP checking manually, however doing this manually does not scale.


@matteocorti
Owner

Dear Lukas

I agree. The OCSP check should be optional. I will try to find some time to fix it.

@lukastribus
Contributor Author

lukastribus commented Feb 21, 2025

I want to emphasize that I don't know if a change is even necessary; if an OCSP URL is present in the certificate, we should check the OCSP server by default, imho.

But if there is no OCSP URL in the certificate, we should not fail because of it.

@matteocorti
Owner

You are right. The problem is that some CAs are removing the OCSP services too soon. The certificate still has the URL but this is now invalid.

@lukastribus
Contributor Author

For Let's Encrypt all certificates with OCSP URLs will be expired by the time the OCSP service is shut down if I understand their blog post correctly, so for LE specifically this should not be an issue.

@matteocorti
Owner

I run the complete test suite every day, and I notice that I get OCSP errors more frequently. One example is github.com with Sectigo. From time to time, the OCSP servers do not respond. Then the next day they are OK again. At ETH Zurich we used QuoVadis for hundreds of servers and every three or four weeks we had problems with OCSP.

I suspect that since OCSP is dying, a lot of CAs are caring less whether it is working or not ...

@matteocorti
Owner

Anyway, looking at the code, if the OCSP URI is missing the script should just output a verbose message

        if [ -z "${ELEMENT_ISSUER_URIS}" ]; then
            verboselog "Warning cannot find the CA Issuers in the certificate chain element ${el_number}: disabling OCSP checks on chain element ${el_number}"
            return
        fi

and continue with the next element in the chain.

I did not find a server without OCSP to test (it's working with self-signed certificates but these are handled differently).

I will keep the issue open and keep an eye open.
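The following is an added example, not code from check_ssl_cert or from either participant, illustrating the behaviour discussed in this thread: read the Authority Information Access extension of a certificate with openssl and decide whether an OCSP check applies at all, treating "no OCSP URI" as "skip" rather than as a WARNING or CRITICAL condition. It generates its own throw-away self-signed certificates so it runs offline; the hostnames (ocsp.example.test, crl.example.test), file names and function names are assumptions chosen for the demo. The CRL-only certificate stands in for what Let's Encrypt issues after May 7, 2025.

```shell
#!/bin/sh
# Added example (not part of check_ssl_cert): decide whether an OCSP check
# should run, based on the OCSP URI in the certificate's AIA extension.
# Requires openssl >= 1.1.1 (for -addext); all names below are made up.

# Print the OCSP URI(s) of a PEM certificate, one per line (nothing if absent).
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Print "check" when the certificate carries an OCSP URI, "skip" otherwise.
# "skip" is the graceful path: with no responder to ask, OCSP must not
# influence the monitoring state at all.
ocsp_check_mode() {
    if [ -n "$(ocsp_uris "$1")" ]; then
        echo check
    else
        echo skip
    fi
}

# Create two self-signed certificates in directory $1 (constructed test data):
#   with-ocsp.pem : AIA with an OCSP URI (pre-May-7-2025 Let's Encrypt style)
#   crl-only.pem  : CRL distribution point only, no OCSP URI (post-May-7 style)
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=with-ocsp.example.test" \
        -keyout "$dir/with-ocsp.key" -out "$dir/with-ocsp.pem" \
        -addext "authorityInfoAccess = OCSP;URI:http://ocsp.example.test" \
        2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=crl-only.example.test" \
        -keyout "$dir/crl-only.key" -out "$dir/crl-only.pem" \
        -addext "crlDistributionPoints = URI:http://crl.example.test/r.crl" \
        2>/dev/null
}

# Stand-alone demo: expected output is "with-ocsp: check" and "crl-only: skip".
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for name in with-ocsp crl-only; do
    printf '%s: %s\n' "$name" "$(ocsp_check_mode "$demo_dir/$name.pem")"
done
rm -rf "$demo_dir"
```

The split mirrors the verboselog branch quoted above: an absent URI is logged and the chain element is left alone, while a present URI still leads to a real responder query. Whether an unreachable responder for a present URI should be WARNING or CRITICAL is a separate policy decision that this example deliberately does not make.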

@matteocorti
Owner

Seems that I am not the only one to look for a quick possibility to test: https://community.letsencrypt.org/t/how-to-get-cert-with-crl-not-ocsp/226151/3
