We're seeing some errors in the past few days similar to this one, in our nginx error logs:
/var/log/nginx/error.log.2.gz:2017/01/30 16:11:46 [crit] 13114#13114: *139338 SSL_do_handshake() failed (SSL: error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response:SSL alert number 113) while SSL handshaking, client: X.X.X.X, server: 0.0.0.0:443
We're using Let's Encrypt for this certificate. We can't reproduce this problem ourselves, so far we haven't been able to get any information about what might be causing this from the client side.
RFC 6066 says that this is related to OSCP:
Clients requesting an OCSP response and receiving an OCSP response in
a "CertificateStatus" message MUST check the OCSP response and abort
the handshake if the response is not satisfactory with
bad_certificate_status_response(113) alert. This alert is always
fatal.
We have this in our nginx config:
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
The domain gets an A+ from SSL Labs, and we can't reproduce this ourselves. What could cause this error?
Edit: For the 3 times this has happened in the last few days, only one has left an entry for its IP address in the access log:
/var/log/nginx/access.log:X.X.X.X - - [01/Feb/2017:12:12:51 -0500] "GET /images/foo/bar.png HTTP/1.1" 200 6174 "-" "Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2639 Mobile Safari/537.35+"
Edit 2: This is the output of openssl s_client -connect <address>:<port> -showcerts -status:
$ openssl s_client -connect foo.bar.com:443 -showcerts -status
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Feb 2 02:49:00 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 0320C25EEBD8FE0BBC3678CC437E182E6D82
Cert Status: good
This Update: Feb 2 02:00:00 2017 GMT
Next Update: Feb 9 02:00:00 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
6b:10:31:84:c6:ec:32:2f:60:b2:5e:a9:a9:af:96:09:0d:53:
7d:1d:9d:25:4e:2a:c2:46:72:51:57:ae:62:d0:6f:b8:ae:0c:
50:d1:6f:f1:84:1f:8b:c8:fb:ed:08:8b:2f:8f:9d:d4:39:31:
dc:6c:f5:99:27:d1:39:cb:f6:e8:c0:db:5e:99:e8:df:74:96:
79:5a:19:ae:b7:84:bc:e2:ff:66:da:1d:dc:ad:d5:90:af:d7:
30:83:28:65:fa:12:0e:46:5d:b4:4d:e0:a2:b8:75:3c:f9:15:
9e:b3:12:28:34:01:0c:53:05:ee:2a:26:d4:81:fb:9c:62:9b:
d6:43:15:ab:a1:cb:f7:ca:e5:6b:4b:7d:79:dd:72:39:93:1e:
3f:e7:74:70:c5:de:79:27:db:79:bf:16:c8:ea:c4:a0:c7:d8:
f1:5c:91:61:dd:4f:67:65:2f:4d:eb:76:8e:9d:ff:99:32:3d:
41:7d:35:e9:25:5b:c1:c6:b3:30:c4:8c:9f:56:8b:86:65:4f:
16:5f:b2:84:d3:f5:24:d9:9e:4f:b2:57:2a:e0:ee:67:01:e8:
72:1b:ad:fd:c8:fd:a9:d5:7c:a4:bb:aa:be:96:22:83:c7:d5:
36:82:51:27:f0:9f:00:9b:51:63:6c:39:02:29:dd:cc:7b:a9:
62:7a:03:ee
======================================
---
Certificate chain
0 s:/CN=foo.bar.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFAjCCA+qgAwIBAgISAyDCXuvY/gu8NnjMQ34YLm2CMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAyMDIwMTUwMDBaFw0x
NzA1MDMwMTUwMDBaMBoxGDAWBgNVBAMTD2FwcC5nZXRtYXBsZS5jYTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBALc4sKh6QmYPj78RZHBv07OCH0dPLNAj
PGRUoIMfKInZnKw3ue88PHTIVxxLeUF7c+yWrEtR2LF9BesO7XWpz9jdGXmOmHyj
KV/ThDtOvglO7c2foucATuziWcm/L/12ydPhJ3rHjHagXGrghEVxJSQwpLmgboAx
LzQup9A7HVrh/fafmnCkEZVXm+HQxIFfsLBS0Cg4VRecstyeSduK/P19XxS/DJDx
Rn3Ci09WRxfw2/gerDp8N4sAV1R7k7aI+j+mOWBpfOiGxyXKDErm9ZpULeahGo2Q
AbwkZQTlnPlVzd2DeNLwPvL9PVzZpr+Xdn+mmyZZERQZv8A5zIRqfhMCAwEAAaOC
AhAwggIMMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUUN66DA00cIF4jJJ6nfpLy8Gg
lvYwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEE
ZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0
Lm9yZy8wGgYDVR0RBBMwEYIPYXBwLmdldG1hcGxlLmNhMIH+BgNVHSAEgfYwgfMw
CAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDov
L2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0
aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRp
ZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQ
b2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9y
eS8wDQYJKoZIhvcNAQELBQADggEBAAZB906DvRm88EojJtMPR4j8JaqS9tMjIrR7
lJz0o+y2CS8IVW3hGStlOc6lnxar0w9K6TO5OJXPVF1oaqZhtQuOTgxFPL/KObcd
SIVpKwGNK83NwHSHhu/KrOQBUuTFCkEpH2rEgCDzvKLYwruWD1I3yXstdvmrZY0z
LgrUWSq9Oy/1OK/r/W+t3Igr6uv+PXQPNPz7/Wf6h52h60JnbmnwJjQYhkoGbFKI
ZLjsDnwKMvsZqw6ya9NscebsQAwo07/DTlKuY4Gvo+vBmhVxliBjvs5TkXMpWGr+
E1qIzL+vYDborgOFwPBiDW1cpqrNCf6RdPYCbcmiq5YpHd6qD/0=
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.bar.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4125 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4F251FC1206A7455B45ABB58137F8EBFE0E23980C8C5FA2185F849AC92E99E39
Session-ID-ctx:
Master-Key: 0C7B5BA714DAFA5791BA956DBC4BD642B6CABA21CB6622172B65AC3BACB063D910F38DA1D63E5A90B2C209FE442B5294
Key-Arg : None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6e fe 98 71 de f9 22 6f-c6 6c b2 75 fb 94 96 3b n..q.."o.l.u...;
0010 - 8e 35 66 14 6c c5 01 29-29 b8 fc 19 f7 dd 5a d8 .5f.l..)).....Z.
0020 - 6f 5b 5d f9 0c 55 f5 61-af 7e a3 fa 71 f1 7e a8 o[]..U.a.~..q.~.
0030 - 61 26 ac ab fc a8 6a b0-43 da 47 fe 73 88 85 5e a&....j.C.G.s..^
0040 - 05 c5 15 30 3a 24 35 dc-60 30 eb 08 1a 1a 96 73 ...0:$5.`0.....s
0050 - 08 98 83 56 86 cf b4 c5-17 42 8c fd a3 f9 02 89 ...V.....B......
0060 - 2d d3 75 1d 54 10 91 04-37 65 41 a2 02 7a 6d 4d -.u.T...7eA..zmM
0070 - db 52 b2 46 67 cb ab 32-39 5f e8 e2 3f 98 5f 1b .R.Fg..29_..?._.
0080 - 69 e7 91 9a cd 76 03 85-09 79 cb c0 85 96 b1 f1 i....v...y......
0090 - c4 bc 18 31 a5 0a 46 d5-4f 22 fd 70 7e 5d 68 08 ...1..F.O".p~]h.
00a0 - 38 5b 36 66 8c ad e9 3a-e5 51 1a aa db 77 08 7d 8[6f...:.Q...w.}
Start Time: 1486065610
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
Best Answer
Simon, looks like you catch situation described in this post. There is no problem with configuration, looks like it's nginx behavior. As well, there could be problems with Let's Encrypt OCSP.