Looks like that server has another problem, the URL doesn't have any double slashes, fails also when not encoded, and a request using POST seems to fail as well.

Encoded:
http://ocsp.serpro.gov.br/acserprosslv1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW%2BhUsNmqSdcYRQQUrRZPS%2FEMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k%3D

Decoded:
http://ocsp.serpro.gov.br/acserprosslv1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW+hUsNmqSdcYRQQUrRZPS/EMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k=

Taking the base 64 request data from the URL above, and decoding the ASN.1, we can successfully get the OCSP request:
https://lapo.it/asn1js/#ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW-hUsNmqSdcYRQQUrRZPS_EMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k

On Friday, 8 October 2021 at 23:38:29 UTC+2 [email protected] wrote:

> Could this possibly be the same as the problem I'm encountering with OCSP
> response for the SERPRO test site (OCSP response not found) when I run this
> command?
>
> curl --verbose --url http://ocsp.serpro.gov.br/acserprosslv1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW%2BhUsNmqSdcYRQQUrRZPS%2FEMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k%3D
>
> (Using instructions from https://unmitigatedrisk.com/?p=42)
>
> See also
> https://certificate.revocationcheck.com/active-repositorio.serpro.gov.br
>
> Thanks,
>
> Ben
>
>
> On Thu, Oct 7, 2021 at 6:42 PM 'Jacob Hoffman-Andrews' via
> [email protected] <[email protected]> wrote:
>
>> Good advice, thanks for sharing! People interested in this may also be
>> interested in reading Let's Encrypt's 2017 postmortem related to the same
>> issue:
>> https://community.letsencrypt.org/t/may-19-2017-ocsp-and-issuance-outage-postmortem/34922.
>>
>> Another interesting thing: concatenation happens without regard to whether
>> the OCSP URL in a certificate has a trailing slash. If you issue
>> certificates where the OCSP URL ends in a trailing slash (rare, I think),
>> you'll find that all of your OCSP GET requests start with a doubled slash
>> (//). Also, it's worth being cautious about deploying changes that will
>> cause large numbers of cache entries to be invalidated.
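
As an added illustration (not part of the thread and not any participant's code), this Python sketch decodes the GET-style OCSP URL quoted above into its CertID fields and rebuilds it, including the doubled slash that results when the responder URL ends in a slash. The responder prefix, the function names, and the assumption that the request carries no optional TBSRequest fields are assumptions of the example.

```python
import base64
from urllib.parse import quote, unquote

# GET-style OCSP URL quoted in the thread; the responder prefix is an assumption
# (everything before the last path segment).
RESPONDER = "http://ocsp.serpro.gov.br/acserprosslv1"
THREAD_URL = (RESPONDER + "/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTBQ28pKtiXfAbGW%2BhUsNmq"
              "SdcYRQQUrRZPS%2FEMvsKKooUY1w1GJZMi480CDQDzmwGvO97JMnso57k%3D")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element with a definite length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Dotted form of an OID body (first arc 0 or 1, which covers the hash OID here)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_ocsp_get(url, responder=RESPONDER):
    """Recover the CertID from a GET-style OCSP URL (no optional TBSRequest fields)."""
    if not url.startswith(responder):
        raise ValueError("URL does not belong to this responder")
    # lstrip tolerates the doubled slash produced by a trailing-slash responder URL.
    der = base64.b64decode(unquote(url[len(responder):].lstrip("/")), validate=True)
    buf = der
    for _ in range(5):   # OCSPRequest > TBSRequest > requestList > Request > CertID
        tag, buf, _ = read_tlv(buf)
        if tag != 0x30:
            raise ValueError("unexpected structure: tag 0x%02x" % tag)
    _, alg, pos = read_tlv(buf)
    _, name_hash, pos = read_tlv(buf, pos)
    _, key_hash, pos = read_tlv(buf, pos)
    _, serial, _ = read_tlv(buf, pos)
    return {"der": der, "hash_oid": decode_oid(read_tlv(alg)[1]),
            "issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big")}

def build_ocsp_get(responder, der):
    """Client-side concatenation as described in the thread: '/' is always inserted."""
    return responder + "/" + quote(base64.b64encode(der).decode("ascii"), safe="")
```

Comparing `build_ocsp_get(RESPONDER, der)` with `build_ocsp_get(RESPONDER + "/", der)` shows why a responder or cache that keys on the exact path has to treat both forms as the same request.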
