[1.3.1] OCSP renew fails with letsencrypt

[lkarsten]

With Hitch 1.3.1 and a let's encrypt certificate, I get the following logged when HUPing hitch:

Aug 22 09:14:48 lima hitch[2097]: Worker 0 (gen: 0) in state EXITING is now exiting.
Aug 22 09:14:48 lima hitch[2096]: {core} Child 2097 exited with status 0.
Aug 22 09:14:48 lima hitch[2573]: {core} Process 0 online
Aug 22 09:14:48 lima hitch[2574]: {ocsp} OCSP_sendreq_nbio failed for ocsp.int-x3.letsencrypt.org:80.

Expected: no ocsp error logged, perhaps something logged about a staple successfully being downloaded.

There are no files in the directory configured as ocsp-dir in hitch.conf. ownership hitch:root and perms are 0700.

s_client confirms that there is no staple attached in the response:

$ echo "" | openssl s_client -connect hostname:443 -tlsextdebug -status 
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
OCSP response: no response sent
[..]

I don't know if this is because hitch is misbehaving, or if let's encrypt servers are having issues.

[sesse]

This also happens for StartSSL.

Aug 24 23:05:19 cirkus hitch[20549]: 20160824T230519.614083 [20553] {ocsp} OCSP_sendreq_nbio failed for ocsp.startssl.com:80.

[HLeithner]

@daghf anything new about this issue?

[sesse]

https://trac.nginx.org/nginx/ticket/465 came up on IRC. Probably relevant (lack of HTTP/1.1).

[daghf]

@HLeithner @lkarsten @sesse

I commited a fix just now. Could you try running it again?