letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

OCSP: Don't warn on expired responses (#5507) 

Downgrade the "ocsp response expired" log from Warning to Info, as
this is a very common occurrence and should be expected.

Fixes #5501
This commit is contained in:
Aaron Gable 2021-07-09 10:01:20 -07:00 committed by GitHub
parent 5586909446
commit 9a12ba7f7f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/ocsp-responder/main.go
View File

@ -181,11 +181,11 @@ func (src *dbSource) Response(req *ocsp.Request) ([]byte, http.Header, error) {
src.log.AuditErrf("Looking up OCSP response: %s", err)
return nil, nil, err
}
if certStatus.OCSPLastUpdated.IsZero() {
src.log.Warningf("OCSP Response not sent (ocspLastUpdated is zero) for CA=%s, Serial=%s", hex.EncodeToString(req.IssuerKeyHash), serialString)
if certStatus.IsExpired {
src.log.Infof("OCSP Response not sent (expired) for CA=%s, Serial=%s", hex.EncodeToString(req.IssuerKeyHash), serialString)
return nil, nil, bocsp.ErrNotFound
} else if certStatus.IsExpired {
src.log.Warningf("OCSP Response not sent (expired) for CA=%s, Serial=%s", hex.EncodeToString(req.IssuerKeyHash), serialString)
} else if certStatus.OCSPLastUpdated.IsZero() {
src.log.Warningf("OCSP Response not sent (ocspLastUpdated is zero) for CA=%s, Serial=%s", hex.EncodeToString(req.IssuerKeyHash), serialString)
return nil, nil, bocsp.ErrNotFound
} else if !src.filter.responseMatchesIssuer(req, certStatus) {
src.log.Warningf("OCSP Response not sent (issuer and serial mismatch) for CA=%s, Serial=%s", hex.EncodeToString(req.IssuerKeyHash), serialString)