OCSP Errors on repo.turris.cz

While I can access it with my browser without issues, and also hardenize doesn't show any issues, all routers keep sending me the following since last night:

Error notifications
===================
Updater execution failed:
line not found
ERROR:
runtime: [string "requests"]:451: [string "utils"]:441: 
    Getting URI (https://repo.turris.cz/hbs/omnia/lists/pkglists/net_monitoring.lua) failed: 
    No OCSP response received
line not found
line not found

Looks like an issue with Let’s encrypt recent OCSP policy changes.

21 Likes

+1; I seem to have the same issue. I have not done anything yet, not even tried to reboot.

reboot does not help

+1. I am having the same issue

Same issue as well on TurrisOS 7.1.4 for a couple of hours now.

+1; The same thing is happening on my box. 4 emails so far, first at 2:48, last at 8:53.

Turris 1.1 with OS 7.1.4..

+1 also for me it is doing this error

In the hope of helping debug this, my first notification email for a failed update arrived at 1:22AM Amsterdam time (GMT+2).

I’m using a Turris Mox with Turris OS 7.1.4. Seeing the other replies, it seems probably every single person on the HBS branch is affected. Maybe other branches too.

Very curious to see if this could even be fixed without manual steps by end users, given the updater is now broken :slight_smile: Good luck dev/ops and sorry for the stressful day ahead given the size of this outage!

4 Likes

The Let’s Encrypt authority has discontinued support for OCSP. The problem occurred after a certificate exchange at the repo.turris.cz address.
As milkandhoney wrote.

This is a server side problem. I’m curious how the Turris team will handle this, because OCSP verification is enabled on the client (router) side, but the server certificate no longer provides this method. I doubt there is another way to bulk change/turn off this verification on the client side.
If they have a backup of the original certificate that should still be valid (Let’s Encrypt replaces them ahead of time), they can re-upload it to the server and issue a patch before the original one finally expires.
Fingers crossed :crossed_fingers: I’m turning off updates for now, hopefully that will stop the SPAM :slightly_smiling_face:

18 Likes

Yes, the certificate of repo.turris.cz was renewed last night:
image

2 Likes

Hmm, that explains what I'm seeing. I expect everyone will be seeing this from midnight last night. What are the workarounds? Anything more sophisticated than disabling updates or email notifications to prevent hourly spam?

1 Like

There are two work items for the Turris Team to do:

  • Temporarily switch to a CA that provides OCSP, e.g. Google Trust Services
  • update pkgupdate (or other relevant piece of software) not to assume that a certificate always has an OCSP URL in the Authority Information Access field.
3 Likes
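The check behind the second work item, shown with the openssl CLI as an added example that is not part of the thread and not code from the Turris updater (which is written in Lua): read the Authority Information Access extension and attempt an OCSP query only when a responder URL is actually advertised, rather than failing with "No OCSP response received" when the certificate never offered one. The two self-signed certificates are constructed by the script itself, and the hostname repo.example.test and the responder http://ocsp.example.test/ in them are made-up values.

```shell
#!/bin/sh
# Added example (not Turris code): decide from the AIA extension whether an
# OCSP check is possible for a certificate. Let's Encrypt certificates issued
# without an OCSP responder must be handled as "skip OCSP", not as an error.
set -eu

# Print the OCSP responder URI from a PEM certificate; prints nothing when the
# Authority Information Access extension carries no OCSP entry.
ocsp_uri_of_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Exit 0 when an OCSP query should be attempted, 1 when it must be skipped.
# A hard failure is only justified when a responder is advertised and then
# gives no answer; an absent responder is a normal, valid certificate.
ocsp_check_policy() {
    uri=$(ocsp_uri_of_cert "$1")
    if [ -z "$uri" ]; then
        echo "no OCSP responder in AIA: skip OCSP, rely on CRL / short lifetime"
        return 1
    fi
    echo "OCSP responder advertised: $uri (query it; fail only if it does not answer)"
    return 0
}

# Constructed throwaway certificates so the script runs offline. The hostname
# and the responder URL are assumptions, not real infrastructure.
make_demo_certs() {
    demo=$(mktemp -d)
    # Certificate with no AIA/OCSP entry at all.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=repo.example.test" \
        -keyout "$demo/key.pem" -out "$demo/no_ocsp.pem" 2>/dev/null
    # Certificate that advertises an OCSP responder in AIA (needs OpenSSL >= 1.1.1).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=repo.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -keyout "$demo/key.pem" -out "$demo/with_ocsp.pem" 2>/dev/null
    echo "$demo"
}

DEMO_DIR=$(make_demo_certs)
trap 'rm -rf "$DEMO_DIR"' EXIT

for cert in "$DEMO_DIR/with_ocsp.pem" "$DEMO_DIR/no_ocsp.pem"; do
    printf '%s: ' "$(basename "$cert")"
    if ocsp_check_policy "$cert"; then
        : # would run "openssl ocsp -issuer ... -cert ... -url $uri" here
    fi
done
```

Run against a real chain with `openssl s_client -connect host:443 -showcerts`, save the leaf certificate and pass it to `ocsp_uri_of_cert`; an empty result is exactly the situation the thread describes and is the case the updater must tolerate.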

I've just received information from @ljelinek that he did exactly this and I can confirm that it works. :innocent: Next step, of course, is to release a new Turris OS version with some modifications to Updater.

20 Likes

@ljelinek It just happened to me again.

1 Like

Oh, my mistake (unsuccessful deactivation of automatic renewal) :face_with_spiral_eyes: Resolved again, hopefully permanently (until a fixed version of updater will be released).

5 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.