workaround LetsEncrypt OCSP responder bug

tykling · Jan 10, 2025 · aec078c · aec078c
1 parent bf770df
commit aec078c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/client/certgrinder/certgrinder.py b/client/certgrinder/certgrinder.py
@@ -1047,7 +1047,12 @@ def load_ocsp_response(
         """
         with open(path, "rb") as f:
             ocsp_response_data = f.read()
-        return ocsp.load_der_ocsp_response(ocsp_response_data)
+        try:
+            return ocsp.load_der_ocsp_response(ocsp_response_data)
+        except ValueError:
+            # try loading without trailing char, see more at
+            # https://github.com/tykling/certgrinder/issues/759
+            return ocsp.load_der_ocsp_response(ocsp_response_data[:-1])
 
     def get_ocsp(
         self,

diff --git a/docs/certgrinder-changelog.rst b/docs/certgrinder-changelog.rst
@@ -9,6 +9,16 @@ All notable changes to ``certgrinder`` will be documented in this file.
 
 This project adheres to `Semantic Versioning <http://semver.org/>`__.
 
+
+Unreleased
+----------
+
+Fixed
+~~~~~
+
+- Workaround LetsEncrypt OCSP responder bug causing ``ValueError: error parsing asn1 value: ParseError { kind: ExtraData }`` when loading some OCSP responses. Details at https://github.com/tykling/certgrinder/issues/759
+
+
 v0.20.0-beta2 (10-jan-2025)
 ---------------------------