From ac02cd9cb87ad8cd9e8080f13d7ccd36d9f0702b Mon Sep 17 00:00:00 2001
From: Peter Eckersley <pde@eff.org>
Date: Mon, 19 Dec 2016 17:36:37 -0800
Subject: [PATCH] ocsp checking needs -verify_other

https://community.letsencrypt.org/t/unable-to-verify-ocsp-response/7264
---
 certbot/ocsp.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/certbot/ocsp.py b/certbot/ocsp.py
index cb3dd0610..f4c986609 100644
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@@ -40,9 +40,10 @@ def revoked_status(cert_path, chain_path):
             "-issuer", chain_path,
             "-cert", cert_path,
             "-url", url,
-            "-CAfile", chain_path])
+            "-CAfile", chain_path,
+            "-verify_other", chain_path])
     except errors.SubprocessError:
-        return "(OCSP Failure)"
+        return "OCSP Failure"
 
     return _translate_ocsp_query(cert_path, output)