When the ocsp updater script runs into certain openssl error-responses, it's confused as to what exactly the problem is and doesn't fail until a much later step. OpenSSL is partly to blame here for returning exit status zero in these cases (IMHO), but either way we should deal with these cases properly and error out immediately instead of proceeding with further validation checks that are destined to fail.
Related Gerrit Patches:
| operations/puppet : production | update-ocsp: refactor validation, check cert life |

| Resolved | BBlack | T109740 ocsp updater: re-enable automatic updates |
| Resolved | BBlack | T109737 ocsp updater: handle openssl "trylater" and similar more-gracefully |
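
The failure mode described in the task, as an added example (not the update-ocsp script or the Gerrit patch): a POSIX shell check that inspects captured `openssl ocsp` output for a responder error before any further validation runs. The function name `ocsp_output_ok`, the sample outputs and the assumed output line formats are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the update-ocsp script. Sample outputs are constructed;
# the line formats are assumed from `openssl ocsp` text output (2>&1).

SAMPLE_GOOD='Response verify OK
cert.pem: good
    This Update: Aug 20 00:00:00 2015 GMT
    Next Update: Aug 27 00:00:00 2015 GMT'
SAMPLE_TRYLATER='Responder Error: trylater (3)'
SAMPLE_REVOKED='Response verify OK
cert.pem: revoked
    This Update: Aug 20 00:00:00 2015 GMT'
SAMPLE_UNVERIFIED='cert.pem: good
    This Update: Aug 20 00:00:00 2015 GMT'

# ocsp_output_ok EXIT_STATUS OUTPUT_TEXT
# Returns 0 only for a verified "good" answer; otherwise prints the reason
# and returns a distinct non-zero code so the caller can stop immediately.
ocsp_output_ok() {
    _rc=$1
    _out=$2
    if [ "$_rc" -ne 0 ]; then
        echo "openssl exited with status $_rc"
        return 1
    fi
    # A non-successful response status (trylater, internalerror, ...) shows
    # up only as text; the exit status can still be zero.
    _err=$(printf '%s\n' "$_out" | sed -n 's/^Responder Error: *//p' | head -n 1)
    if [ -n "$_err" ]; then
        echo "responder error: $_err"
        return 2
    fi
    if ! printf '%s\n' "$_out" | grep -q '^Response verify OK$'; then
        echo "response signature not verified"
        return 3
    fi
    if ! printf '%s\n' "$_out" | grep -Eq '^[^[:space:]].*: good$'; then
        echo "certificate status is not good"
        return 4
    fi
    return 0
}

# Demo run over the constructed samples.
for _s in "$SAMPLE_GOOD" "$SAMPLE_TRYLATER" "$SAMPLE_REVOKED" "$SAMPLE_UNVERIFIED"; do
    if ocsp_output_ok 0 "$_s"; then echo "ok: response accepted"; fi
done
```

In a real updater the two arguments would come from running `openssl ocsp` with stdout and stderr captured together, and a non-zero return would keep the previously stapled response in place.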