Currently, automatic updates of the OCSP Stapling file are disabled, with a manual global hack in place that needs regular tending. Re-enable once basic issues are confirmed fixed and/or GlobalSign seems to have stabilized their outputs.
Related Gerrit Patches:
|operations/puppet : production||Revert "disable ocsp updater cron for now"|
|Resolved||BBlack||T109740 ocsp updater: re-enable automatic updates|
|Resolved||BBlack||T109738 ocsp updater: validate the signature expiry lifetime|
|Resolved||BBlack||T109737 ocsp updater: handle openssl "trylater" and similar more-gracefully|