Hi Kathleen and John,
We are looking into this issue. We are not able to replicate the problem and we are not certain what the https://tls-observatory.services.mozilla.com/static/ev-checker.html is doing, exactly.
exit status 1, Stderr: Error making OCSP request to ' seems to be some problem with the tool and is not indicative of an error at the OCSP responder's side. Unfortunately we could not check the source code of your tool because https://github.com/mozkeeler/ev-checker only points to the web site where the tool is available.
All of our OCSP responders (for the 2015 and 2021 hierarchies) are using the same infrastructure and software. The 2015 hierarchy seems to work ok with your tool but not the 2021 one. Perhaps it's because the SubCA Certificate from the 2021 hierarchy does not contain an OCSP URI in the AIA extension so there is no OCSP check for that, as it is allowed according to the latest BRs, but that's just a guess.
We confirmed the correct behavior of our OCSP responders using OpenSSL, which you can reproduce by following these steps:
Download the CA Certificates:
wget -q http://repo.harica.gr/certs/HaricaECCEVTLSSubCAR1.pem http://repo.harica.gr/certs/HARICA-EV-TLS-Sub-E1.pem http://repo.harica.gr/certs/HARICA-TLS-Root-2021-ECC.pem
For checking the 2015 ECC hierarchy (Serial Number from https://haricaeccrootca2015-valid-ev.harica.gr):
openssl ocsp -url http://ocsp.harica.gr -issuer HaricaECCEVTLSSubCAR1.pem -serial 0x481EB14FC4D8F65BF88476D1B5088897 -no_nonce
Response verify OK
This Update: Oct 12 08:26:28 2021 GMT
Next Update: Oct 14 08:26:28 2021 GMT
For checking the 2021 ECC TLS hierarchy (Serial Number from https://tls-ecc-valid-ev.root2021.harica.gr):
openssl ocsp -url http://ocsp.harica.gr -CAfile HARICA-TLS-Root-2021-ECC.pem -issuer HARICA-EV-TLS-Sub-E1.pem -serial 0x767FE746364554331D926EF9F8836FA7 -no_nonce
Response verify OK
This Update: Oct 12 08:30:57 2021 GMT
Next Update: Oct 14 08:30:57 2021 GMT
We also checked our OCSP responders using https://certificate.revocationcheck.com. We ran it more than 10 times and we had zero cases where an error was thrown. I will attach the reports.
If you have any concerns about the reliability of HARICA's OCSP servers, please provide us with more information so we can troubleshoot.