OCSP responder not present?
6,434
Regarding 1)
OCSP has a "Response signing key/certificate pair" used to authenticate the response. This certificate is given in the response to:
$ openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text
-----BEGIN CERTIFICATE-----
[...]
UMiqxBNugzQ=
-----END CERTIFICATE-----
So let's save that to signcert.pem and see what's up:
$ openssl ocsp -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text | sed -n '/-----BEGIN/,/-----END/p' > signcert.pem
$ openssl verify signcert.pem
signcert.pem: C = BE, O = GlobalSign nv-sa, CN = GlobalSign OV CA - SHA256 - G2 OCSP responder - 2, serialNumber = 20150914163800
error 20 at 0 depth lookup:unable to get local issuer certificate
Okay... Guess we're missing the intermediate?
$ openssl x509 -noout -text -in signcert.pem | grep -e 'Issuer:' -e '.crt'
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
OK, no issuer URI field... That's just dirty. Let's fetch it from the CA and form a chain:
$ curl https://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt | openssl x509 -inform der -outform pem >> signcert.pem
Ok, this should w...:
$ openssl ocsp -VAfile signcert.pem -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text
[...]
-----BEGIN CERTIFICATE-----
[...]
/TiSgNCpgNg=
-----END CERTIFICATE-----
Response Verify Failure
... WTF ?! Oh, different signing cert?!
$ cat >> signcert.pem
-----BEGIN CERTIFICATE-----
MIID9DCCAtygAwIBAgISESEjxqkycL2lZt0CfS9OgUN2MA0GCSqGSIb3DQEBCwUA
MGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYD
VQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hB
MjU2IC0gRzIwHhcNMTUwODIwMTgxOTQxWhcNMTUxMTIwMTgxOTQxWjB9MQswCQYD
VQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTE6MDgGA1UEAxMxR2xv
YmFsU2lnbiBPViBDQSAtIFNIQTI1NiAtIEcyIE9DU1AgcmVzcG9uZGVyIC0gMTEX
MBUGA1UEBRMOMjAxNTA4MjAyMDE4MDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC+8xxGkIda/04pKK3AXuLz8S8EH4qouLbP/lrd+DFY1oI8fU4kosO+
WjvBPMeK1ZvvR6YjcNhIRsoYsDWdvhMv8/qvu1GQBrs1oC2910lg3fGIR48LR6TR
+XYC1jFv0IHaF5vp+e2nu3diJi7FKHMbP5jVdd1e6cuEcrq+pEW7WkPDQnhzh6U/
GGdhxbH8uk4KPH42Os0Rf6la99EyXzJZ8zccy0ySGnIOF5Km1efXg0qwx3PEk3MQ
fbFG3n4zE7lwBsrEgACI+V9K50tWfJIAm8Ll/xpGhvqF+6swCr0WExMcqaNpdVsf
hiHFD18k8v4R6t7ht+cWx1YvSSA+/hz3AgMBAAGjgYQwgYEwCQYDVR0TBAIwADAO
BgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYJKwYBBQUHMAEF
BAIFADAdBgNVHQ4EFgQU8haQnheoUW3t3+j0OaxZMUgEjIkwHwYDVR0jBBgwFoAU
lt5h8b0cFilTHMDMfTuDAEDmGnwwDQYJKoZIhvcNAQELBQADggEBAH0MXy5hmHXc
G88ntZ2YcM3C6AAVqpfZ2+KYwL06cjmAFvNx6nWUN2w5MD59fiQC3DENCvlEGe29
d9+zsPM4hwEVRGKBIDueXycI0BNRAViacaks4OqRcc8gi1SBE5j94yt1kfp6VBhc
yQBU4Cg5UBy4OA3SsnYdt/Ur1Xm+BDlpi5WWROM1O5UECquLU3/P1prxF78EkTdv
OSGtP1VLMS47hk5v+sUC3hnfwUyKnr2oiVV6CvxxLOipdeDGl68dVisauNf7Dp9H
YvO8OLkN9es+R2AV5iFIzLWHjsQxLOrY18bi6N0zMP7tuZIRSVpil+b49KJ8T/e1
/TiSgNCpgNg=
-----END CERTIFICATE-----
^D
Fingers crossed...
$ openssl ocsp -VAfile signcert.pem -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com"
Response verify OK
wikipedia.pem: good
This Update: Sep 15 17:01:20 2015 GMT
Next Update: Sep 16 05:01:20 2015 GMT
Hell yeah!
Related videos on Youtube
08 : 46
Implementing OCSP Follow Up
06 : 40
Revocation of digital certificates: CRL, OCSP, OCSP stapling
17 : 23
10. Install and Configure the OCSP Responder Role service
09 : 42
Certificates Gone Bad! Certificate Revocation Techniques Explained (CRL, OCSP, OCSP Stapling)
44 : 23
Implementing OCSP
03 : 12
DevOps & SysAdmins: OCSP responder not present?
Author by
Robert Weaver
Updated on September 18, 2022Comments
-
Robert Weaver almost 2 years
Am trying to set up OCSP validation routines, and so want to be comfortable with the environment first. Found excellent tutorials at for example OpenSSL: Manually verify a certificate against an OCSP.
Multiple questions arise, so please bear with me.
There have been some changes since that tutorial, but I think the gist is:
1) snag the certificate you want to verify, e.g.
openssl s_client -connect wikipedia.org:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > wikipedia.pem2) build the certificate chain, e.g.
openssl s_client -connect wikipedia.org:443 -showcerts 2>&1 < /dev/null > chain.pemand then edit appropriately. I found that the above doesn't provide the self-signed CA certificate, GlobalSignRootCA, so added that in.
3) Determine the ocsp URI, e.g.
openssl x509 -noout -ocsp_uri -in wikipedia.pemwhich returns
http://ocsp2.globalsign.com/gsorganizationvalsha2g24) Invoke the openssl ocsp client, e.g.
openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2which returns
[woody@oc2042275410 testCerts]$ openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http ://ocsp2.globalsign.com/gsorganizationvalsha2g2 Error querying OCSP responsder 140062843348808:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden(responsder?)
I read that this is due to a virtualization issue, so
openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com"which yields
Response Verify Failure 140400906352456:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate wikipedia.pem: good This Update: Apr 28 23:10:10 2015 GMT Next Update: Apr 29 11:10:10 2015 GMTSo I'm getting that the OCSP returned that the cert is good, but this leads to question 1: why the error 'unable to get local issuer certificate'?
Ok, trying again with Google. Same routine, capturing cert, checking for OCSP URI:
openssl x509 -noout -ocsp_uri -in google.pemyields
http://clients1.google.com/ocsp.Fair enough:
openssl ocsp -issuer gchain.pem -cert google.pem -url http://clients1.google.com/ocsp Error querying OCSP responsder 140433209165640:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=404,Reason=Not FoundNot Found? That seemed surprising. Checking with wireshark:
> POST /ocsp HTTP/1.0 > Content-Type: application/ocsp-request > Content-Length: 112 > 0n0l0E0C0A0...+..........j.....p.I.#z...(~d...U.. [.5...J:.......l..9.....{6.#0!0...+.....0......].O.9..}d`.L... < ~HTTP/1.0 404 Not Found < Content-Type: text/html; charset=UTF-8 < X-Content-Type-Options: nosniff < Date: Tue, 28 Apr 2015 22:42:40 GMT < Server: sffe < Content-Length: 1429 < X-XSS-Protection: 1; mode=block < Alternate-Protocol: 80:quic,p=1 < < <!DOCTYPE html> < <html lang=en> < <meta charset=utf-8> < <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> < <title>Error 404 (Not Found)!!1</title> < <style> < *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/errors/logo_sm_2.png) no-repeat}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/errors/logo_sm_2_hr.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:55px;width:150px} < </style> < <a href=//www.google.com/><span id=logo aria-label=Google></span></a> < <p><b>404.</b> <ins>That...s an error.</ins> < <p>The requested URL <code>/ocsp</code> was not found on this server. <ins>That...s all we know.</ins>So that is question 2: is this correct, the OCSP was moved, and isn't present at the OCSP URI? Is it perhaps that the server has uniformly moved to OCSP stapling, and doesn't consider the OCSP server important any longer?
-
Admin almost 9 yearsDid you try adding -noverify to openssl ocsp? -
Robert Weaver almost 9 years-noverify works in the first case, although that doesn't explain the error in question 1, just removes it. I still don't understand why it can't find the local issuer certificate.
-