GithubHelp home page GithubHelp logo

Comments (5)

pierky avatar pierky commented on July 17, 2024

Hello,

that error means that the openssl ocsp command failed the validation of the OCSP response for some reason.

If you add the --keep-temp option to the command that you are using you can further inspect the content of the temporary directory that this script creates to store temporary files, OCSP responses and openssl output.

Please also consider to try the --partial-chain and --noverify options to get a better view of what the reason behind this could be.

from haproxy-ocsp-stapling-updater.

timstoop avatar timstoop commented on July 17, 2024

Hm, with --noverify I get: OCSP response: Responder Error: unauthorized (6).

Could you provide some more guidance? Is there a way to get a more elaborate message from the OCSP server to see why it's not allowing me to check it?

from haproxy-ocsp-stapling-updater.

timstoop avatar timstoop commented on July 17, 2024

With --partial-chain I get: Error processing '/etc/haproxy/ssl/193.67.138.64/wildcard.customer.tld_haproxy.pem': can't validate the EE certificate against the extracted chain. Might it be that we're using an incorrect intermediate here?

EDIT: Nope, that doesn't seem to be it:

/tmp/hapos-upd.bx0hrqB0vD# openssl verify -CAfile chain.pem -verbose ee.pem 
ee.pem: OK

from haproxy-ocsp-stapling-updater.

pierky avatar pierky commented on July 17, 2024

Hello @timstoop,

I ran some tests and it seems your chain is in an incorrect order.

The correct order should be the following:

Fingerprint=13:27:59:E5:1C:1E:8C:C2:60:20:EA:4B:A7:79:D2:9C:81:14:56:14 - EE certificate
Fingerprint=33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39
Fingerprint=F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0
Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68

You have to edit the .pem file and reorder the certificates. In that way you'll be able to obtain a valid OCSP response.

Closing this now, but please feel free to reopen it if this doesn't work for you.
I'll file a new issue to track a feature request, something that could produce a warning in cases like this one.

Thanks.

from haproxy-ocsp-stapling-updater.

timstoop avatar timstoop commented on July 17, 2024

That solved the issue indeed! Thank you very much for your help, really appreciated.

from haproxy-ocsp-stapling-updater.

Related Issues (7)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.