[Solved] Cannot verify ocsp


#1

Hello,

I apologize in advance if my statements are confusing. I am not a native English speaker.
I am typically using the following syntax below with other CAs for an ocsp primer. example.com is a domain enlisted in the beta invite.

openssl ocsp -noverify -no_nonce -respout /home/username/ssl/certs/ocsp.resp -issuer /etc/letsencrypt/live/example.com/fullchain.pem -cert /etc/letsencrypt/live/example.com/cert.pem -url openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text | grep "OCSP - URI:" | cut -d: -f2,3

For other CAs it would return something like:

This Update: Nov 5 15:58:37 2015 GMT
Next Update: Nov 12 15:58:37 2015 GMT

When I use one of the Let’s Encrypt certs, I get the following output instead:

Error parsing URL
OCSP utility
Usage ocsp [options]
where options are
-out file output filename
-issuer file issuer certificate
-cert file certificate to check
-serial n serial number to check
-signer file certificate to sign OCSP request with
-signkey file private key to sign OCSP request with
-sign_other file additional certificates to include in signed request
-no_certs don't include any certificates in signed request
-req_text print text form of request
-resp_text print text form of response
-text print text form of request and response
-reqout file write DER encoded OCSP request to "file"
-respout file write DER encoded OCSP reponse to "file"
-reqin file read DER encoded OCSP request from "file"
-respin file read DER encoded OCSP reponse from "file"
-nonce add OCSP nonce to request
-no_nonce don't add OCSP nonce to request
-url URL OCSP responder URL
-host host:n send OCSP request to host on port n
-path path to use in OCSP request
-CApath dir trusted certificates directory
-CAfile file trusted certificates file
-trusted_first use trusted certificates first when building the trust chain
-VAfile file validator certificates file
-validity_period n maximum validity discrepancy in seconds
-status_age n maximum status age in seconds
-noverify don't verify response at all
-verify_other file additional certificates to search for signer
-trust_other don't verify additional certificates
-no_intern don't search certificates contained in response for signer
-no_signature_verify don't check signature on response
-no_cert_verify don't check signing certificate
-no_chain don't chain verify response
-no_cert_checks don't do additional checks on signing certificate
-port num port to run responder on
-index file certificate status index file
-CA file CA certificate
-rsigner file responder certificate to sign responses with
-rkey file responder key to sign responses with
-rother file other certificates to include in response
-resp_no_certs don't include any certificates in response
-nmin n number of minutes before next update
-ndays n number of days before next update
-resp_key_id identify reponse by signing certificate key ID
-nrequest n number of requests to accept (default unlimited)
- use specified digest in the request
140369926551368:error:27072079:OCSP routines:OCSP_parse_url:error parsing url:ocsp_lib.c:254:

The URL however seems to be correct?

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text | grep "OCSP - URI:" | cut -d: -f2,3

returns

http://ocsp.int-x1.letsencrypt.org/

Further on, I am slightly confused. In my other CA’s issuer file I have the intermediate and the root cert. In the fullchain.pem however I can only see the cert and 1 intermediate?


#2

There are two problems I see in your command line:

  • You forgot to pass the URL itself after the -url flag. You should have -url http://ocsp.int-x1.letsencrypt.org/ in the command line.
  • The -issuer flag points to fullchain.pem, but it should point to chain.pem, which contains the intermediate.

In my other CA’s issuer file I have the intermediate and the root cert. In the fullchain.pem however I can only see the cert and 1 intermediate?

This is expected. The files under /etc/letsencrypt are intended for use in setting up web servers. If you’d like to download the DST Root X3 or ISRG Root X1 certificates, you can do so at https://letsencrypt.org/certificates/.


#3

Thank you so much. You pointed me in the right direction.

After pointing to the proper issuer, I still got this error:

Error querying OCSP responsder
139953590998856:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request

It can however easily be fixed by appending the following to complete the curl one liner:

-header "HOST" "ocsp.int-x1.letsencrypt.org"

I hope this may help anyone who runs into this.

Off topic:
I love the heat map by the way:
https://plot.ly/~letsencrypt/13/ocsp-updates/

I can’t wait for you to go live. We’re now ready to offer traffic encryption on all hosted sites on our cPanel servers with nginx automatically. :slight_smile:
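The thread ends up with three fixes: a real URL after -url, chain.pem (intermediate only) as the issuer, and an explicit Host header for the OpenSSL 1.0.x client. The wrapper below is an added example, not code from the thread or from Let's Encrypt, that puts those together in POSIX sh and, unlike the original -noverify command, leaves the response signature check enabled; the function names, file paths and the version-dependent -header form are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: query a certificate's OCSP
# responder with the fixes the thread arrives at. Names and paths are
# assumptions; the response signature is verified instead of -noverify.

# OCSP responder URL from the certificate's Authority Information Access.
ocsp_uri_from_cert() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Host part of a URL: drop the scheme, then anything from '/' or ':' on.
ocsp_host_from_url() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#[/:].*$##'
}

# Argument list for "openssl ocsp". OpenSSL 1.0.x takes "-header name value"
# (the form used in the thread); 1.1.0 and later take "-header name=value"
# and send Host on their own. Paths and URLs without spaces are assumed.
build_ocsp_args() {
    cert=$1; chain=$2; url=$3; version=$4
    host=$(ocsp_host_from_url "$url")
    case $version in
        "OpenSSL 1.0."*) hdr="-header Host $host" ;;
        *)               hdr="-header Host=$host" ;;
    esac
    # -issuer is chain.pem (the intermediate), not fullchain.pem.
    # -CAfile supplies the trust store used when verifying the response
    # signature; the thread's -noverify would skip that check entirely.
    printf '%s\n' "-issuer $chain -cert $cert -url $url $hdr -no_nonce -CAfile $chain"
}

# Reduce the "openssl ocsp" report to the status word for the certificate.
ocsp_status_from_output() {
    printf '%s\n' "$1" | sed -n -E 's#^.*: (good|revoked|unknown)$#\1#p' | head -n 1
}

# Usage: ocsp_check cert.pem chain.pem  -> prints good / revoked / unknown
ocsp_check() {
    url=$(ocsp_uri_from_cert "$1")
    args=$(build_ocsp_args "$1" "$2" "$url" "$(openssl version)")
    # word splitting of $args is intended here
    out=$(openssl ocsp $args 2>&1)
    ocsp_status_from_output "$out"
}

if [ "$#" -eq 2 ]; then
    ocsp_check "$1" "$2"
fi
```

Run as `sh ocsp_check.sh cert.pem chain.pem`; only ocsp_check itself needs network access to the responder, the argument-building and parsing functions work offline.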