[Solved] Cannot verify ocsp

Hello,

I apologize in advance if my statements are confusing. I am not a native English speaker.
I am typically using the following syntax below with other CAs for an ocsp primer. example.com is a domain enlisted in the beta invite.

openssl ocsp -noverify -no_nonce -respout /home/username/ssl/certs/ocsp.resp -issuer /etc/letsencrypt/live/example.com/fullchain.pem -cert /etc/letsencrypt/live/example.com/cert.pem -url $(openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text | grep "OCSP - URI:" | cut -d: -f2,3)

For other CAs it would return something like:

This Update: Nov 5 15:58:37 2015 GMT
Next Update: Nov 12 15:58:37 2015 GMT

When I use one of the Let's Encrypt certs, I get the following output instead:

Error parsing URL
OCSP utility
Usage ocsp [options]
where options are
-out file output filename
-issuer file issuer certificate
-cert file certificate to check
-serial n serial number to check
-signer file certificate to sign OCSP request with
-signkey file private key to sign OCSP request with
-sign_other file additional certificates to include in signed request
-no_certs don't include any certificates in signed request
-req_text print text form of request
-resp_text print text form of response
-text print text form of request and response
-reqout file write DER encoded OCSP request to "file"
-respout file write DER encoded OCSP reponse to "file"
-reqin file read DER encoded OCSP request from "file"
-respin file read DER encoded OCSP reponse from "file"
-nonce add OCSP nonce to request
-no_nonce don't add OCSP nonce to request
-url URL OCSP responder URL
-host host:n send OCSP request to host on port n
-path path to use in OCSP request
-CApath dir trusted certificates directory
-CAfile file trusted certificates file
-trusted_first use trusted certificates first when building the trust chain
-VAfile file validator certificates file
-validity_period n maximum validity discrepancy in seconds
-status_age n maximum status age in seconds
-noverify don't verify response at all
-verify_other file additional certificates to search for signer
-trust_other don't verify additional certificates
-no_intern don't search certificates contained in response for signer
-no_signature_verify don't check signature on response
-no_cert_verify don't check signing certificate
-no_chain don't chain verify response
-no_cert_checks don't do additional checks on signing certificate
-port num port to run responder on
-index file certificate status index file
-CA file CA certificate
-rsigner file responder certificate to sign responses with
-rkey file responder key to sign responses with
-rother file other certificates to include in response
-resp_no_certs don't include any certificates in response
-nmin n number of minutes before next update
-ndays n number of days before next update
-resp_key_id identify reponse by signing certificate key ID
-nrequest n number of requests to accept (default unlimited)
- use specified digest in the request
140369926551368:error:27072079:OCSP routines:OCSP_parse_url:error parsing url:ocsp_lib.c:254:

The URL however seems to be correct?

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text | grep "OCSP - URI:" | cut -d: -f2,3

returns

http://ocsp.int-x1.letsencrypt.org/

Further on, I am slightly confused. In my other CA's issuer file I have the intermediate and the root cert. In the fullchain.pem however I can only see the cert and 1 intermediate?

There are two problems I see in your command line:

  • You forgot to pass the URL itself after the -url flag. You should have -url http://ocsp.int-x1.letsencrypt.org/ in the command line.
  • The -issuer flag points to fullchain.pem, but it should point to chain.pem, which contains the intermediate.

In my other CA's issuer file I have the intermediate and the root cert. In the fullchain.pem however I can only see the cert and 1 intermediate?

This is expected. The files under /etc/letsencrypt are intended for use in setting up web servers. If you'd like to download the DST Root X3 or ISRG Root X1 certificates, you can do so at Chain of Trust - Let's Encrypt.

Thank you so much. You pointed me in the right direction.

After pointing to the proper issuer, I still got this error:

Error querying OCSP responsder
139953590998856:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request

It can however easily be fixed by appending the following to complete the curl one liner:

-header "HOST" "ocsp.int-x1.letsencrypt.org"

I hope this may help anyone who runs into this.

Off topic:
I love the heat map by the way:
https://plot.ly/~letsencrypt/13/ocsp-updates/

I can't wait for you to go live. We're now ready to offer traffic encryption on all hosted sites on our cPanel servers with nginx automatically. :)
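The three fixes from this thread (pass the responder URL to -url, point -issuer at chain.pem rather than fullchain.pem, and send a Host header) put together as one script. This is an added example, not code from either poster. The paths under /etc/letsencrypt/live/example.com/ and the responder URL http://ocsp.int-x1.letsencrypt.org/ are the ones in the thread; trust.pem (chain.pem concatenated with the root downloaded from the Chain of Trust page) is an assumption, and the script checks the response signature against it instead of using -noverify. The sample "OCSP - URI:" text is constructed, so the script runs offline and prints the command to run.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. Paths under
# /etc/letsencrypt/live/example.com/ and the responder URL come from the thread;
# trust.pem (chain.pem plus the root from the Chain of Trust page) is an assumption.

# Step 1: pull the responder URL out of `openssl x509 -text` output on stdin.
# Same idea as the thread's grep | cut, but tolerant of leading whitespace and CRLF.
ocsp_uri_from_text() {
    grep 'OCSP - URI:' | head -n 1 | sed 's/^.*OCSP - URI://' | tr -d ' \r'
}

# Step 2: the Host header value is the URL with scheme and path stripped
# (the thread's "Code=400,Reason=Bad Request" went away once this header was sent).
host_from_url() {
    _u="${1#http://}"
    _u="${_u#https://}"
    printf '%s\n' "${_u%%/*}"
}

# Step 3: -header syntax depends on the OpenSSL release. 1.0.x takes
# "-header NAME VALUE" (the form used in the thread); 1.1.0 and later take
# "-header NAME=VALUE". $1 is the "major.minor" prefix of the version, $2 the host.
header_args() {
    case "$1" in
        0.*|1.0) printf '%s\n' "-header Host $2" ;;
        *)       printf '%s\n' "-header Host=$2" ;;
    esac
}

# Step 4: assemble the query. -issuer is chain.pem (the intermediate), not
# fullchain.pem. Instead of -noverify the response signature is checked:
# -CAfile holds root plus intermediate, and -verify_other offers the
# intermediate as a candidate signer when the responder does not embed it.
build_ocsp_cmd() {
    _live="$1"; _url="$2"; _ver="$3"; _trust="$4"
    _host=$(host_from_url "$_url")
    printf 'openssl ocsp -no_nonce -issuer %s/chain.pem -cert %s/cert.pem -CAfile %s -verify_other %s/chain.pem -url %s %s -respout ocsp.resp\n' \
        "$_live" "$_live" "$_trust" "$_live" "$_url" "$(header_args "$_ver" "$_host")"
}

# Constructed sample of the Authority Information Access lines from `openssl x509 -text`.
SAMPLE_X509_TEXT='            Authority Information Access:
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/
'

main() {
    live=/etc/letsencrypt/live/example.com
    url=$(printf '%s' "$SAMPLE_X509_TEXT" | ocsp_uri_from_text)
    # "OpenSSL 1.0.2g ..." -> 1.0 ; "OpenSSL 3.0.2 ..." -> 3.0 ; no openssl -> assume modern form
    ver=$(openssl version 2>/dev/null | awk '{print $2}' | cut -d. -f1,2)
    [ -n "$ver" ] || ver=1.1
    # With real files in place: cat "$live/chain.pem" root.pem > trust.pem, then run the printed command
    build_ocsp_cmd "$live" "$url" "$ver" trust.pem
}

main "$@"
```

Against a live certificate, replace the constructed sample with `openssl x509 -in "$live/cert.pem" -text | ocsp_uri_from_text`; a good run ends with "Response verify OK" followed by the This Update / Next Update lines shown earlier in the thread, and a response signed by anything outside trust.pem is rejected rather than silently accepted.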