I am running a job to generate OCSP staples for many of our certificates through openssl and two of them are consistently returning an "unauthorized", but are still generating a staple. I had hoped that this might be intermittent and stop happening, but it has been persisting for a couple of weeks. The job generates staples for many other certificates which work as expected.
The problem reads the same as this one (not that I'm trying to say they are related).
I will look into this, but as I mentioned we are going through this same process for many other certificate files (50+), all of which are constructed in the same way, so the fact that this only happens for a couple of certificates is a little odd.
As far as I am aware the certificate is valid.
cat login.dev.nutmeg.co.uk.pem | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:ce:c6:fc:23:3a:6b:0c:6e:94:07:e6:a7:a2:24:2e:ba:ad
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Dec 15 14:57:03 2020 GMT
Not After : Mar 15 14:57:03 2021 GMT
Subject: CN = login.dev.nutmeg.co.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b4:a5:85:16:0a:a3:75:13:4e:92:f5:09:39:ea:
0f:6f:3d:8a:03:e1:c8:5d:fd:7e:aa:63:0c:6d:ac:
02:d1:41:3e:79:6a:e3:f4:63:32:a3:49:39:c4:43:
dd:5c:2e:17:f8:4a:48:c8:ef:dd:50:7f:37:9a:b9:
bc:b0:a3:35:fe:ba:8d:32:1f:45:d0:39:38:3f:87:
e5:e5:51:88:af:a2:0e:84:0e:a9:4e:99:78:28:4a:
61:09:c6:ce:cb:36:41:17:9b:87:56:96:77:b1:78:
8c:71:88:95:d0:40:e3:88:b5:8d:ac:c7:84:53:97:
13:7c:9f:1c:19:79:15:d0:7f:5b:7e:5c:c8:33:28:
44:8e:9c:04:9c:dc:aa:ee:9b:35:18:09:69:8a:81:
04:21:ea:eb:5a:64:6c:9c:26:e1:42:ea:e1:1e:62:
9a:6e:8f:d8:90:37:63:b6:12:93:35:0e:23:93:de:
95:e2:32:11:29:67:b9:54:e7:9d:34:db:35:51:a6:
33:b6:ab:a8:97:a0:9f:cb:a7:8d:86:83:4e:3a:05:
4f:78:45:a9:2d:3a:2a:4c:91:4c:0c:70:cd:0b:8d:
81:bd:f3:f6:c3:ff:3f:26:b8:b7:66:6e:9f:27:8b:
c8:d9:ab:39:88:aa:74:f5:a7:bf:95:a0:42:38:9c:
33:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
07:AE:73:D2:F5:48:9D:4A:DE:24:A2:B1:2B:C3:B2:92:86:22:C6:8C
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:login.dev.nutmeg.co.uk
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10:
37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA
Timestamp : Dec 15 15:57:04.264 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:16:B0:53:7A:32:98:12:6B:F8:AC:3A:D4:
8B:97:12:46:07:92:2D:22:64:96:65:E2:8D:58:57:AA:
9B:1B:D7:A3:02:21:00:D0:A1:FF:69:37:DC:C2:4C:07:
5B:A1:0A:EB:DB:58:34:1F:C9:4E:65:60:10:DB:8A:D7:
8A:A4:5B:44:F3:B7:7A
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 7D:3E:F2:F8:8F:FF:88:55:68:24:C2:C0:CA:9E:52:89:
79:2B:C5:0E:78:09:7F:2E:6A:97:68:99:7E:22:F0:D7
Timestamp : Dec 15 15:57:04.294 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:2F:DA:B8:24:3E:7F:31:73:5D:0E:E7:58:
29:73:6D:49:0F:41:9F:91:3B:05:EF:9F:A9:0D:74:81:
80:C9:F7:A4:02:21:00:DC:8D:17:13:1B:4F:63:57:9A:
59:98:DD:EA:87:1B:6E:5A:9D:40:AD:ED:6A:AD:7F:C3:
11:4D:C0:C5:5B:43:24
Signature Algorithm: sha256WithRSAEncryption
19:75:c4:b4:53:74:9a:8f:36:91:0e:77:41:4e:9f:d4:c0:0a:
60:7b:bc:80:bf:90:b4:a5:fa:51:9f:fb:00:f6:01:be:36:0e:
33:da:59:ef:39:4f:46:8f:2a:2d:bf:e6:72:b8:48:13:6d:3c:
fe:21:c3:94:52:27:f8:85:63:bc:51:4c:18:14:93:6c:5d:82:
f0:1e:59:17:5c:f5:10:36:65:1e:90:14:18:d5:3e:67:1d:9e:
c1:56:e6:1c:a0:2a:12:52:8b:9f:4c:fe:e1:8f:a4:1b:84:eb:
aa:4f:3d:ff:25:17:b7:43:e8:34:1a:d0:27:8e:4c:9b:d5:4b:
99:f5:d9:ca:33:b9:cf:6e:9c:44:01:f2:2a:8d:aa:57:07:2e:
79:7e:56:a8:d0:f4:7c:a0:2a:cf:1d:3b:9e:b5:e2:db:d9:29:
f5:43:95:1d:33:3a:0b:de:e6:b8:22:22:80:7c:b4:1a:a7:09:
ab:00:6e:5e:81:b1:42:10:12:ad:c1:9f:84:85:e3:78:7c:94:
c6:76:b0:89:26:ea:84:e9:45:06:9b:88:01:52:68:18:39:ba:
66:65:a2:d5:68:92:58:0b:55:ee:86:6f:4e:71:b3:f8:eb:cb:
71:1f:f3:e0:2b:02:ad:0e:df:0c:64:3e:10:6c:c2:9e:1e:c7:
9d:f4:73:52
@jsha. Apologies for pinging you directly, but you have liked the issue and are a LE engineer, so I wondered if you had any additional insight on this?
Ah, sorry for stealth liking and not replying. I went off to check our metrics and see if we were serving larger than normal numbers of unauthorized responses, found that we were not, and forgot to come back with an update.
We can return unauthorized for a variety of reasons: the request was malformed; the issuer name or issuer key hash in the request didn't match any of ours; the serial does not exist.
Can you run your openssl command with -reqout nutmeg-request.req, and then share the .req file? It will have an OCSP request body, which doesn't contain any secret information, just the issuer info and the serial. Discourse is picky about what types you can upload, but if you base64 encode it and save as a .txt it should work.
Thanks! The OCSP requests you are sending are for an expired certificate. Here's how I checked:
$ base64 -d <<<MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgM5e9E+brd00yGdSuU41vpeBw== > rcjames.req
$ openssl ocsp -text -reqin rcjames.req
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03397BD13E6EB774D3219D4AE538D6FA5E07
$ wget https://acme-v02.api.letsencrypt.org/acme/cert/03397BD13E6EB774D3219D4AE538D6FA5E07
--2021-02-15 10:09:04-- https://acme-v02.api.letsencrypt.org/acme/cert/03397BD13E6EB774D3219D4AE538D6FA5E07
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 2606:4700:60:0:f53d:5624:85c7:3a2c, 172.65.32.248
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|2606:4700:60:0:f53d:5624:85c7:3a2c|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3575 (3.5K) [application/pem-certificate-chain]
Saving to: ‘03397BD13E6EB774D3219D4AE538D6FA5E07’
03397BD13E6EB774D3219D4AE538D6FA5E07 100%[=====================================================================================================================>] 3.49K --.-KB/s in 0s
2021-02-15 10:09:05 (278 MB/s) - ‘03397BD13E6EB774D3219D4AE538D6FA5E07’ saved [3575/3575]
$ openssl x509 -text -noout -in 03397BD13E6EB774D3219D4AE538D6FA5E07
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:39:7b:d1:3e:6e:b7:74:d3:21:9d:4a:e5:38:d6:fa:5e:07
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Nov 6 12:48:31 2020 GMT
Not After : Feb 4 12:48:31 2021 GMT
Subject: CN = login.dev.nutmeg.co.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:d3:65:c3:f3:ac:5f:0e:df:96:5e:25:d0:5c:
a8:22:31:9f:19:f0:f7:da:89:55:4d:eb:05:1c:3d:
b8:f0:6c:14:bf:64:92:24:fd:38:86:e9:09:66:18:
b0:09:01:e7:fe:da:fa:a5:f2:5c:04:5f:e2:c4:ee:
03:c0:08:7b:94:2d:14:7b:13:e7:0f:63:10:f9:56:
f9:cb:3a:21:6b:24:05:92:ed:64:ae:d5:8f:bb:f6:
d8:b1:27:f0:d8:f4:c4:4a:9d:09:cd:fb:59:a4:34:
e5:e8:5a:40:0f:98:ba:3f:a3:c1:1d:10:16:2e:68:
8a:91:14:4b:d4:ca:38:c8:c1:c2:ef:1a:d9:91:90:
2a:47:8a:dd:36:24:f9:e8:c5:ea:e5:ac:b9:a5:fe:
fd:6e:1d:df:f3:e0:b3:b8:64:20:4a:bf:4d:c5:8d:
3f:53:51:2b:e3:03:46:17:37:02:9e:d4:70:fa:d8:
60:62:34:02:2c:b3:5f:eb:8e:e9:9e:de:45:1f:e9:
86:86:4e:4e:98:05:0a:9e:1a:0c:31:6e:c7:1c:47:
08:1d:78:77:04:6d:9e:23:c0:e6:54:3b:83:6e:d9:
f7:80:f8:f2:43:7b:b7:48:7d:08:5d:76:57:11:d1:
e2:52:17:43:8f:bb:42:34:29:d6:98:5f:2a:17:49:
09:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
C0:6B:C4:87:73:E6:44:95:BF:A9:EF:E5:A9:67:76:01:21:7D:DC:D3
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:login.dev.nutmeg.co.uk
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10:
37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA
Timestamp : Nov 6 13:48:31.545 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:1C:D1:CA:8D:73:2B:E2:4F:3E:3A:D2:56:
0C:ED:7D:1F:F4:FA:30:6B:11:92:AE:A8:DF:B1:A0:A1:
9A:3F:D9:F5:02:20:67:70:51:36:4F:07:B0:37:7A:A1:
6A:76:AE:31:3C:70:55:7C:D1:06:B7:6A:6B:A8:17:E3:
2D:F6:BE:89:0D:28
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 7D:3E:F2:F8:8F:FF:88:55:68:24:C2:C0:CA:9E:52:89:
79:2B:C5:0E:78:09:7F:2E:6A:97:68:99:7E:22:F0:D7
Timestamp : Nov 6 13:48:31.615 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:A3:6F:2B:6B:7B:D5:10:E4:FE:C2:66:
95:71:E3:BA:A4:8B:34:00:77:4F:5B:AE:DE:9E:F7:45:
52:5C:B8:22:E7:02:20:53:C5:89:0F:2F:1D:65:20:E4:
5D:F1:E0:10:E7:3A:CC:C8:D8:44:C2:1A:74:E8:0D:25:
77:7F:D7:C6:D6:DF:E3
Signature Algorithm: sha256WithRSAEncryption
4d:64:00:85:b4:fe:0b:f2:3c:c5:6e:9c:86:cb:ed:1a:5d:10:
3c:2a:8e:ee:34:b6:3f:c7:af:8e:77:c5:be:cc:2f:eb:a1:29:
4d:10:06:2d:d4:7c:13:44:f3:6f:4c:e7:4c:f1:26:25:0e:74:
8c:ff:63:c1:9d:2a:e8:11:78:6b:ae:16:bd:33:2a:25:66:5f:
8b:8d:86:03:24:0c:eb:97:91:92:5d:f0:bc:64:21:3a:86:74:
8e:78:7c:c8:f2:81:87:65:79:31:96:fb:e5:e6:a0:8c:2a:8d:
fd:e5:d3:0f:fe:f9:b8:72:18:08:33:19:e9:6b:f1:e7:ca:58:
be:cd:4b:4e:5d:98:dd:3b:ed:df:e0:1b:e3:80:7d:d2:cf:18:
d0:e5:76:f9:a5:01:99:02:3c:b1:58:ca:35:02:b3:99:20:49:
31:9c:f9:b8:92:b9:98:84:96:61:44:61:ba:a0:29:de:4c:b6:
97:04:e6:43:06:3f:9f:bf:b0:9e:73:85:2f:18:2c:11:be:a6:
86:23:29:e3:ae:7c:9e:58:f6:d4:bc:4b:02:55:f7:47:a7:d1:
9e:d8:f0:3f:4b:08:30:44:62:7a:43:59:53:2d:67:12:70:da:
3a:38:16:1d:04:4c:9f:2d:a5:0f:0c:2b:b0:f0:e8:4d:1e:55:
c9:cd:21:db
(summary: Use OpenSSL to parse the OCSP request and find the serial number; fetch the certificate corresponding to that serial number; use OpenSSL to parse that certificate)
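As an added example (not jsha's, OpenSSL's or Let's Encrypt's code), here are the first two steps of that summary in pure Python: it decodes the base64 request posted above and walks the DER by hand to pull out the CertID fields (hash algorithm, issuer name hash, issuer key hash, serial), which is exactly what the responder matches against its own issuers and the serial it is asked about. Only the request body from the thread is assumed; the values it prints are the same ones openssl ocsp -text shows.

```python
import base64

# OCSP request body rcjames posted in the thread (copied from the page, base64 DER).
REQ_B64 = ("MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR9"
           "3brm0Tm3pkVl7/Oo7KECEgM5e9E+brd00yGdSuU41vpeBw==")

def read_tlv(buf, pos=0):  # (tag, value, next_pos) for the DER element at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element of a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):  # DER OBJECT IDENTIFIER value -> dotted notation
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_ocsp_request(req_b64):
    """Return one dict per Request in OCSPRequest.tbsRequest.requestList (RFC 6960)."""
    _, tbs, _ = read_tlv(base64.b64decode(req_b64))  # OCSPRequest -> TBSRequest
    _, tbs_body, _ = read_tlv(tbs)
    # requestList is the first plain SEQUENCE; [0] version and [1] requestorName are optional
    request_list = next(val for tag, val in children(tbs_body) if tag == 0x30)
    cert_ids = []
    for _, request in children(request_list):
        _, cert_id, _ = read_tlv(request)  # Request -> CertID
        alg, name_hash, key_hash, serial = list(children(cert_id))[:4]
        oid = next(val for tag, val in children(alg[1]) if tag == 0x06)
        cert_ids.append({
            "hash_oid": decode_oid(oid),  # 1.3.14.3.2.26 is sha1
            "issuer_name_hash": name_hash[1].hex().upper(),
            "issuer_key_hash": key_hash[1].hex().upper(),
            "serial": serial[1].hex().upper(),  # DER INTEGER bytes, as OpenSSL prints them
        })
    return cert_ids

if __name__ == "__main__":
    for cert_id in parse_ocsp_request(REQ_B64):
        print(cert_id)  # compare "serial" with the certificate the job meant to staple
```

If the serial printed here is not the one in the certificate file you are stapling for, the job is reading a different (here, the expired) copy of the certificate.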
Thanks @jsha, that is a really useful insight! It looks like I had two copies of the certificate, an old one and a new one, and the old one was failing. Thank you very much for helping with this.