Hello Jarno,
thanks for the response. First of all, it worked!
It was the issue that you mentioned with the 300sec SKEW. I compiled
haproxy with a smaller value (30 :) ) and it returns the response :)
The test with the openssl that you mentioned returns Verified OK. The
problem was the reference to the past.
Finally, to ease your curiosity, the CA is HARICA ( harica.gr )
Thanks again!
On 6/4/2015 12:50 PM, Jarno Huuskonen wrote:
Hi,
On Mon, Apr 06, Vasileios Tzimourtos wrote:
/usr/bin/openssl ocsp -noverify -issuer $ROOT_CERT_FILE -cert
$SERVER_CERT_FILE -url "$OCSP_URL" -no_nonce -header Host `echo
"$OCSP_URL" | cut -d"/" -f3` -respout $OCSP_FILE
echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000
$OCSP_FILE)" | socat $HAPROXY_SOCKET stdio
Can you run openssl ocsp w/out -noverify (and maybe -VAfile) ?
So something like:
/usr/bin/openssl ocsp -issuer $ROOT_CERT_FILE \
-cert $SERVER_CERT_FILE -url "$OCSP_URL" -no_nonce \
-header Host `echo "$OCSP_URL" | cut -d"/" -f3` -respout $OCSP_FILE \
[ -VAfile $ROOT_CERT_FILE [-validity_period 300] ]
Running the above script returns that all is OK and that ocsp
response was updated
Do you get any messages about ocsp response if you reload haproxy/check
configuration sometime after creating the ocsp response ?
/etc/haproxy/certs/mycertificate.crt.pem: good
 This Update: Apr 6 08:28:46 2015 GMT
 Next Update: Apr 6 08:33:46 2015 GMT
OCSP Response updated!
Out of curiosity which CA issues responses for only 5min ?
Haproxy defaults.h has:
#define OCSP_MAX_RESPONSE_TIME_SKEW 300
In commit 4f3c87a5d942d4d0649c35805ff4e335970b87d4 there's:
" Haproxy stops serving OCSP response if nextupdate date minus
the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is
in the past.
"
Your problem may be that the ocsp response is valid for 5min(300s)
Quick check to test this could be to compile haproxy with
different OCSP_MAX_RESPONSE_TIME_SKEW (< 300) ?
-Jarno
--
Vassilis Tzimourtos
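The expiry rule Jarno quotes from haproxy (the response is dropped once nextUpdate minus OCSP_MAX_RESPONSE_TIME_SKEW is in the past), worked through as an added example; this is constructed illustration code, not haproxy's own, and it assumes the "This/Next Update" timestamps are in the format openssl ocsp prints above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed analogue of haproxy's rule (not haproxy's code):
 * a stapled response is served only while next_update - skew >= now. */
#define OCSP_MAX_RESPONSE_TIME_SKEW_DEFAULT 300

/* Days since 1970-01-01 for a civil UTC date (proleptic Gregorian),
 * so the example does not depend on the host timezone or timegm(). */
static long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse "Apr  6 08:33:46 2015 GMT" (openssl ocsp's print format)
 * into a UTC epoch second; returns -1 if the string does not parse. */
long ocsp_time_to_epoch(const char *s) {
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4];
    int d, H, M, S, Y;
    if (sscanf(s, "%3s %d %d:%d:%d %d", mon, &d, &H, &M, &S, &Y) != 6)
        return -1;
    const char *p = strstr(months, mon);
    if (!p || (p - months) % 3)          /* must land on a month boundary */
        return -1;
    int m = (int)(p - months) / 3 + 1;
    return days_from_civil(Y, m, d) * 86400L + H * 3600L + M * 60L + S;
}

/* 1 if haproxy would still serve the response at 'now', 0 if it drops it. */
int ocsp_response_usable(long next_update, long now, long skew) {
    return next_update - skew >= now;
}

int main(void) {
    /* Constructed from the timestamps in the thread: a 5-minute window. */
    long this_upd = ocsp_time_to_epoch("Apr  6 08:28:46 2015 GMT");
    long next_upd = ocsp_time_to_epoch("Apr  6 08:33:46 2015 GMT");
    long now = this_upd + 60;            /* loaded one minute after issue */
    printf("skew 300: %s\n", ocsp_response_usable(next_upd, now, 300) ? "served" : "dropped");
    printf("skew  30: %s\n", ocsp_response_usable(next_upd, now, 30) ? "served" : "dropped");
    return 0;
}
```

With the default skew the 5-minute response is already "in the past" the moment it is loaded, which is exactly what the 30-second rebuild fixed.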