Hi,

On Mon, Apr 06, Vasileios Tzimourtos wrote:
> It was the issue that you mentioned with the 300sec SKEW. I compiled
> haproxy with smaller value (30 :) ) and it returns the response :)

30s is probably too small: if the client's clock is off by > 30s then it's
possible that haproxy sends an OCSP response that the client thinks has
expired.

Maybe HARICA could issue responses that are valid for longer than 5m?
Or, if this is not possible, maybe something like 200 for SKEW and update
responses every 90s (<100)?

-Jarno

> The test with the openssl that you mentioned returns Verified OK.
> The problem was the reference to the past
>
> Finally, to ease your curiosity, the CA is HARICA ( harica.gr )
>
> Thanks again!
>
>
> On 6/4/2015 12:50 μμ, Jarno Huuskonen wrote:
> >Hi,
> >
> >On Mon, Apr 06, Vasileios Tzimourtos wrote:
> >>/usr/bin/openssl ocsp -noverify -issuer $ROOT_CERT_FILE -cert
> >>$SERVER_CERT_FILE -url "$OCSP_URL" -no_nonce -header Host `echo
> >>"$OCSP_URL" | cut -d"/" -f3` -respout $OCSP_FILE
> >>echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000
> >>$OCSP_FILE)" | socat $HAPROXY_SOCKET stdio
> >
> >Can you run openssl ocsp w/out -noverify (and maybe -VAfile) ?
> >So something like:
> >/usr/bin/openssl ocsp -issuer $ROOT_CERT_FILE \
> >  -cert $SERVER_CERT_FILE -url "$OCSP_URL" -no_nonce \
> >  -header Host `echo "$OCSP_URL" | cut -d"/" -f3` -respout $OCSP_FILE \
> >  [ -VAfile $ROOT_CERT_FILE [-validity_period 300] ]
> >
> >>Running the above script returns that all is OK and that ocsp
> >>response was updated
> >
> >Do you get any messages about ocsp response if you reload haproxy/check
> >configuration sometime after creating the ocsp response ?
> >
> >>/etc/haproxy/certs/mycertificate.crt.pem: good
> >>        This Update: Apr  6 08:28:46 2015 GMT
> >>        Next Update: Apr  6 08:33:46 2015 GMT
> >>OCSP Response updated!
> >
> >Out of curiosity which CA issues responses for only 5min ?
> >
> >Haproxy defaults.h has:
> >#define OCSP_MAX_RESPONSE_TIME_SKEW 300
> >
> >In commit 4f3c87a5d942d4d0649c35805ff4e335970b87d4 there's:
> >"  Haproxy stops serving OCSP response if nextupdate date minus
> >   the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is
> >   in the past.
> >"
> >
> >Your problem may be that the ocsp response is valid for 5min(300s)
> >Quick check to test this could be to compile haproxy with
> >different OCSP_MAX_RESPONSE_TIME_SKEW (< 300) ?
> >
> >-Jarno
>
> --
> Vassilis Tzimourtos

--
Jarno Huuskonen
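An added example, not code from this thread or from haproxy itself: it parses the text report that `openssl ocsp` prints (the "good / This Update / Next Update" lines pasted above) and applies the rule quoted from the haproxy commit, nextUpdate minus OCSP_MAX_RESPONSE_TIME_SKEW must still be in the future, so an operator can see why a response valid for only 300s is dropped at the default skew of 300 and how the suggested skew of 200 with a refresh every 90s fits inside the window. The sample report is constructed to mirror the thread's timestamps; the strictness of the comparison at the exact boundary and the 10-second refresh margin are assumptions, not taken from haproxy's source.

```python
import re
from datetime import datetime, timedelta, timezone

# haproxy's compiled-in default from defaults.h, as quoted in the thread.
OCSP_MAX_RESPONSE_TIME_SKEW = 300

# Constructed sample of `openssl ocsp` text output. The timestamps mirror the
# ones pasted in the thread: a response that is valid for only five minutes.
SAMPLE_OCSP_OUTPUT = """\
/etc/haproxy/certs/mycertificate.crt.pem: good
        This Update: Apr  6 08:28:46 2015 GMT
        Next Update: Apr  6 08:33:46 2015 GMT
"""

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"
_STATUS_RE = re.compile(r"^(?P<subject>\S+):\s+(?P<status>good|revoked|unknown)\s*$", re.M)
_THIS_RE = re.compile(r"^\s*This Update:\s*(?P<ts>.+?)\s*$", re.M)
_NEXT_RE = re.compile(r"^\s*Next Update:\s*(?P<ts>.+?)\s*$", re.M)


def _parse_ts(text):
    """openssl prints UTC timestamps such as 'Apr  6 08:28:46 2015 GMT'."""
    return datetime.strptime(text, _DATE_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp_output(text):
    """Extract (status, thisUpdate, nextUpdate) from openssl ocsp's text report."""
    status = _STATUS_RE.search(text)
    this_update = _THIS_RE.search(text)
    next_update = _NEXT_RE.search(text)
    if not (status and this_update and next_update):
        raise ValueError("unrecognised openssl ocsp output")
    return (status.group("status"),
            _parse_ts(this_update.group("ts")),
            _parse_ts(next_update.group("ts")))


def haproxy_would_serve(next_update, now, skew=OCSP_MAX_RESPONSE_TIME_SKEW):
    """Model of the rule quoted from the haproxy commit message: the response is
    dropped once nextUpdate minus the skew lies in the past. Whether the exact
    boundary instant is accepted is an assumption, not taken from haproxy's code."""
    return next_update - timedelta(seconds=skew) > now


def serve_window_seconds(this_update, next_update, skew=OCSP_MAX_RESPONSE_TIME_SKEW):
    """Seconds after thisUpdate during which haproxy keeps serving the response.
    Zero or negative means the response is useless from the moment it is issued."""
    return (next_update - this_update).total_seconds() - skew


def refresh_interval_seconds(this_update, next_update, skew=OCSP_MAX_RESPONSE_TIME_SKEW,
                             margin=10):
    """Refresh period for the job that pushes 'set ssl ocsp-response', leaving
    `margin` seconds (assumed) to fetch and install the next response.
    Returns 0 when no period can keep a serveable response installed."""
    return max(0, int(serve_window_seconds(this_update, next_update, skew)) - margin)


if __name__ == "__main__":
    status, this_u, next_u = parse_ocsp_output(SAMPLE_OCSP_OUTPUT)
    print("status:", status, " validity:", (next_u - this_u).total_seconds(), "s")
    for skew in (300, 200, 30):
        print(f"skew={skew:3d}s  serve window={serve_window_seconds(this_u, next_u, skew):4.0f}s"
              f"  refresh every {refresh_interval_seconds(this_u, next_u, skew)}s")
```

Running it shows a serve window of 0s at the default skew (the response is rejected as soon as it is issued), 100s at a skew of 200 (hence a refresh every 90s), and 270s at a skew of 30, which only works if every client's clock is within 30s of the server's.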

