Hi,

I’m trying to get OCSP stapling to work on haproxy 2.2.9 and I’m out of my
depth. I’ve set up a test installation with a Let’s Encrypt certificate,
concatenated key and full chain to build a bundle and generated the OCSP
file using https://github.com/pierky/haproxy-ocsp-stapling-updater.git. I’ve
put “ssl-load-extra-files all” in my global stanza. The Qualys SSL checker says
my configuration works (i.e. complete chain) and I can verify that OCSP
stapling works by looking at the detail listing on webpagetest.org. So far,
so good.

Now I took that setup to a bigger site that runs several domains on a single
frontend and webpagetest.org shows me that there’s an OCSP request taking
place. I’ve decoded the URI that’s being requested and it’s asking to verify
the intermediate certificate of the site that I’m checking.

The one difference I can see is in the Authority Information Access fields:

Let’s Encrypt:

        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            X509v3 Authority Key Identifier:
                keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
            Authority Information Access:
                CA Issuers - URI:http://x1.i.lencr.org/

Digicert:

        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
        Validity
            Not Before: Oct 22 12:00:00 2013 GMT
            Not After : Oct 22 12:00:00 2028 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F
            X509v3 Authority Key Identifier:
                keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com

Is there a problem with Digicert vs. Let’s Encrypt? Or do I have a problem
because I have multiple ssl crt entries on the problematic frontend?

TIA and best regards,
pp. Thomas Bätzler
-- 
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany

Phone: +49 721 94246-0
Phone: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/

Managing Director: Dipl.-Ing. (FH) Martin Bringe
VAT ID: DE812936645, HRB 108943 Mannheim
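Added example, not from the post or from haproxy itself: a small Python checker that parses `openssl x509 -text -noout` output for every certificate in a bundle and reports which ones carry an OCSP URI in their Authority Information Access extension. It assumes haproxy bundle order (first certificate is the server certificate) and that the stapled response is for that certificate only; the sample input is constructed from a placeholder leaf plus the DigiCert intermediate quoted above.

```python
import re

def parse_x509_text(text):
    """Parse `openssl x509 -text -noout` output (one or more certs) into dicts
    holding the subject and the Authority Information Access (AIA) URIs."""
    certs, cur, in_aia = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate:"):          # openssl's per-certificate header
            cur, in_aia = {"subject": "", "ocsp": [], "ca_issuers": []}, False
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Subject:"):
            cur["subject"] = line[len("Subject:"):].strip()
        elif line.startswith("Authority Information Access:"):
            in_aia = True
        elif in_aia:
            m = re.match(r"(OCSP|CA Issuers) - URI:(\S+)", line)
            if m is None:                            # any other line ends the AIA block
                in_aia = False
            else:
                cur["ocsp" if m.group(1) == "OCSP" else "ca_issuers"].append(m.group(2))
    return certs

def stapling_report(certs):
    """certs[0] is taken as the server certificate (haproxy bundle order). The
    stapled response is for that certificate only, so an intermediate that
    advertises its own OCSP responder can still be looked up by the client."""
    findings = []
    if certs and not certs[0]["ocsp"]:
        findings.append(f"leaf '{certs[0]['subject']}' has no OCSP URI: nothing to staple")
    for c in certs[1:]:
        if c["ocsp"]:
            findings.append(f"intermediate '{c['subject']}' advertises OCSP at "
                            f"{', '.join(c['ocsp'])}: not covered by the leaf staple")
    return findings

# Constructed sample: a placeholder leaf plus the DigiCert intermediate quoted in the post.
SAMPLE = """Certificate:
        Subject: CN = www.example.invalid
            Authority Information Access:
                OCSP - URI:http://ocsp.example.invalid
Certificate:
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
"""
```

To check a real bundle, feed `stapling_report(parse_x509_text(...))` the output of `openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -text -noout`, which prints every certificate in the file with its own `Certificate:` header.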
