I've got a bug with the OpenCA-OCSP Responder.
I'm working with Debian. The OpenSSL OCSP responder (included in the toolkit) works as well, but it is only a testing version and I want a highly stable solution.
My problem is that the daemon returns an error when it receives a request:
[EMAIL PROTECTED]:~/Stage$ openssl ocsp -issuer ca.crt -CAfile ca.crt -cert webmail-signed-cert.pem -url http://ocsp.microgate.fr:80 -text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: E31CA253AF4B08B1A02A5A0A7520445A6B7610A7
Issuer Key Hash: 265524D3A20827963909C74AB9D8112EFCC6D65B
Serial Number: 03
Request Extensions:
OCSP Nonce:
0410C244CB64A059EBBA2488D2B94F5FCF58
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = FR, ST = Indre-et-Loire, L = Tours, O = Resgate Security Department, CN = ocsp.microgate.fr, emailAddress = [EMAIL PROTECTED]
Produced At: May 25 15:45:21 2005 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: E31CA253AF4B08B1A02A5A0A7520445A6B7610A7
Issuer Key Hash: 265524D3A20827963909C74AB9D8112EFCC6D65B
Serial Number: 03
Cert Status: good
This Update: May 25 14:34:57 2005 GMT
Next Update: May 25 15:50:21 2005 GMT
Response Extensions:
OCSP Nonce:
0410C244CB64A059EBBA2488D2B94F5FCF58
Response Verify Failure
11565:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
webmail-signed-cert.pem: good
This Update: May 25 14:34:57 2005 GMT
Next Update: May 25 15:50:21 2005 GMT
Here are my files:
------------------------------------------------------------------------------------------------------------------------------------------------------------
authority:/# l /var/certificats/ocsp/
total 16
-rwxr-x--- 1 root daemon 1078 2005-05-02 13:02 ocsp.csr
-rwxr-x--- 1 root daemon 1679 2005-05-02 13:02 ocsp.key
-rwxr-x--- 1 root daemon 5454 2005-05-02 14:06 ocsp.pem
authority:/# l /var/certificats/ca/
total 33
-rwxr-x--- 1 root daemon 1679 2005-05-02 13:00 ca.key
-rwxr-x--- 1 root daemon 1830 2005-05-02 13:00 ca.pem
-rwxr-x--- 1 root daemon 1206 2005-05-20 16:52 index.txt
drwxr-x--- 2 root daemon 480 2005-05-20 16:52 newcerts
-rwxr-x--- 1 root daemon 3 2005-05-20 16:52 serial
authority:/# l /var/certificats/ocspd/
total 24
drwxr-sr-x 2 root staff 4096 2005-05-25 15:24 certs
-rw-r--r-- 1 root staff 8220 2005-05-25 17:16 ocspd.conf
-rwxrwx--- 1 root daemon 5 2005-05-25 17:45 ocspd.pid
drwxr-sr-x 2 root staff 4096 2005-05-25 15:24 private
------------------------------------------------------------------------------------------------------------------------------------------------------------
And I'm running the daemon with this command:
------------------------------------------------------------------------------------------------------------------------------------------------------------
authority:/# ocspd -d -v -c /var/certificats/ocspd/ocspd.conf
=================================SYSLOG========================================
May 25 17:47:29 authority ocspd[30427]: OpenCA OCSPD v1.0.3 - starting.
May 25 17:47:29 authority ocspd[30427]: Using configuration from /var/certificats/ocspd/ocspd.conf
May 25 17:47:29 authority ocspd[30427]: section set to OCSPD_default
May 25 17:47:29 authority ocspd[30427]: reading certificate file (/var/certificats/ocsp/ocsp.pem).
May 25 17:47:29 authority ocspd[30427]: Reading Private Key file /var/certificats/ocsp/ocsp.key
May 25 17:47:29 authority ocspd[30427]: reading CA certificate file.
May 25 17:47:29 authority ocspd[30427]: OCSP Daemon setup completed
May 25 17:47:29 authority ocspd[30427]: Auto CRL reload every 600 secs
May 25 17:47:29 authority ocspd[30427]: Reload on expired CRLs enabled
May 25 17:47:29 authority ocspd[30427]: Number of CAs in configuration is 1
May 25 17:47:29 authority ocspd[30427]: CA CERT for first_ca loaded successfully.
May 25 17:47:29 authority ocspd[30427]: CA List Entry added (CA list num 0)
May 25 17:47:29 authority ocspd[30427]: CRL loaded [ first_ca ]
May 25 17:47:29 authority ocspd[30427]: CRL and CA cert [0:1] check ok
May 25 17:47:29 authority ocspd[30427]: CRL matching CA cert ok [ 1 ]
May 25 17:47:29 authority ocspd[30427]: 1 CRL Entries [ first_ca ]
May 25 17:47:29 authority ocspd[30427]: CRL loaded successfully [first_ca]
May 25 17:47:29 authority ocspd[30427]: variable lookup failed for ocsp_response::ocsp_add_response_certs
May 25 17:47:29 authority ocspd[30427]: CRL validity check every 600 sec.
May 25 17:47:29 authority ocspd[30427]: Configuration loaded and parsed
May 25 17:47:29 authority ocspd[21389]: Successfully binded to *:80
May 25 17:47:29 authority ocspd[21389]: Pre-Spawning 3 processes (live 0)
May 25 17:47:29 authority ocspd[21389]: Add Child to List child [42]
May 25 17:47:29 authority ocspd[21389]: Add Child to List child [26265]
May 25 17:47:29 authority ocspd[21389]: Add Child to List child [24939]
May 25 17:47:29 authority ocspd[21389]: server.c:747 Active Childrens [ 3 ]
======================END=====OF======SYSLOG===================================
------------------------------------------------------------------------------------------------------------------------------------------------------------
My ocspd.conf is available here. Obviously, I verified the paths of my files.
Can you help me? I don't understand why it doesn't want to work.
Best regards
------------------------------------------------------------------
J. VEHENT
[EMAIL PROTECTED]
------------------------------------------------------------------
Microgate | 02.47.66.95.01 | www.microgate.fr
binPtS96X99BJ.bin
Description: PGP public key
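A note on the error itself, added here as an illustration and not part of the original post or of OpenCA. `OCSP_basic_verify: signer certificate not found` is raised by the client when it cannot locate the certificate that signed the response, neither among the certificates embedded in the response nor among those handed to it with `-VAfile`; the `-CAfile` trust anchor alone does not help, because the verifier first has to find the signer before it can build a chain to the CA. The daemon's own log shows a failed lookup of `ocsp_response::ocsp_add_response_certs`, which by its name governs which certificates the daemon attaches to its responses; whether that is the cause in this particular setup cannot be told from the post. The script below reproduces the failure offline with the `openssl ocsp` tool standing in for the responder, then shows both ways it goes away (signer cert embedded in the response, or supplied to the client with `-VAfile`). It needs only `openssl` (1.0.2 or later) in PATH; every subject name, file name and serial in it is made up.

```shell
#!/bin/sh
# Added example, not from the original post and not OpenCA code: reproduce the
# client-side "signer certificate not found" failure offline, using the openssl
# ocsp tool as the responder, then show the two ways it goes away. Needs only
# openssl (1.0.2 or later) in PATH. Every name, subject and serial is made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway PKI: self-signed CA, a delegated OCSP signer issued by that CA with
# the OCSPSigning EKU (RFC 6960 4.2.2.2), and one end-entity cert with serial 3,
# the serial seen in the post's request.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=Example Test CA' -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj '/CN=ocsp.example.test' -keyout ocsp.key -out ocsp.csr 2>/dev/null
    printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
    openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 2 \
        -days 365 -extfile ocsp.ext -out ocsp.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj '/CN=webmail.example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 3 \
        -days 365 -out leaf.pem 2>/dev/null
    # openssl-ca style index.txt: status, expiry, revocation date, serial (hex),
    # certificate file, subject. A 'V' row makes the responder answer "good".
    printf 'V\t350101000000Z\t\t03\tunknown\t/CN=webmail.example.test\n' > index.txt
    # The client's request (nonce included), reused by both sides below.
    openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der >/dev/null 2>&1
}

# Answer req.der from the index as a responder would. Extra arguments are
# passed to openssl, e.g. -resp_no_certs to leave the signer cert out of the
# response, which is what a client sees from a responder that embeds nothing.
make_response() {
    out=$1; shift
    openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
        -reqin req.der -respout "$out" "$@" >/dev/null 2>&1
}

# Verify a stored response the way the client in the post did, with the CA as
# trust anchor. Extra arguments (e.g. -VAfile ocsp.pem) go to openssl. Exit
# status is openssl's: 0 for "Response verify OK", 1 for "Response Verify
# Failure"; openssl's error text is left in verify.err.
verify_response() {
    resp=$1; shift
    openssl ocsp -reqin req.der -respin "$resp" -CAfile ca.pem "$@" \
        >/dev/null 2>verify.err
}

# Walk through: a normal response verifies; the same response without the
# signer cert fails with the exact error from the post; handing the client the
# responder cert via -VAfile makes that response verify again.
demo() {
    make_response resp_with_cert.der
    make_response resp_no_cert.der -resp_no_certs
    verify_response resp_with_cert.der || return 1
    echo "1. signer cert embedded, -CAfile ca.pem:        verify OK"
    if verify_response resp_no_cert.der; then
        echo "2. unexpected: verified without the signer cert"; return 1
    fi
    if grep -q 'signer certificate not found' verify.err; then
        echo "2. signer cert omitted, -CAfile ca.pem:         signer certificate not found"
    else
        echo "2. signer cert omitted: failed for another reason:"; cat verify.err; return 1
    fi
    verify_response resp_no_cert.der -VAfile ocsp.pem || return 1
    echo "3. signer cert omitted, -VAfile ocsp.pem added: verify OK"
}

setup_pki
demo
```

The two fixes are not equivalent from a security standpoint: with the signer certificate embedded, the client builds and validates a chain from the responder certificate to the `-CAfile` anchor and checks the OCSPSigning EKU, whereas `-VAfile` marks the given certificate as explicitly trusted (OpenSSL's `OCSP_TRUSTED_OTHER`) and skips that chain check, so it is a client-side workaround, not a substitute for the responder sending its certificate.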
