Re: err with multiple TLS sites but one OCSP?
On Fri, Jan 27, 2017 at 09:53:25PM +, Bob Beck wrote:
> On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas
> Or a misconfiguration. show configs

Configs follow.

# cat /etc/httpd.conf
include "/etc/sites/www3.conf"
include "/etc/sites/www4.conf"

www3.conf:

server "www3.mwlucas.org" {
	listen on * port 80
	block return 302 "https://$SERVER_NAME$REQUEST_URI";
}

server "www3.mwlucas.org" {
	alias tarpit.mwlucas.org
	listen on * tls port 443
	hsts
	# TLS certificate and key files created with acme-client(1)
	tls certificate "/etc/ssl/acme/www3/www3.fullchain.pem"
	tls key "/etc/ssl/acme/www3/www3.key"
	tls ocsp "/etc/ssl/acme/www3/www3.der"
	tcp nodelay

	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}
}

www4:

server "www4.mwlucas.org" {
	alias bill.mwlucas.org
	alias auction.mwlucas.org
	listen on * port 80

	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}

	block return 301 "https://$DOCUMENT_URI";
}

server "www4.mwlucas.org" {
	alias bill.mwlucas.org
	alias auction.mwlucas.org
	root "/www4"
	listen on * tls port 443
	hsts
	# TLS certificate and key files created with acme-client(1)
	tls certificate "/etc/ssl/acme/www4/www4.fullchain.pem"
	tls key "/etc/ssl/acme/www4/www4.key"
	# tls ocsp "/etc/ssl/acme/www4/www4.der"
	tcp nodelay

	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}
}

-- 
Michael W. Lucas        Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
Re: err with multiple TLS sites but one OCSP?
On Fri, Jan 27, 2017 at 15:23 Stuart Henderson wrote:
> On 2017/01/27 22:09, Bob Beck wrote:
> > I think you have more issues than ocsp. if that's the same host you can't
> > have two different tls certs on the same ip. and you have them both on
> > *443
> >
> > try using a separate ip for each
>
> Wasn't SNI support added to httpd already?

hmmm. right. but i bet it'll work with explicit separate IPs. stapling on
the other hand will be per config. so that's probably what's fighting.
separate ip would confirm that.

I'm tired. I'll look at it tomorrow unless someone else does
Re: err with multiple TLS sites but one OCSP?
On 2017/01/27 22:09, Bob Beck wrote:
> I think you have more issues than ocsp. if that's the same host you can't
> have two different tls certs on the same ip. and you have them both on
> *443
>
> try using a separate ip for each

Wasn't SNI support added to httpd already?
Re: err with multiple TLS sites but one OCSP?
I think you have more issues than ocsp. if that's the same host you can't
have two different tls certs on the same ip. and you have them both on
*443

try using a separate ip for each

On Fri, Jan 27, 2017 at 15:03 Michael W. Lucas wrote:
> On Fri, Jan 27, 2017 at 09:53:25PM +, Bob Beck wrote:
> > On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas
> > Or a misconfiguration. show configs
>
> Configs follow.
>
> # cat /etc/httpd.conf
> include "/etc/sites/www3.conf"
> include "/etc/sites/www4.conf"
>
> www3.conf:
>
> server "www3.mwlucas.org" {
> 	listen on * port 80
> 	block return 302 "https://$SERVER_NAME$REQUEST_URI";
> }
>
> server "www3.mwlucas.org" {
> 	alias tarpit.mwlucas.org
> 	listen on * tls port 443
> 	hsts
> 	# TLS certificate and key files created with acme-client(1)
> 	tls certificate "/etc/ssl/acme/www3/www3.fullchain.pem"
> 	tls key "/etc/ssl/acme/www3/www3.key"
> 	tls ocsp "/etc/ssl/acme/www3/www3.der"
> 	tcp nodelay
>
> 	location "/.well-known/acme-challenge/*" {
> 		root "/acme"
> 		root strip 2
> 	}
> }
>
> www4:
>
> server "www4.mwlucas.org" {
> 	alias bill.mwlucas.org
> 	alias auction.mwlucas.org
> 	listen on * port 80
>
> 	location "/.well-known/acme-challenge/*" {
> 		root "/acme"
> 		root strip 2
> 	}
>
> 	block return 301 "https://$DOCUMENT_URI";
> }
>
> server "www4.mwlucas.org" {
> 	alias bill.mwlucas.org
> 	alias auction.mwlucas.org
> 	root "/www4"
> 	listen on * tls port 443
> 	hsts
> 	# TLS certificate and key files created with acme-client(1)
> 	tls certificate "/etc/ssl/acme/www4/www4.fullchain.pem"
> 	tls key "/etc/ssl/acme/www4/www4.key"
> 	# tls ocsp "/etc/ssl/acme/www4/www4.der"
> 	tcp nodelay
>
> 	location "/.well-known/acme-challenge/*" {
> 		root "/acme"
> 		root strip 2
> 	}
> }
>
> -- 
> Michael W. Lucas        Twitter @mwlauthor
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
> blog: http://blather.michaelwlucas.com/
Re: err with multiple TLS sites but one OCSP?
On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas wrote:
> On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote:
> > On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> > > That looks like a web server bug, it shouldn't return a staple

Or a misconfiguration. show configs

> > > in that case. What software are you using for that?
> >
> > OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
> > ftp3.usa.openbsd.org.
>
> To be clear, that's a "How the hell could I forget to include that?"
> facepalm, not anything about Stuart asking the question...
>
> -- 
> Michael W. Lucas        Twitter @mwlauthor
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
> blog: http://blather.michaelwlucas.com/
Re: err with multiple TLS sites but one OCSP?
On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote:
> On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> > That looks like a web server bug, it shouldn't return a staple
> > in that case. What software are you using for that?
>
> OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
> ftp3.usa.openbsd.org.

To be clear, that's a "How the hell could I forget to include that?"
facepalm, not anything about Stuart asking the question...

-- 
Michael W. Lucas        Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
Re: err with multiple TLS sites but one OCSP?
On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote:
> That looks like a web server bug, it shouldn't return a staple
> in that case. What software are you using for that?

OpenBSD httpd, of course. amd64 snapshot downloaded yesterday from
ftp3.usa.openbsd.org.

==ml

-- 
Michael W. Lucas        Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
Re: err with multiple TLS sites but one OCSP?
On 2017/01/27 13:10, Michael W. Lucas wrote:
> Hi,
>
> Not sure if this is an expected part of OCSP or a bug.
>
> I've configured two TLS sites on one host, one with OCSP stapling
> (www3.mwlucas.org) and one without (www4.mwlucas.org). The OCSP site
> works fine, but the non-OCSP site generates an err.
>
> It *appears* that queries to the non-OCSP site return the OCSP site's
> OCSP cert.
>
> Following please find openssl queries on both. Feel free to check the
> sites yourself, I'm FAR from a TLS guru.

That looks like a web server bug, it shouldn't return a staple
in that case. What software are you using for that?

> # openssl s_client -connect www4.mwlucas.org:443 -status -servername www4.mwlucas.org
> ...
> verify return:1
> OCSP response:
> ======================================
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     Version: 1 (0x0)
>     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>     Produced At: Jan 26 23:02:00 2017 GMT
>     Responses:
>     Certificate ID:
>       Hash Algorithm: sha1
>       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
>       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
>       Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
>     Cert Status: good
>     This Update: Jan 26 23:00:00 2017 GMT
>     Next Update: Feb 2 23:00:00 2017 GMT
>
>     Signature Algorithm: sha256WithRSAEncryption
>          6a:1e:f1:44:8c:a9:a6:7e:40:25:3a:f7:50:e9:43:42:0f:74:
>          9b:dc:ee:56:a3:47:0b:ce:73:88:ee:f0:84:fc:b0:25:5b:3d:
>          67:d0:66:20:c7:60:7c:ee:26:91:72:4e:d0:f2:67:5a:e3:c1:
>          06:57:31:47:29:1a:55:19:48:e7:e6:32:0b:18:d9:33:9d:55:
>          d7:36:38:f1:96:57:bc:5d:89:82:31:bb:4e:12:0c:5c:ab:1a:
>          f6:1d:a1:48:be:1c:1d:3b:52:a0:60:2f:1d:f9:3c:48:cd:df:
>          a6:5e:b5:79:0c:b9:ed:d5:61:29:53:ee:83:5f:89:af:35:27:
>          d6:94:05:f5:fb:d1:a8:4d:26:8d:8b:cf:e9:db:53:ad:e6:47:
>          a7:db:91:9e:9d:a1:b2:2c:1e:d9:98:c5:af:5c:12:d1:04:5a:
>          82:be:8d:80:1f:38:c2:5d:b1:6f:99:e1:ca:53:71:1c:85:0d:
>          3e:f3:14:bc:3b:c9:c0:dd:6b:ec:59:d4:54:dc:fb:9c:da:72:
>          91:45:61:55:69:e9:75:51:8f:e2:82:6a:dd:ec:bc:bd:3c:2c:
>          92:43:f7:d9:65:1d:60:14:91:e0:b0:2b:46:25:49:35:74:99:
>          71:a3:c0:d0:91:66:29:7e:01:1b:35:f1:2e:40:dc:f3:4d:98:
>          69:40:6f:46
>
>
> # openssl s_client -connect www3.mwlucas.org:443 -status -servername www3.mwlucas.org
> CONNECTED(0003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = www3.mwlucas.org
> verify return:1
> OCSP response:
> ======================================
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>     Response Type: Basic OCSP Response
>     Version: 1 (0x0)
>     Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>     Produced At: Jan 26 23:02:00 2017 GMT
>     Responses:
>     Certificate ID:
>       Hash Algorithm: sha1
>       Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
>       Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
>       Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
>     Cert Status: good
>     This Update: Jan 26 23:00:00 2017 GMT
>     Next Update: Feb 2 23:00:00 2017 GMT
>
>     Signature Algorithm: sha256WithRSAEncryption
>          6a:1e:f1:44:8c:a9:a6:7e:40:25:3a:f7:50:e9:43:42:0f:74:
>          9b:dc:ee:56:a3:47:0b:ce:73:88:ee:f0:84:fc:b0:25:5b:3d:
>          67:d0:66:20:c7:60:7c:ee:26:91:72:4e:d0:f2:67:5a:e3:c1:
>          06:57:31:47:29:1a:55:19:48:e7:e6:32:0b:18:d9:33:9d:55:
>          d7:36:38:f1:96:57:bc:5d:89:82:31:bb:4e:12:0c:5c:ab:1a:
>          f6:1d:a1:48:be:1c:1d:3b:52:a0:60:2f:1d:f9:3c:48:cd:df:
>          a6:5e:b5:79:0c:b9:ed:d5:61:29:53:ee:83:5f:89:af:35:27:
>          d6:94:05:f5:fb:d1:a8:4d:26:8d:8b:cf:e9:db:53:ad:e6:47:
>          a7:db:91:9e:9d:a1:b2:2c:1e:d9:98:c5:af:5c:12:d1:04:5a:
>          82:be:8d:80:1f:38:c2:5d:b1:6f:99:e1:ca:53:71:1c:85:0d:
>          3e:f3:14:bc:3b:c9:c0:dd:6b:ec:59:d4:54:dc:fb:9c:da:72:
>          91:45:61:55:69:e9:75:51:8f:e2:82:6a:dd:ec:bc:bd:3c:2c:
>          92:43:f7:d9:65:1d:60:14:91:e0:b0:2b:46:25:49:35:74:99:
>          71:a3:c0:d0:91:66:29:7e:01:1b:35:f1:2e:40:dc:f3:4d:98:
>          69:40:6f:46
> ======================================
> ...
>
> ==ml
>
>
> -- 
> Michael W. Lucas        Twitter @mwlauthor
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
> blog: http://blather.michaelwlucas.com/
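Added example (not from the thread, and not OpenBSD httpd code): a small Python checker for the situation the posts above describe. It parses an `openssl s_client -status` transcript like the ones quoted, pulls the leaf certificate's CN and the Serial Number that the stapled OCSP response covers, and compares that serial with the one the site should be serving (the value `openssl x509 -in fullchain.pem -noout -serial` prints for that site's own certificate). A staple that covers some other certificate, which is what www4 returned here, is reported as "wrong-certificate"; a site that sends no staple at all is "no-staple". The sample transcripts are constructed to mirror the thread's output: the www3 serial is the one quoted above, the www4 serial is a made-up placeholder, and the function and field names are my own.

```python
"""Check an `openssl s_client -status` transcript for a stapled OCSP response
and verify that the staple covers the certificate the site is expected to serve.
Added example; the sample transcripts below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Optional

# Pieces of s_client output that matter for the check.
DEPTH0_CN = re.compile(r"^depth=0 .*?\bCN\s*=\s*([^,\n]+)", re.M)
NO_STAPLE = re.compile(r"^OCSP response: no response sent", re.M)  # OpenSSL's wording
OCSP_SERIAL = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$", re.M)
CERT_STATUS = re.compile(r"^\s*Cert Status:\s*(\w+)", re.M)

VERDICTS = ("no-staple", "ok", "wrong-certificate", "not-good", "unparseable")


def normalize_serial(serial: str) -> str:
    """Canonical serial: upper-case hex, no 'serial=' prefix, no colons, no
    leading zeros, so '032CBD...' (OCSP dump) and 'serial=32CBD...' compare equal."""
    s = serial.strip()
    if s.lower().startswith("serial="):  # form printed by `openssl x509 -serial`
        s = s[len("serial="):]
    s = s.replace(":", "").upper().lstrip("0")
    return s or "0"


@dataclass
class StapleReport:
    subject_cn: Optional[str]      # CN of the leaf certificate the server presented
    stapled_serial: Optional[str]  # serial the stapled OCSP response covers
    cert_status: Optional[str]     # "good", "revoked", "unknown" or None
    verdict: str                   # one of VERDICTS


def check_staple(transcript: str, expected_serial: Optional[str]) -> StapleReport:
    """Classify the staple in one s_client transcript. expected_serial is the
    serial of the certificate this SNI name is supposed to serve (None = don't check)."""
    cn_match = DEPTH0_CN.search(transcript)
    cn = cn_match.group(1).strip() if cn_match else None

    if NO_STAPLE.search(transcript):
        return StapleReport(cn, None, None, "no-staple")

    # Only look inside the decoded response so a stray "Serial Number:" elsewhere
    # in the transcript cannot be mistaken for the staple's.
    start = transcript.find("OCSP Response Data:")
    if start < 0:
        return StapleReport(cn, None, None, "unparseable")
    body = transcript[start:]
    serial_match = OCSP_SERIAL.search(body)
    if not serial_match:
        return StapleReport(cn, None, None, "unparseable")
    stapled = normalize_serial(serial_match.group(1))
    status_match = CERT_STATUS.search(body)
    status = status_match.group(1) if status_match else None

    if expected_serial is not None and stapled != normalize_serial(expected_serial):
        verdict = "wrong-certificate"   # the case reported in the thread
    elif status != "good":
        verdict = "not-good"
    else:
        verdict = "ok"
    return StapleReport(cn, stapled, status, verdict)


# Serial quoted in the thread's output (www3's certificate).
THREAD_SERIAL = "032CBDA721856F117CC7D57A72BBFA77B578"
# Made-up placeholder standing in for www4's own serial (constructed).
WWW4_SERIAL = "0123456789ABCDEF0123456789ABCDEF0123"

# Constructed transcript modelled on the www4 query: www4's leaf, www3's staple.
SAMPLE_WWW4 = """\
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www4.mwlucas.org
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 032CBDA721856F117CC7D57A72BBFA77B578
    Cert Status: good
    This Update: Jan 26 23:00:00 2017 GMT
======================================
"""

# Constructed transcript for a site that staples nothing (the expected www4 result).
SAMPLE_NO_STAPLE = """\
depth=0 CN = www4.mwlucas.org
verify return:1
OCSP response: no response sent
"""

if __name__ == "__main__":
    for name, text in (("www4 (constructed)", SAMPLE_WWW4), ("no staple", SAMPLE_NO_STAPLE)):
        print(name, check_staple(text, WWW4_SERIAL))
```

In use, feed it the output of `openssl s_client -connect HOST:443 -status -servername HOST </dev/null 2>&1` for each SNI name the server answers for, with the expected serial read from that name's own fullchain.pem; running the check once per configured name is what catches a staple leaking from one server block to another, since each name looks fine in isolation.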