Cylindric
(Mark Hanford)
May 4, 2017, 4:20pm
1
On my passive Caddy node, I’m seeing lots of OCSP errors, I guess because it can’t validate due to no pingback route. Are constantly-failing OCSP updates going to harm my API rate limit?
2017/05/04 14:42:00 [INFO][cgt.bz] acme: Obtaining bundled SAN certificate
2017/05/04 14:42:01 [INFO][cgt.bz] acme: Could not find solver for: dns-01
2017/05/04 14:42:01 [INFO][cgt.bz] acme: Trying to solve TLS-SNI-01
Also, Caddy is constantly trying to staple certificates that I have supplied, is there any way of stopping that?
2017/05/04 14:42:03 [WARNING] Stapling OCSP: no OCSP stapling for [*.mydomain.co.uk mydomain.co.uk]: ocsp: error from server: unauthorized
2017/05/04 14:42:03 [INFO] Successfully loaded TLS assets from /opt/caddy/ssl/static/mydomain.co.uk.pem and /opt/caddy/ssl/static/mydomain.co.uk.key
matt
(Matt Holt)
May 4, 2017, 4:36pm
2
Caddy staples OCSP to every certificate that has the OCSPServer field set. OCSP is checked every hour.
Are you using Let’s Encrypt certs (that you’ve supplied)? What are your certificates’ OCSP servers?
Cylindric
(Mark Hanford)
May 5, 2017, 9:29am
3
So the certificate I’m currently testing out is the one from our main site at https://www.communigator.co.uk/
I can’t see any OCSPServer field on it, but my CaddyServer still seems to be attempting to staple it.
2017/05/04 11:31:15 [WARNING] Stapling OCSP: no OCSP stapling for [*.communigator.co.uk communigator.co.uk]: ocsp: error from server: unauthorized
It says there is no stapling, but also that there was a specific “unauthorized” error from some unspecified server. I can’t tell which it is.
matt
(Matt Holt)
May 5, 2017, 2:58pm
4
Your certificate has an OCSP responder configured:
For some reason your CA’s responder is returning “unauthorized” for your cert.
Cylindric
(Mark Hanford)
May 5, 2017, 3:00pm
5
Aah, I didn’t spot that, thanks. I’m still finding out about OCSP; I’ll have to find out why that’s failing. Maybe it’s something they can resolve.
Cylindric
(Mark Hanford)
May 5, 2017, 4:02pm
6
They say it is expected behaviour on their website, now I just need to find out why ours can’t be validated, even if it does have the value set.
From the Symantec KB:
2.2.3. OCSPResponseStatus Values

As long as the OCSP infrastructure has authoritative records for a particular certificate, an OCSPResponseStatus of “successful” will be returned. When access to authoritative records for a particular certificate is not available, the responder MUST return an OCSPResponseStatus of “unauthorized”. As such, this profile extends the RFC 2560 [OCSP] definition of “unauthorized” as follows:

The response "unauthorized" is returned in cases where the client is not authorized to make this query to this server or the server is not capable of responding authoritatively.

For example, OCSP responders that do not have access to authoritative records for a requested certificate, such as those that generate and distribute OCSP responses in advance and thus do not have the ability to properly respond with a signed “successful” yet “unknown” response, will respond with an OCSPResponseStatus of “unauthorized”.

Also, in order to ensure the database of revocation information does not grow unbounded over time, the responder MAY remove the status records of expired certificates. Requests from clients for certificates whose record has been removed will result in an OCSPResponseStatus of “unauthorized”.
system
(system)
Closed
August 3, 2017, 4:12pm
7
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.