Does OSCP stapling involve calls to the cert authority API?

Cylindric · May 4, 2017, 4:20pm

On my passive Caddy node, I’m seeing lots of OCSP errors, I guess because it can’t validate due to no pingback route. Are constantly-failing OCSP updates going to harm my API rate limit?

2017/05/04 14:42:00 [INFO][cgt.bz] acme: Obtaining bundled SAN certificate
2017/05/04 14:42:01 [INFO][cgt.bz] acme: Could not find solver for: dns-01
2017/05/04 14:42:01 [INFO][cgt.bz] acme: Trying to solve TLS-SNI-01

Also, Caddy is constantly trying to staple certificates that I have supplied, is there any way of stopping that?

2017/05/04 14:42:03 [WARNING] Stapling OCSP: no OCSP stapling for [*.mydomain.co.uk mydomain.co.uk]: ocsp: error from server: unauthorized
2017/05/04 14:42:03 [INFO] Successfully loaded TLS assets from /opt/caddy/ssl/static/mydomain.co.uk.pem and /opt/caddy/ssl/static/mydomain.co.uk.key

matt · May 4, 2017, 4:36pm

Caddy staples OCSP to every certificate that has the OCSPServer field set. OCSP is checked every hour.

Are you using Let’s Encrypt certs (that you’ve supplied)? What’s your certificates’ OCSP servers?

Cylindric · May 5, 2017, 9:29am

So the certificate I’m currently testing out is the one from our main site at https://www.communigator.co.uk/

I can’t see any OCSPServer field on it, but my CaddyServer still seems to be attempting to staple it.

2017/05/04 11:31:15 [WARNING] Stapling OCSP: no OCSP stapling for [*.communigator.co.uk communigator.co.uk]: ocsp: error from server: unauthorized

It says there is no stapling, but also that there was a specific “unauthorized” error from some unspecified server. I can’t tell which it is.

matt · May 5, 2017, 2:58pm

Your certificate has an OCSP responder configured:

For some reason your CA’s responder is returning “unauthorized” for your cert.

Cylindric · May 5, 2017, 3:00pm

Aah, I didn’t spot that, thanks. I’m still finding out about OCSP I’ll have to find out why that’s failing. Maybe it’s something they can resolve.

Cylindric · May 5, 2017, 4:02pm

They say it is expected behaviour on their website, now I just need to find out why ours can’t be validated, even if it does have the value set.

From the Symantec KB:

Symantec:

2.2.3. OCSPResponseStatus Values

As long as the OCSP infrastructure has authoritative records for a
particular certificate, an OCSPResponseStatus of “successful” will be
returned. When access to authoritative records for a particular
certificate is not available, the responder MUST return an
OCSPResponseStatus of “unauthorized”. As such, this profile extends
the RFC 2560 [OCSP] definition of “unauthorized” as follows:
  The response "unauthorized" is returned in cases where the client
  is not authorized to make this query to this server or the server
  is not capable of responding authoritatively.
For example, OCSP responders that do not have access to authoritative
records for a requested certificate, such as those that generate and
distribute OCSP responses in advance and thus do not have the ability
to properly respond with a signed “successful” yet “unknown”
response, will respond with an OCSPResponseStatus of “unauthorized”.
Also, in order to ensure the database of revocation information does
not grow unbounded over time, the responder MAY remove the status
records of expired certificates. Requests from clients for
certificates whose record has been removed will result in an
OCSPResponseStatus of “unauthorized”.

system · August 3, 2017, 4:12pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.