Fix HAProxy Deploy Hook OCSP Update #2900
Fixes OCSP response update failing with `Responder Error: unauthorized (6)` by removing the `-no_nonce` switch from the `openssl ocsp` command.
```
lsb_release -d
Description:    Ubuntu 18.04.4 LTS
acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.6
openssl version
OpenSSL 1.1.1  11 Sep 2018
```

Debug output with:

```
openssl ocsp \
  -issuer "/etc/haproxy/certs/example.com.pem.rsa.issuer" \
  -cert "/etc/haproxy/certs/example.com.pem.rsa" \
  -url "http://ocsp.int-x3.letsencrypt.org" \
  -header Host="ocsp.int-x3.letsencrypt.org" \
  -respout "/etc/haproxy/certs/example.com.pem.rsa.ocsp" \
  -verify_other "/etc/haproxy/certs/example.com.pem.rsa.issuer" \
  -no_nonce \
  -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 0318D8E8913F2AB3D8FD2DEBCCA2A1FD566B
Responder Error: unauthorized (6)
```

Response without:

```
openssl ocsp \
  -issuer "/etc/haproxy/certs/example.com.pem.rsa.issuer" \
  -cert "/etc/haproxy/certs/example.com.pem.rsa" \
  -url "http://ocsp.int-x3.letsencrypt.org" \
  -header Host="ocsp.int-x3.letsencrypt.org" \
  -respout "/etc/haproxy/certs/example.com.pem.rsa.ocsp" \
  -verify_other "/etc/haproxy/certs/example.com.pem.rsa.issuer" \
  -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 0318D8E8913F2AB3D8FD2DEBCCA2A1FD566B
    Request Extensions:
        OCSP Nonce:
            0410D4CB3514D27CA0B9491FDB7DB66DDE54
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: May  2 19:44:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0318D8E8913F2AB3D8FD2DEBCCA2A1FD566B
    Cert Status: good
    This Update: May  2 19:00:00 2020 GMT
    Next Update: May  9 19:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         90:79:c7:2f:dc:85:c0:30:8e:80:3a:55:77:8f:74:57:fb:3e:
         b5:ca:97:57:42:b5:c3:7a:bb:a9:49:28:e7:6d:55:cf:15:01:
         2c:a7:a7:b4:b6:01:aa:45:e0:a4:0d:ad:ce:93:d4:33:0f:a9:
         62:78:d6:34:7e:d2:a6:e0:01:36:df:61:b2:12:4b:e1:bc:47:
         85:97:1d:b3:e3:fb:ca:2e:03:65:ec:08:fb:4a:a7:e8:aa:a2:
         96:3f:6a:4d:d3:d8:cc:85:f7:d0:f3:ea:7f:2a:a3:04:cc:00:
         3d:13:e2:4d:b7:71:e7:8e:6e:64:a9:2e:14:11:a3:2a:f8:1c:
         af:65:83:32:0b:84:24:59:62:65:18:e1:8d:ef:88:b8:c7:85:
         48:5e:98:b3:4c:e1:46:9d:e6:7f:4d:2f:f7:12:f7:4e:88:77:
         3a:58:9a:80:15:fb:9e:9e:07:7d:b5:e1:bd:66:6d:4f:a6:de:
         a6:1a:41:37:8a:e4:67:1a:88:a0:80:72:62:ee:d3:a7:47:7f:
         5b:ff:c0:89:f0:38:70:b9:15:69:21:dc:df:29:94:f3:04:db:
         fa:4d:aa:8b:33:53:7c:09:5e:3e:22:59:b1:3a:7d:ca:cc:58:
         cc:b9:71:50:73:e9:9c:1f:df:4c:a4:60:41:d6:bf:25:5b:d2:
         8f:6f:c7:c8
WARNING: no nonce in response
Response verify OK
```
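As an added example (not acme.sh's deploy hook code), a small POSIX sh check that a deploy script could run on the `openssl ocsp -text` output above before handing the response to HAProxy, so that a responder error such as the one shown never overwrites a still-valid staple. `ocsp_response_ok` and `fetch_ocsp` are hypothetical names; the command and paths are the page's, with the request nonce left enabled.

```shell
#!/bin/sh
# Added example, not acme.sh's own deploy hook. ocsp_response_ok() reads the
# text output of `openssl ocsp -text` on stdin and returns 0 only when the
# response is one HAProxy should staple. fetch_ocsp() is a hypothetical wrapper
# around the page's command (no -no_nonce) that replaces the existing .ocsp
# file only when the new response passes the check.
ocsp_response_ok() {
  out=$(cat)
  # Responder-level failure, e.g. "Responder Error: unauthorized (6)":
  # no usable response was returned at all.
  if printf '%s\n' "$out" | grep -q 'Responder Error:'; then
    return 1
  fi
  printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' || return 1
  # The response signature must verify against the issuer given via -verify_other.
  printf '%s\n' "$out" | grep -q 'Response verify OK' || return 1
  # Only "good" may be served; a revoked or unknown status must not be stapled.
  printf '%s\n' "$out" | grep -q 'Cert Status: good' || return 1
  # "WARNING: no nonce in response" is not treated as fatal: the responder on
  # the page ignores the request nonce, yet the response still verifies.
  return 0
}

fetch_ocsp() {
  cert=$1; issuer=$2; url=$3; dest=$4
  host=${url#*://}; host=${host%%/*}
  tmp=$(mktemp) || return 1
  text=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
           -header Host="$host" -respout "$tmp" -verify_other "$issuer" \
           -text 2>&1)
  if printf '%s\n' "$text" | ocsp_response_ok; then
    mv "$tmp" "$dest"   # atomic replace; the old staple survives any failure
    return 0
  fi
  rm -f "$tmp"
  printf 'OCSP update for %s rejected:\n%s\n' "$cert" "$text" >&2
  return 1
}
```

Call it as `fetch_ocsp /etc/haproxy/certs/example.com.pem.rsa /etc/haproxy/certs/example.com.pem.rsa.issuer http://ocsp.int-x3.letsencrypt.org /etc/haproxy/certs/example.com.pem.rsa.ocsp` and reload HAProxy only when it returns 0.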
I did some more checking, and OCSP updates for my previously issued certs, which also don't use the OCSP Must Staple extension, can be retrieved using either. So it looks like this is either a recent change for all new certs or for new certs with OCSP Must Staple. Anyways, since it works with nonce for both old and new certs, this change should be safe to merge.

I force renewed another cert without adding
Fixes OCSP response update failing with `Responder Error: unauthorized (6)` by removing `-no_nonce` switch from `openssl ocsp` command. It is likely that Let's Encrypt allowed OCSP requests without nonce in the past, but currently only requests with nonce work, even after trying multiple times.

Tested with openssl-1.1.1-1ubuntu2.1~18.04.5 on Ubuntu Bionic server and acme.sh v2.8.6.