OCSP request for unknown cert received #126
Hi @PIKACHUIM , Thanks for your report! I'll look into it right away. But just to be sure: do you really have a need for this feature - if you configure CA_DEFAULT_HOSTNAME, there is no need to actually configure these - django-ca will provide fine default values. In any case, can you also give me
kr, Mat
Hi @PIKACHUIM, I tried to reproduce the issue, but failed. From what I can tell, it works as it should. First, let me answer that question of yours:
The certificate has a But to find the certificate (you get an
So in your case I would check:
You can check point 2 easily with the

kr, Mat
When trying to reproduce the issue, I initialized the project using

```python
CA_OCSP_URLS = {
    "root": {
        "ca": "...",
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
        "expires": 3600,
    },
    "ed448": {
        "ca": "...",
        "expires": 3600,
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
    },
    "ed25519": {
        "ca": "...",
        "expires": 3600,
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
    },
}
```

I then ran the following OCSP requests using the

```console
$ openssl ocsp -CAfile ca/files/root.pub -issuer ca/files/root.pub -cert ca/files/root-cert.pub -url http://localhost:8000/django_ca/ocsp/root/ -resp_text
...
Response verify OK
ca/files/root-cert.pub: good
This Update: Jan 27 09:15:10 2024 GMT
Next Update: Jan 27 10:15:10 2024 GMT
$ openssl ocsp -CAfile ca/files/ed448.pub -issuer ca/files/ed448.pub -cert ca/files/ed448-cert.pub -url http://localhost:8000/django_ca/ocsp/ed448/ -resp_text
...
Response verify OK
ca/files/ed448-cert.pub: good
This Update: Jan 27 09:15:52 2024 GMT
Next Update: Jan 27 10:15:52 2024 GMT
$ openssl ocsp -CAfile ca/files/ed25519.pub -issuer ca/files/ed25519.pub -cert ca/files/ed25519-cert.pub -url http://localhost:8000/django_ca/ocsp/ed25519/ -resp_text
...
Response verify OK
ca/files/ed25519-cert.pub: good
This Update: Jan 27 09:16:12 2024 GMT
Next Update: Jan 27 10:16:12 2024 GMT
```

If there is anything I might have missed here, or you want to share additional configuration, of course please let me know!
PS: Please note that you're using absolute paths, this is deprecated, see documentation. I will actually remove deprecate support for this in 1.28.0.
Thank you for your reply and detailed guidance. I will follow your method to find the problem.
Closing this topic as there is no further response. @PIKACHUIM, I hope django-ca is useful to you! Please feel free to re-open this ticket or open a new one if you have any further questions!
I have set several OCSP paths, but only the first OCSP service path can respond normally, while the others all return
OCSP request for unknown cert received
Sincere thanks and looking forward to your reply!