Open bjacke opened 3 years ago
Greetings.
We too are having this issue.
In the openssl-ocsp manpage it says:
-host hostname:port, -path pathname
    If the -host option is present then the OCSP request is sent to the host hostname on port port. The -path option specifies the HTTP pathname to use or "/" by default. This is equivalent to specifying -url with scheme http:// and the given hostname, port, and pathname.

-proxy [http[s]://][userinfo@]host[:port][/path]
    The HTTP(S) proxy server to use for reaching the OCSP server unless -no_proxy applies, see below. The proxy port defaults to 80 or 443 if the scheme is "https"; apart from that the optional "http://" or "https://" prefix is ignored, as well as any userinfo and path components. Defaults to the environment variable "http_proxy" if set, else "HTTP_PROXY" in case no TLS is used, otherwise "https_proxy" if set, else "HTTPS_PROXY".
But neither 'HTTP_PROXY' nor 'http_proxy' is respected.
It would be great if the script would check for those environment variables and update the 'ocsp_log' call if they are set.
- Rath
openssl ocsp does not honor the http_proxy environment variable, and there is no option to specify a proxy.
There is an easy way to use an HTTP proxy though. A typical OCSP fetch command issued by dehydrated is this:
openssl ocsp -no_nonce -issuer /root/letsencrypt.sh/certs/www.example.com/chain.pem -verify_other /root/letsencrypt.sh/certs/www.example.com/chain.pem -cert /root/letsencrypt.sh/certs/www.example.com/cert.pem -respout /root/letsencrypt.sh/certs/www.example.com/ocsp-1631813042.der -url http://r3.o.lencr.org
You need to replace "-url http://r3.o.lencr.org" with "-host proxy.example.com:3128 -path http://r3.o.lencr.org".
As all the other programs used by dehydrated work fine with the http_proxy environment variable set correctly, it would be good if dehydrated could modify the "openssl ocsp" call accordingly when the http_proxy variable is set.
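The rewrite described above, as an added example that is neither dehydrated's own code nor from either poster: a POSIX sh helper that emits the arguments to use in place of "-url ...", switching to "-host proxy:port -path ..." when http_proxy (or HTTP_PROXY) is set, and honouring a no_proxy list the way the manpage's -no_proxy does. The proxy host proxy.example.com:3128 is a placeholder; the default port of 80 for a proxy given without a port is an assumption modelled on the -proxy option's behaviour.

```shell
#!/bin/sh
# Example helper (not dehydrated's own code): build the arguments for
# "openssl ocsp" so the responder in $1 is reached through $http_proxy when
# that variable is set, using the -host/-path rewrite described in this issue.

# Host part of a URL: strip scheme, userinfo, path and port.
url_host() {
  h="${1#*://}"; h="${h##*@}"; h="${h%%/*}"; printf '%s\n' "${h%%:*}"
}

# Succeeds if hostname $1 is covered by the comma-separated no_proxy list $2
# (an entry matches the exact host or, as a domain suffix, its subdomains).
# Runs in a subshell so the IFS change does not leak into the caller.
in_no_proxy() (
  host="$1"
  IFS=','
  for entry in $2; do
    entry="${entry# }"; entry="${entry#.}"
    [ -n "$entry" ] || continue
    case "$host" in
      "$entry"|*".$entry") exit 0 ;;
    esac
  done
  exit 1
)

# Print the argument string that replaces "-url $1" in the openssl ocsp call.
ocsp_url_args() {
  url="$1"
  proxy="${http_proxy:-${HTTP_PROXY:-}}"
  if [ -z "$proxy" ] || in_no_proxy "$(url_host "$url")" "${no_proxy:-${NO_PROXY:-}}"; then
    printf '%s\n' "-url $url"
    return 0
  fi
  # As with openssl's -proxy option, scheme, userinfo and path of the proxy
  # value are ignored; without an explicit port, 80 is assumed (our default).
  hostport="${proxy#*://}"; hostport="${hostport##*@}"; hostport="${hostport%%/*}"
  case "$hostport" in
    *:*) ;;
    *) hostport="$hostport:80" ;;
  esac
  printf '%s\n' "-host $hostport -path $url"
}

# Usage with the responder from the issue; the proxy host is a placeholder.
(http_proxy=http://proxy.example.com:3128; no_proxy=; ocsp_url_args http://r3.o.lencr.org)
# prints: -host proxy.example.com:3128 -path http://r3.o.lencr.org
```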