search

mathiasertl / django-ca

Django app providing a Certificate Authority
GNU General Public License v3.0
145 stars 43 forks source link

OCSP request for unknown cert received #126

Closed PIKACHUIM closed 8 months ago

PIKACHUIM commented 10 months ago

I have set several OCSP paths, but only the first OCSP service path can respond normally, while the others all return OCSP request for unknown cert receivedimage

Sincere thanks and looking forward to your reply!

mathiasertl commented 10 months ago

Hi @PIKACHUIM ,

Thanks for your report! I'll look into it right away.

But just to be sure: do you really have a need for this feature - if you configure CA_DEFAULT_HOSTNAME, there is no need to actually configure these - django-ca will provide fine default values.

In any case, can you also give me

kr, Mat

PIKACHUIM commented 10 months ago

Thank you for your patient reply!

For these reasons, I would like to use a custom OCSP service:

  1. I would like to customize the URL path for OCSP services
  2. I found that the URL path of OCSP set by default CA looks like this 
    ca/ issuer/<hex:serial>.der [name='issuer']
ca/ ocsp/<hex:serial>/cert/ [name='ocsp-cert-post']
ca/ ocsp/<hex:serial>/cert/<base64:data> [name='ocsp-cert-get']
ca/ ocsp/<hex:serial>/ca/ [name='ocsp-ca-post']
ca/ ocsp/<hex:serial>/ca/<base64:data> [name='ocsp-ca-get']
ca/ crl/<hex:serial>/ [name='crl']
ca/ crl/ca/<hex:serial>/ [name='ca-crl']

    I will use NGINX to reverse proxy each CA address, I don't know how to set it up. I need each different CA to have a dedicated OCSP URL.

Information provided: Python version: 3.12 Package version: Django==5.0.1, Django ca=1.27.0, Django object actions==4.2.0 CA Setup: Django app

By the way, what is the mechanism for OCSP to return certificate status judgment Our certification authority has the following structure: image

I imported all the certificates and manually set up three OCSP servers, but only the first OCSP returned Good, while the rest returned Unknown.

Thank you for your help. If you need any further information, I will provide it.

mathiasertl commented 10 months ago

Hi @PIKACHUIM,

I tried to reproduce the issue, but failed. From what I can tell, it works as it should. First, let me answer that question of yours:

By the way, what is the mechanism for OCSP to return certificate status judgment

The certificate has a revoked flag, if it is set, the certificate is considered revoked. You can set it using manage.py revoke or via the admin interface.

But to find the certificate (you get an unknown cert response) a few things need to fall into place. Hopefully by going through them one-by-one, you can find the issue:

So in your case I would check:

  1. Does the ca key in your configuration identify the correct CA?
  2. Do the imported certificates link to the correct CA?
  3. Are you really using the correct URL path for making requests?
  4. Since you mention an NGINX proxy, does the proxy work correctly, and does django-ca get the right request?

You can check point 2 easily with the manage.py list_certs --ca=<serial> command or in the admin interface.

kr, Mat

mathiasertl commented 10 months ago

When trying reproduce the issue, I initialized the project using dev.py init-demo (which also creates OCSP certs), then ran manage.py runserver, with the following configuration:

CA_OCSP_URLS = {
    "root": {
        "ca": "...",
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
        "expires": 3600,
    },
    "ed448": {
        "ca": "...",
        "expires": 3600,
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
    },
    "ed25519": {
        "ca": "...",
        "expires": 3600,
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
    },
}

I then ran the following OCSP requests using the openssl shell:

$ openssl ocsp -CAfile ca/files/root.pub -issuer ca/files/root.pub -cert ca/files/root-cert.pub -url http://localhost:8000/django_ca/ocsp/root/ -resp_text
...
Response verify OK
ca/files/root-cert.pub: good
        This Update: Jan 27 09:15:10 2024 GMT
        Next Update: Jan 27 10:15:10 2024 GMT
$ openssl ocsp -CAfile ca/files/ed448.pub -issuer ca/files/ed448.pub -cert ca/files/ed448-cert.pub -url http://localhost:8000/django_ca/ocsp/ed448/ -resp_text
...
Response verify OK
ca/files/ed448-cert.pub: good
        This Update: Jan 27 09:15:52 2024 GMT
        Next Update: Jan 27 10:15:52 2024 GMT
$ openssl ocsp -CAfile ca/files/ed25519.pub -issuer ca/files/ed25519.pub -cert ca/files/ed25519-cert.pub -url http://localhost:8000/django_ca/ocsp/ed25519/ -resp_text
...
Response verify OK
ca/files/ed25519-cert.pub: good
        This Update: Jan 27 09:16:12 2024 GMT
        Next Update: Jan 27 10:16:12 2024 GMT

If there is anything I might have missed here, or you want to share additional configuration, of course please let me know!

mathiasertl commented 10 months ago

PS: Please note that you're using absolute paths, this is deprecated, see documentation. I will actually remove deprecate support for this in 1.28.0.

PIKACHUIM commented 10 months ago

Thank you for your reply and detailed guidance.I will follow your method to find the problem. If there are any problems or results, I will reply to you. Thank you again for your detailed answer!

mathiasertl commented 8 months ago

closing this topic as there there is no further response. @PIKACHUIM , I hope django-ca is useful to you!

Please feel free to re-open this ticket or open a new one if you have any further questions!