r509 / r509-ocsp-responder

An OCSP responder written in Ruby. Uses r509 and Sinatra.
http://langui.sh

OCSP Validity #11

Closed sirsiwsh closed 12 years ago

sirsiwsh commented 12 years ago

Hi! A superb effort, thanks for all your work!

Although I'm not a Ruby ninja I can work my way around. I've set up the responder and have it talking successfully to anyone who asks at the URL specified on any distributed certificate.

The thing I'm confused about is how the responder knows whether or not a cert is valid. I guess it has something to do with redis, but I don't know Ruby that well. The responder seems to recognise the certificates as coming from the CA, and seems to perform every action required, however the certificate response is unknown:

```
I, [2012-09-05T16:13:56.474794 #29590] INFO -- : POST Request: MGIwYDA+MDwwOjAJBgUrDgMCGgUABBRsvSsYToXwG+YWxPayk7G35B0RkgQUpTEPLJtN+3LfUwQnDs4fyhU+oDICAQKiHjAcMBoGCSsGAQUFBzABBAQNMAsGCSsGAQUFBzABAQ==
I, [2012-09-05T16:13:56.481642 #29590] INFO -- : [An x509 SUBJECT /C=Mars/L=OuterMongolia, etc] found for issuer
Exception Errno::EINPROGRESS at /etc/ocsp/../redis/connection/ruby.rb:113 - Operation now in progress - connect(2) would block
Exception Errno::EAGAIN at /etc/ocsp/...ruby.rb:49 - Resource temporarily unavailable - read would block
I, [2012-09-05T16:13:56.534462 #29590] INFO -- : POST Request For Serial(s): 2 Status: UNKNOWN UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
188.222.194.182 - - [05/Sep/2012 16:13:56] "POST / HTTP/1.1" 200 1996 0.0610
```

A quick redis restart later gives a few more errors:

```
Exception Errno::ECONNRESET at /etc/ocsp/...ruby.rb:60 - Connection reset by peer
Exception Redis::ConnectionError at /etc/ocsp/..client.rb:200 - Connection lost (ECONNRESET)
Exception Errno::EINPROGRESS at /etc/ocsp/...ruby.rb:113 - Operation now in progress - connect(2) would block
Exception Errno::EAGAIN at /etc/ocsp/.../ruby.rb:49 - Resource temporarily unavailable - read would block
I, [2012-09-05T16:29:45.899352 #29590] INFO -- : POST Request For Serial(s): 9 Status: UNKNOWN UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
188.222.194.182 - - [05/Sep/2012 16:29:45] "POST / HTTP/1.1" 200 1996 0.0363
Exception WEBrick::HTTPStatus::EOFError at /usr/local/rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/webrick/httpserver.rb:80 - WEBrick::HTTPStatus::EOFError
```

But I can connect to redis on the port specified (even though it is not visible from nmap):

```
root@server:~# nc localhost 6379
[24234] 05 Sep 16:54:13 - Accepted 127.0.0.1:57674
[24234] 05 Sep 16:54:14 - DB 0: 6 keys (0 volatile) in 8 slots HT.
[24234] 05 Sep 16:54:14 - 1 clients connected (0 slaves), 802136 bytes in use
```

I read here: http://blog.grayproductions.net/articles/setting_up_the_redis_server that I would have to install a gem for communication between redis and ruby, although that didn't help. Please, are you able to track this issue down? Everything really looks like it should be working, but I can't figure out the problem! I'd be very grateful, please let me know if you need any more information, thanks!

reaperhulk commented 12 years ago

This is one of the areas we haven't documented well yet so I can see why you're running into trouble.

The responder requires redis because it fetches validity data for certificates there. We designed it to be a fail closed system, so any cert it doesn't know about will result in an UNKNOWN response from the responder. To populate the redis DB you can use r509-validity-redis, which is a middleware gem designed for automatically writing to the validity DB after an issuance from r509-ca-http. I'm not sure if you want/need to run a full CA stack, so it may be easier for you to just look at how the validity gem writes to redis and use that to build your own solution.

For your specific problem, the OCSP responder assumes there's a local redis server and that it can connect to it over the default port. It looks like you've got that set up so I'm not sure why you're seeing the Resource temporarily unavailable - read would block errors. Could you give me a few more details on your setup? What version of Ruby are you running? What OS?

sirsiwsh commented 12 years ago

Hi! Thanks for the incredibly fast response!

So, I am running a full CA stack, but it's in pure openssl and I'd quite like it to stay that way, for my own reasons. I guess the r509-validity-redis gem works with the remainder of the r509 to form the ruby ca, so I'd have to write my own interface to redis from my script/s which generate the certs?

I can see the method to insert into redis [all of: `HMSET "cert:" status 0`] - but the source code for r509-validity-redis says I need a cert and issuer. Also, I'd need to know the redis database r509-ocsp will be looking for - do you please have any idea what that might be?

I have to say that method seems a little messy - do you please know of a method (to save me trawling) that can load a valid list from a CRL, for example, or directly from the index.txt file?

Thanks again!

sirsiwsh commented 12 years ago

Back to the issue at hand, here is what happens when I run:

```
rackup config.ru -d
```

```
nil
Exception LoadError at /etc/ocsp/ocspd/ruby/1.9.1/gems/rack-1.4.1/lib/rack/handler/thin.rb:1 - cannot load such file -- thin
Exception LoadError at /etc/ocsp/ocspd/ruby/1.9.1/gems/rack-1.4.1/lib/rack/handler.rb:41 - cannot load such file -- thin
#<Rack::ContentLength:0x00000002cdf0f8
 @app=
  #<Rack::Chunked:0x00000002cdf120
   @app=
    #<Rack::CommonLogger:0x00000002cdf148
     @app=
      #<Rack::ShowExceptions:0x0000000285f640
       @app=
        #<Rack::Lint:0x0000000285f668
         @app=R509::Ocsp::Responder::Server,
         @content_length=nil>,
       @template=
        #<ERB:0x0000000285f5f0
         @enc=#<Encoding:US-ASCII>,
         @filename=nil,
         @safe_level=nil,
         @src=
          "#coding:US-ASCII\n_erbout = ''; _erbout.concat \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 4.01 Transitional//EN\\\" \\\"http://www.w3.org/TR/html4/loose.dtd\\\">\\n<html lang=\\\"en\\\">\\n<head>\\n  <meta http-equiv=\\\"content-type\\\" content=\\\"text/html; charset=utf-8\\\" />\\n  <meta name=\\\"robots\\\" content=\\\"NONE,NOARCHIVE\\\" />\\n  <title>\"\n\n\n\n\n; _erbout.concat((h exception.class ).to_s); _erbout.concat... [continues in HTML]....
          _erbout.force_encoding(__ENCODING__)">>,
     @logger=#<IO:<STDERR>>>>>
R509::Ocsp::Responder::Server
[2012-09-05 18:48:43] INFO WEBrick 1.3.1
[2012-09-05 18:48:43] INFO ruby version [arch]
[2012-09-05 18:48:43] INFO WEBrick::HTTPServer#start: [pid] [port]
```

Although it looks like a restart solved the problem:

```
I, [2012-09-05T18:53:12.469567 #29433] INFO -- : POST Request: [base_64]
I, [2012-09-05T18:53:12.495125 #29433] INFO -- : [Some x509 Subject] found for issuer
Exception Errno::EINPROGRESS at /etc/ocsp/.../ruby.rb:113 - Operation now in progress - connect(2) would block
Exception Errno::EAGAIN at /etc/ocsp/../ruby.rb:49 - Resource temporarily unavailable - read would block
I, [2012-09-05T18:53:12.617242 #29433] INFO -- : POST Request For Serial(s): 9 Status: UNKNOWN UserAgent: Mozilla/5.0 Gecko/20100101 Firefox/14.0.1
109.163.233.205 - - [05/Sep/2012 18:53:12] "POST / HTTP/1.1" 200 1996 0.5576
Exception WEBrick::HTTPStatus::EOFError at /usr/local/rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/webrick/httpserver.rb:80 - WEBrick::HTTPStatus::EOFError
```

meanwhile...

```
[2517] 05 Sep 18:53:09 - 0 clients connected (0 slaves), 794296 bytes in use
[2517] 05 Sep 18:53:12 - Accepted 127.0.0.1:55746
[2517] 05 Sep 18:53:14 - DB 0: 6 keys (0 volatile) in 8 slots HT.
[2517] 05 Sep 18:53:14 - 1 clients connected (0 slaves), 802736 bytes in use
```

So, still unknown, but connected. And it's unknown because redis actually doesn't know about it... guess I'll have to add it using redis-cli. Thanks for your help, I'll leave the post open in case you've got some great tips, but please feel free to close the issue!

sirsiwsh commented 12 years ago

Just a quick update... You can use the redis-cli to communicate directly to the local redis server.

Side note: it really helps to be 100% sure of the serial of the certificate you need to add to redis - redis only stores the serial and a short form validity, so make sure you keep it in sync with your CRL/index database.

Then simply:

```
redis-server
```

You may need to authenticate. At the prompt:

```
redis 127.0.0.1:6379> HMSET "cert:XX" status 0
```

where XX is an integer (with a leading 0 if < 10) which is the same as your certificate serial. In openssl, you can check this by having a look at your index.txt file, located wherever your ca config (.cnf) is stored. The command above should give you `OK`.

Then, quit and reload your browser to get it to check again. This time your OCSP warning won't come up :)

Thanks!!!
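The redis-cli recipe above, and the earlier question about loading validity straight from the CA's index.txt, as an added Ruby example that is not code from r509-ocsp-responder or r509-validity-redis. It parses a constructed OpenSSL `index.txt`, writes one `cert:<serial>` hash per certificate using the `status 0` layout quoted in this thread, and then looks serials up fail-closed the way reaperhulk describes (absent from redis means UNKNOWN). Two things in it are my assumptions rather than anything this thread states, so check them against the r509-validity-redis source before relying on them: `status 1` for revoked certificates, and the extra `revocation_time` / `revocation_reason` fields on revoked entries. One caveat the example handles: `index.txt` records serials in hex while the responder logs them in decimal (`Serial(s): 9`), so `0A` in the index must become key `cert:10`, not `cert:0A`.

```ruby
# Added example (not part of r509-ocsp-responder or r509-validity-redis):
# sync an OpenSSL ca database (index.txt) into per-serial validity hashes
# shaped like the "cert:<serial>" / "status 0" entries described in the thread.
# ASSUMPTIONS (not confirmed by the thread): status 1 = revoked, and revoked
# entries carry "revocation_time" (unix seconds) and "revocation_reason" (CRLReason).
require 'date'

STATUS_VALID   = 0
STATUS_REVOKED = 1   # assumed

# OpenSSL reason strings -> RFC 5280 CRLReason codes.
CRL_REASON = {
  "unspecified" => 0, "keyCompromise" => 1, "cACompromise" => 2,
  "affiliationChanged" => 3, "superseded" => 4, "cessationOfOperation" => 5,
  "certificateHold" => 6, "removeFromCRL" => 8, "privilegeWithdrawn" => 9,
  "aACompromise" => 10,
}.freeze

# Constructed sample of an index.txt (tab-separated). Columns:
# status (V/R/E), expiry, revocation time[,reason], serial (hex), file, subject.
SAMPLE_INDEX = <<~INDEX
  V\t230905120000Z\t\t02\tunknown\t/C=Mars/L=OuterMongolia/CN=alpha
  R\t230905120000Z\t120905143000Z,keyCompromise\t09\tunknown\t/C=Mars/L=OuterMongolia/CN=beta
  V\t230905120000Z\t\t0A\tunknown\t/C=Mars/L=OuterMongolia/CN=gamma
  E\t120101000000Z\t\t0B\tunknown\t/C=Mars/L=OuterMongolia/CN=old
INDEX

IndexEntry = Struct.new(:status, :serial_hex, :revoked_at, :reason, :subject)

# Parse index.txt text into entries; blank lines are skipped.
def parse_index(text)
  text.each_line.map do |line|
    line = line.chomp
    next if line.empty?
    status, _expiry, rev, serial, _file, subject = line.split("\t", 6)
    rev_time, reason = rev.to_s.split(",", 2)
    rev_time = nil if rev_time.nil? || rev_time.empty?
    IndexEntry.new(status, serial, rev_time, reason, subject)
  end.compact
end

# OpenSSL writes times as YYMMDDHHMMSSZ (UTC); return unix seconds.
def openssl_time_to_unix(str)
  h = Date._strptime(str.chomp("Z"), "%y%m%d%H%M%S")
  raise ArgumentError, "bad OpenSSL time #{str.inspect}" if h.nil?
  Time.utc(h[:year], h[:mon], h[:mday], h[:hour], h[:min], h[:sec]).to_i
end

# Redis key and hash fields for one entry. index.txt serials are hex, the
# responder logs decimal, so "0A" becomes "cert:10".
def validity_fields(entry)
  key = "cert:#{entry.serial_hex.to_i(16)}"
  case entry.status
  when "V", "E"   # not revoked; checking the validity period is the client's job
    [key, { "status" => STATUS_VALID }]
  when "R"
    [key, { "status" => STATUS_REVOKED,
            "revocation_time" => openssl_time_to_unix(entry.revoked_at),
            "revocation_reason" => CRL_REASON.fetch(entry.reason || "unspecified") }]
  else
    raise ArgumentError, "unexpected index status #{entry.status.inspect}"
  end
end

# Publish every entry through any client that responds to hmset (the redis gem's
# Redis.new does; MemoryStore below stands in so this runs without a server).
def publish_validity(entries, client)
  entries.each do |e|
    key, fields = validity_fields(e)
    client.hmset(key, *fields.to_a.flatten)
  end
  entries.size
end

# Fail-closed lookup in the spirit of the responder: a serial absent from
# redis is :unknown, never :good, so a sync gap cannot vouch for a certificate.
def ocsp_status(client, serial)
  fields = client.hgetall("cert:#{serial}")
  return :unknown if fields.empty?
  fields["status"].to_i == STATUS_REVOKED ? :revoked : :good
end

# Minimal stand-in for the redis gem's hmset/hgetall; stores strings like redis.
class MemoryStore
  def initialize; @data = {}; end
  def hmset(key, *attrs)
    @data[key] = (@data[key] || {}).merge(Hash[*attrs.map(&:to_s)])
    "OK"
  end
  def hgetall(key); @data.fetch(key, {}); end
end

if __FILE__ == $0
  store = MemoryStore.new
  publish_validity(parse_index(SAMPLE_INDEX), store)
  %w[2 9 10 11 12].each { |s| puts "serial #{s}: #{ocsp_status(store, s)}" }
end
```

Run it against a real CA by replacing `SAMPLE_INDEX` with `File.read("index.txt")` and `MemoryStore.new` with `Redis.new` from the redis gem; re-running after every `openssl ca` issuance or revocation keeps the redis copy in step with the CRL, which is the sync the thread warns about.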