From: Massimiliano P. <dir...@op...> - 2015-03-27 16:58:23
Hi Prune,

have you tried to check the request and see what CAID is sent from your client? It should not matter, but try to select SHA1 instead of SHA256 (really a shot in the dark..).

Cheers,
Max

On 3/27/15 7:12 AM, prune wrote:
> I expect everything is OK as I have in the logs:
>
> Mar 26 17:34:15 2015 GMT [701257] INFO: [pki_config.c:1030] [DEBUG] Loading file /opt/data/apps/ocspd-3.1.0/etc/ocspd/ca.d/mydomain.xml
> Mar 26 17:34:15 2015 GMT [701257] INFO: [pki_config.c:1046] [DEBUG] Loaded /opt/data/apps/ocspd-3.1.0/etc/ocspd/ca.d/mydomain.xml file
> Mar 26 17:34:15 2015 GMT [701257] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA256
> Mar 26 17:34:15 2015 GMT [701257] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA1
> Mar 26 17:34:15 2015 GMT [701257] INFO: [config.c:382] [DEBUG] Building CA List
> Mar 26 17:34:15 2015 GMT [701257] INFO: [config.c:517] [DEBUG] Got CRL Url -> file:///opt/data/apps/ocspd-3.1.0/etc/ocspd/ca.d/mydomain.crl
> Mar 26 17:34:15 2015 GMT [701257] INFO: [crl.c:166] [DEBUG] CRL signature is verified!
> Mar 26 17:34:15 2015 GMT [701257] INFO: CRL matching CA cert ok [ 1 ]
> Mar 26 17:34:15 2015 GMT [701257] INFO: [crl.c:243] [DEBUG] CRL::Verify 1 [OK=1]
> Mar 26 17:34:15 2015 GMT [701257] INFO: INFO::CRL::1 Entries [ mydomain.com ]
> Mar 26 17:34:15 2015 GMT [701257] INFO: Configuration loaded and parsed
>
>
> On 27Mar, 2015, at 05:29, Martin Hecht <he...@hl...> wrote:
>
>> Hi Prune,
>>
>> Is the xml-configuration file (and if you use a path for the caCertUrl, also that file) readable for the ocspd user/group which you specify on the configure command line? I'm not sure if there are any messages when ocspd is unable to read these files or if it silently assumes the files were empty and simply ignores them.
>>
>> I am using an absolute path to the pem-formatted ca-certificate file and I had to add the ocspd user to the apache group, configure ocspd to run as ocspd:apache and make some directories group-readable.
>>
>>
>> On 03/26/2015 05:17 PM, prune wrote:
>>> Thanks for the answer.
>>> I think I figured out almost everything. Still, I can't get the OCSP server to answer any request.
>>>
>>> The debug + verbose logs show:
>>>
>>> Mar 9 18:13:04 bubinga ocspd[992488]: Connection from [127.0.0.1]
>>> Mar 9 18:13:04 bubinga ocspd[992488]: Request for certificate serial 4101
>>> Mar 9 18:13:04 bubinga ocspd[992488]: request for non recognized CA [serial 4101]
>>>
>>> Whatever I do...
>>>
>>> I tried to add some debug in the code, and it seems my CA certificate (defined in the ca.d directory) can't match anything...
>>> The certificate I want to check has a serial (4101 in hex) and an issuer (the subject of the issuer, in fact).
>>> What could make the ocspd daemon think my CA and my certificates do not match? (The certificate is NOT revoked, so it is not in the CRL file.)
>>> ...
>>>
>>> I tried to detail everything here, but for now I'm still stuck at the same point. My boss is asking me to set up a Windows OCSP responder now, so some help would be GREATLY appreciated :)
>>>
>>> http://sourceforge.net/p/openca/mailman/openca-ocspd/thread/61C902F7-ADC9-4B06-8CFD-82934BADE2F5%40lecentre.net/#msg33574002
>>>
>>> Many thanks for your time!
>>>
>>
>
> _______________________________________________
> Openca-ocspd mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openca-ocspd
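Added example, not code from the thread, from ocspd or from OpenCA: the matching step Max is asking prune to inspect. An OCSP request identifies the issuer with a CertID (RFC 6960, section 4.1.1) that carries a hashAlgorithm, an issuerNameHash over the DER encoding of the issuer's Name, and an issuerKeyHash over the issuer's subjectPublicKey bits (the BIT STRING value without tag, length or unused-bits byte). A responder has to recompute both digests with the algorithm the client chose and compare them against every configured CA; a miss is what "request for non recognized CA" reports. The block below builds a constructed CA name and RSA SubjectPublicKeyInfo (not a real certificate), computes the CertID digests for SHA-1 and SHA-256, and contrasts a matcher that honours the request's hashAlgorithm with a hypothetical one that only compares against SHA-1 digests precomputed at startup, which is one way a SHA-256 request could be rejected while a SHA-1 request succeeds. The names `match_ca`, `match_ca_sha1_only` and `CA_TABLE` are illustrative; whether ocspd 3.1.0 matches this way is not something the thread establishes.

```python
"""OCSP CertID issuer hashes (RFC 6960 4.1.1) and CA matching, stdlib only.
Added example; the CA below is constructed sample data, not a real issuer."""
import hashlib

# hashAlgorithm OIDs seen in the CertID of real OCSP requests
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def issuer_key_hash_input(spki_der: bytes) -> bytes:
    """Bytes RFC 6960 hashes for issuerKeyHash: the subjectPublicKey BIT STRING
    value, without its tag, length or leading unused-bits byte."""
    _, spki, _ = der_read(spki_der)    # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = der_read(spki)         # skip AlgorithmIdentifier
    tag, bitstr, _ = der_read(spki, pos)
    assert tag == 0x03, "expected BIT STRING"
    return bitstr[1:]


def cert_id_hashes(issuer_name_der: bytes, issuer_spki_der: bytes, algo: str):
    """(issuerNameHash, issuerKeyHash) for one hash algorithm."""
    digest = lambda b: hashlib.new(algo, b).digest()
    return digest(issuer_name_der), digest(issuer_key_hash_input(issuer_spki_der))


def match_ca(request_certid: dict, ca_table: list):
    """Correct responder behaviour: recompute both digests with the algorithm
    named in the request's CertID and compare against each configured CA."""
    algo = HASH_OIDS.get(request_certid["hashAlgorithm"])
    if algo is None:
        return None                    # unknown hashAlgorithm: cannot match
    for ca in ca_table:
        nh, kh = cert_id_hashes(ca["name_der"], ca["spki_der"], algo)
        if (nh, kh) == (request_certid["issuerNameHash"], request_certid["issuerKeyHash"]):
            return ca["label"]
    return None


def match_ca_sha1_only(request_certid: dict, ca_table: list):
    """Hypothetical faulty responder: compares only against SHA-1 digests and
    ignores hashAlgorithm, so every SHA-256 request is an unrecognised CA."""
    for ca in ca_table:
        nh, kh = cert_id_hashes(ca["name_der"], ca["spki_der"], "sha1")
        if (nh, kh) == (request_certid["issuerNameHash"], request_certid["issuerKeyHash"]):
            return ca["label"]
    return None


def constructed_ca(cn: str, modulus: bytes) -> dict:
    """Constructed sample CA: Name = SEQUENCE{SET{SEQUENCE{OID cn, UTF8String}}},
    SPKI = SEQUENCE{SEQUENCE{OID rsaEncryption, NULL}, BIT STRING{RSAPublicKey}}."""
    cn_attr = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode()))
    name = der_tlv(0x30, der_tlv(0x31, cn_attr))
    rsa_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_tlv(0x02, modulus) + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + rsa_key))
    return {"label": cn, "name_der": name, "spki_der": spki}


# Constructed sample input: one configured CA with a dummy 512-bit modulus.
CA_TABLE = [constructed_ca("mydomain CA", bytes(range(1, 65)))]


def client_certid(ca: dict, algo_oid: str) -> dict:
    """What a client puts in CertID for a certificate issued by `ca` (serial omitted)."""
    nh, kh = cert_id_hashes(ca["name_der"], ca["spki_der"], HASH_OIDS[algo_oid])
    return {"hashAlgorithm": algo_oid, "issuerNameHash": nh, "issuerKeyHash": kh}


def compare_responders() -> dict:
    """For each client hash choice: (per-request-algorithm match, sha1-only match)."""
    out = {}
    for oid, algo in HASH_OIDS.items():
        req = client_certid(CA_TABLE[0], oid)
        out[algo] = (match_ca(req, CA_TABLE), match_ca_sha1_only(req, CA_TABLE))
    return out


if __name__ == "__main__":
    for algo, (good, sha1_only) in compare_responders().items():
        print(f"client uses {algo:6}: per-request algorithm -> {good!r}, sha1-only table -> {sha1_only!r}")
```

Running it shows the SHA-1 request matched by both strategies and the SHA-256 request matched only by the responder that honours hashAlgorithm. To see which CertID a real client sends, capture the DER request and dump it with `openssl ocsp -reqin request.der -req_text`; the "Hash Algorithm", "Issuer Name Hash" and "Issuer Key Hash" lines can then be compared against the digests computed from the CA certificate in ca.d.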