> Date: Thu, 15 Jul 2010 18:15:32 +0200
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable
> to get local issuer certificate)
>
> On Thu, Jul 15, 2010, Luis Neves wrote:
>
> >
> > some progress:
> >
> > openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert
> > /home/oracle/lneves.pem -url
> > http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile
> > /etc/pki/tls/certs/CC0003.pem -resp_text
> >
> > using CC0003.pem instead of C0002.pem returns GOOD (will try to check why)
> >
> > but still returning the
> >
> > 11323:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
> > error:ocsp_vfy.c:122:Verify error:unable to get issuer certificate
> > /home/oracle/lneves.pem: good
> > This Update: Jul 15 15:29:50 2010 GMT
> >
> > error
> >
>
> For each certificate do this:
>
> openssl x509 -in cert.pem -subject -issuer -noout
>
> The subject of the one you pass to -issuer should match the issuer of the one
> you pass to cert. You need a root CA and the rest of the chain passed to
> -CApath.
>
OK, using your tip I confirmed that the CA certificate is CC0003.pem.
I've included it at the end of ca-bundle.crt, PEM-encoded like the others in this
file, and used it as:
openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert
/home/oracle/lneves.pem -url
http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile
/etc/pki/tls/certs/ca-bundle.crt -resp_text
and still the same error.
If I try to make tests with Apache, the problem gets worse.
I get this in error_log:
[Fri Jul 16 09:42:33.783916 2010] [debug] [pid 10145] ssl_util_ocsp.c(79):
[client 10.14.148.50:45551] connecting to OCSP responder
'ocsp.auc.cartaodecidadao.pt'
[Fri Jul 16 09:42:33.858348 2010] [debug] [pid 10145] ssl_util_ocsp.c(105):
[client 10.14.148.50:45551] sending request to OCSP responder
[Fri Jul 16 09:42:34.076188 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: Date: Fri, 16 Jul 2010
08:31:30 GMT
[Fri Jul 16 09:42:34.076237 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: Server: Apache
[Fri Jul 16 09:42:34.076264 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: X-Powered-By: Servlet 2.4;
JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
[Fri Jul 16 09:42:34.076300 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: Expires: Fri, 16 Jul 2010
08:33:30 GMT
[Fri Jul 16 09:42:34.076327 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: Cache-Control: max-age=120
[Fri Jul 16 09:42:34.076365 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: Content-Length: 2530
[Fri Jul 16 09:42:34.076404 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: Connection: close
[Fri Jul 16 09:42:34.076442 2010] [debug] [pid 10145] ssl_util_ocsp.c(209):
[client 10.14.148.50:45551] OCSP response header: Content-Type:
application/ocsp-response
[Fri Jul 16 09:42:34.076490 2010] [debug] [pid 10145] ssl_util_ocsp.c(252):
[client 10.14.148.50:45551] OCSP response: got 2530 bytes, 2530 total
[Fri Jul 16 09:42:34.076606 2010] [debug] [pid 10145] ssl_util_ocsp.c(235):
[client 10.14.148.50:45551] OCSP response: got EOF
[Fri Jul 16 09:42:34.077905 2010] [error] [pid 10145] SSL Library Error:
error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error (Verify
error:unable to get local issuer certificate)
[Fri Jul 16 09:42:34.077980 2010] [error] [pid 10145] failed to verify the OCSP
response
[Fri Jul 16 09:42:34.078124 2010] [error] [pid 10145] [client
10.14.148.50:45551] Certificate Verification: Error (50): application
verification failure
[Fri Jul 16 09:42:34.078339 2010] [info] [pid 10145] [client
10.14.148.50:45551] SSL library error 1 in handshake (server
beehive.cm-lisboa.net:443)
[Fri Jul 16 09:42:34.078503 2010] [info] [pid 10145] SSL Library Error:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Jul 16 09:42:34.078552 2010] [info] [pid 10145] [client
10.14.148.50:45551] Connection closed to child 1 with abortive shutdown (server
beehive.cm-lisboa.net:443)
and I cannot access my test page on the server.
By the way, I am using self-signed certs on the test system beehive.cm-lisboa.net.
And another problem:
If I don't specify the OCSP responder in httpd.conf I get this error in the
error_log:
[Fri Jul 16 09:47:59.813771 2010] [debug] [pid 10312] ssl_engine_ocsp.c(78):
[client 10.14.148.50:43894] no OCSP responder specified in certificate and no
default configured
[Fri Jul 16 09:47:59.813866 2010] [error] [pid 10312] [client
10.14.148.50:43894] Certificate Verification: Error (50): application
verification failure
[Fri Jul 16 09:47:59.814090 2010] [info] [pid 10312] [client
10.14.148.50:43894] SSL library error 1 in handshake (server
beehive.cm-lisboa.net:443)
[Fri Jul 16 09:47:59.814210 2010] [info] [pid 10312] SSL Library Error:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Jul 16 09:47:59.814247 2010] [info] [pid 10312] [client
10.14.148.50:43894] Connection closed to child 1 with abortive shutdown (server
beehive.cm-lisboa.net:443)
But if I check lneves.pem (the client certificate), I see a reference to it in
the output:
openssl x509 -in /home/oracle/lneves.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5f:d9:33:e0:f2:f9:5d:0f
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=PT, O=Cart\xC3\xA3o de Cidad\xC3\xA3o, OU=subECEstado, CN=EC
de Autentica\xC3\xA7\xC3\xA3o do Cart\xC3\xA3o de Cidad\xC3\xA3o 0003
Validity
Not Before: Nov 20 10:21:19 2009 GMT
Not After : Nov 20 00:00:00 2014 GMT
Subject: C=PT, O=Cart\xC3\xA3o de Cidad\xC3\xA3o,
OU=Autentica\xC3\xA7\xC3\xA3o do Cidad\xC3\xA3o, OU=Cidad\xC3\xA3o
Portugu\xC3\xAAs, SN=FIGUEIREDO CORREIA DAS NEVES, GN=LU\xC3\x8DS
MIGUEL/serialNumber=BI098289861, CN=LU\xC3\x8DS MIGUEL FIGUEIREDO CORREIA DAS
NEVES
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ca:57:9b:3c:7f:43:85:c8:56:de:e5:e3:cd:e7:
be:e3:ee:c0:ce:88:2d:26:fb:f9:8f:af:2f:2e:56:
ec:b9:9b:59:2f:3a:1d:a2:b2:3c:85:87:b0:f1:83:
82:8b:fd:0b:f8:f7:4b:e2:94:c6:24:5c:11:0a:86:
e0:c5:a6:db:17:1d:95:88:81:d1:25:96:4c:d7:2d:
34:6b:86:f7:99:17:39:9d:97:ad:74:b7:a9:55:fe:
e1:16:a7:c9:cf:9a:3b:00:9f:7c:87:2f:b2:26:4c:
4a:59:21:3e:0f:31:08:64:d2:8b:29:83:54:a3:dc:
1e:88:2e:e0:ea:dd:ee:25:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Agreement
X509v3 Subject Key Identifier:
CD:D2:D9:50:04:47:68:4F:5C:16:E4:AE:C4:C2:8A:B3:66:95:59:96
X509v3 Authority Key Identifier:
keyid:92:36:E1:7B:8D:82:49:F2:1B:14:26:F7:CB:87:7F:A6:5D:52:CD:A1
X509v3 Certificate Policies:
Policy: 2.16.620.1.1.1.2.20
CPS: http://www.scee.gov.pt/pcert
User Notice:
Explicit Text:
Policy: 2.16.620.1.1.1.2.4.2.0.7
CPS:
http://pki.cartaodecidadao.pt/publico/politicas/dpc/cc_sub-ec_cidadao_autenticacao_dpc.html
Policy: 2.16.620.1.1.1.2.4.2.0.1.1
CPS:
http://pki.cartaodecidadao.pt/publico/politicas/pc/cc_sub-ec_cidadao_autenticacao_pc.html
X509v3 CRL Distribution Points:
URI:http://pki.cartaodecidadao.pt/publico/lrc/cc_sub-ec_cidadao_autenticacao_crl0003_p0005.crl
2.5.29.46:
0h0f.d.b.`http://pki.cartaodecidadao.pt/publico/lrc/cc_sub-ec_cidadao_autenticacao_crl0003_delta_p0005.crl
Authority Information Access:
OCSP - URI:http://ocsp.auc.cartaodecidadao.pt/publico/ocsp
Netscape Cert Type:
SSL Client, S/MIME
2.5.29.9:
0.0...+.......1...19700327120000Z
So many problems... sorry.
Luis
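Steve's chain check from the quoted reply (the subject of the certificate passed to -issuer must equal the issuer of the client certificate, and the root plus the rest of the chain must be available to -CAfile/-CApath), carried out on a throwaway test chain as an added example. This is not code from the thread or from the OpenSSL project. It assumes only the openssl command line (1.1.1 or newer, for the output formats it parses); the names, the minimal config file and the "0003" sub-CA are constructed stand-ins for CC0003.pem and lneves.pem.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL): build a throwaway
# root -> sub-CA -> client chain, then apply Steve's checks to it.
# Assumes: the openssl CLI, 1.1.1 or newer. Every name below is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# dn FILE subject|issuer : the DN in RFC 2253 form without the "subject="/
# "issuer=" prefix, so the two sides of Steve's check compare as plain strings.
dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# keyid FILE Subject|Authority : hex key identifier from the SKI or AKI
# extension. Older releases print "keyid:" before the AKI hex; the regex
# only picks up the 20-byte identifier, so both formats compare equal.
keyid() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "X509v3 $2 Key Identifier" \
        | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1
}

# issuer_matches ISSUER_PEM CERT_PEM : Steve's subject/issuer check plus the
# AKI/SKI link visible in Luis's -text dump. Succeeds only when both agree.
issuer_matches() {
    [ "$(dn "$1" subject)" = "$(dn "$2" issuer)" ] &&
    [ "$(keyid "$1" Subject)" = "$(keyid "$2" Authority)" ]
}

# chain_ok CAFILE CERT : can OpenSSL build a chain from CERT to a self-signed
# root in CAFILE? OCSP_basic_verify relies on the same path building, so a
# failure here predicts "unable to get (local) issuer certificate".
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# gen_chain DIR : constructed test PKI. A minimal config keeps the run
# independent of the system openssl.cnf; the ext files make the sub-CA a real
# CA and give every issued cert the SKI/AKI pair used by keyid above.
gen_chain() {
    d=$1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > "$d/ca.ext"
    printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,keyAgreement\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > "$d/leaf.ext"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=PT/O=Example Org/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=PT/O=Example Org/CN=Example Sub CA 0003" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=PT/O=Example Org/CN=Example Client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/client.pem" 2>/dev/null
}

gen_chain "$WORK"
# The thread's fix in one line: -CAfile must hold the root AND the sub-CA.
cat "$WORK/root.pem" "$WORK/sub.pem" > "$WORK/ca-bundle.pem"

issuer_matches "$WORK/sub.pem" "$WORK/client.pem" \
    && echo "sub.pem is the right -issuer for client.pem"
chain_ok "$WORK/sub.pem" "$WORK/client.pem" \
    || echo "sub.pem alone as -CAfile: verify fails (the thread's situation)"
chain_ok "$WORK/ca-bundle.pem" "$WORK/client.pem" \
    && echo "root + sub-CA as -CAfile: verify OK"
```

The second chain_ok call reproduces the situation in the thread: the sub-CA is the correct -issuer for the client certificate, yet passing it alone as -CAfile cannot reach a self-signed root, so path building fails the same way OCSP_basic_verify does. Once the bundle carries both the root and the sub-CA (or they are placed in a hashed -CApath directory), the same certificate verifies.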