Good news and bad news! Good news first: I've added all the correct certificates to the certificate chain, and now the following command works OK:

openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text

Response verify OK
/home/oracle/lneves.pem: good

Great!!! Now the bad news... using Apache to make the same test, I now have these errors:

[Fri Jul 16 16:02:27.399755 2010] [debug] [pid 21783] ssl_util_ocsp.c(79): [client 10.14.148.50:54752] connecting to OCSP responder 'ocsp.auc.cartaodecidadao.pt'
[Fri Jul 16 16:02:27.614470 2010] [debug] [pid 21783] ssl_util_ocsp.c(105): [client 10.14.148.50:54752] sending request to OCSP responder
[Fri Jul 16 16:02:28.566401 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Date: Fri, 16 Jul 2010 14:51:24 GMT
[Fri Jul 16 16:02:28.566469 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Server: Apache
[Fri Jul 16 16:02:28.566505 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
[Fri Jul 16 16:02:28.566542 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Expires: Fri, 16 Jul 2010 14:53:24 GMT
[Fri Jul 16 16:02:28.566576 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Cache-Control: max-age=120
[Fri Jul 16 16:02:28.566617 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Content-Length: 2530
[Fri Jul 16 16:02:28.566643 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Connection: close
[Fri Jul 16 16:02:28.566682 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Content-Type: application/ocsp-response
[Fri Jul 16 16:02:28.566720 2010] [debug] [pid 21783] ssl_util_ocsp.c(252): [client 10.14.148.50:54752] OCSP response: got 1127 bytes, 1127 total
[Fri Jul 16 16:02:28.569926 2010] [debug] [pid 21783] ssl_util_ocsp.c(252): [client 10.14.148.50:54752] OCSP response: got 1403 bytes, 2530 total
[Fri Jul 16 16:02:28.569991 2010] [debug] [pid 21783] ssl_util_ocsp.c(235): [client 10.14.148.50:54752] OCSP response: got EOF
[Fri Jul 16 16:02:28.578764 2010] [error] [pid 21783] SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
[Fri Jul 16 16:02:28.578810 2010] [error] [pid 21783] failed to verify the OCSP response
[Fri Jul 16 16:02:28.578927 2010] [error] [pid 21783] [client 10.14.148.50:54752] Certificate Verification: Error (50): application verification failure
[Fri Jul 16 16:02:28.579150 2010] [info] [pid 21783] [client 10.14.148.50:54752] SSL library error 1 in handshake (server beehive.cm-lisboa.net:443)
[Fri Jul 16 16:02:28.579236 2010] [info] [pid 21783] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Jul 16 16:02:28.579275 2010] [info] [pid 21783] [client 10.14.148.50:54752] Connection closed to child 1 with abortive shutdown (server beehive.cm-lisboa.net:443)

Besides this, why do I have to force httpd.conf with a SSLOCSPDefaultResponder directive? Shouldn't the mod_ssl code discover the responder address automatically from the client certificate itself??
> Date: Fri, 16 Jul 2010 13:18:16 +0200
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)
>
> On Fri, Jul 16, 2010, Luis Neves wrote:
>
> > Ok, using your tip I confirmed that the CA certificate is CC0003.pem.
> > I've included it at the end of ca-bundle.crt, PEM encoded like the others in
> > this file, and used it as
> >
> > openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text
> >
> > and still the same error.
> >
>
> Your certificate chain needs to be complete. That is, it has to include the
> root CA (one with issuer and subject the same) and all intermediate
> certificates of the responder certificate.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
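Steve's rule (the bundle handed to -CAfile, or to mod_ssl's trust store, must contain a self-signed root plus every intermediate) is easy to check before touching Apache. The script below is an added example, not code from the thread, OpenSSL or mod_ssl: it walks a PEM bundle with a minimal standard-library DER parser, reports which certificates are self-signed (issuer == subject) and which have an issuer that no certificate in the file carries as its subject, which is exactly the gap that produces "root ca not trusted". The fake_cert_pem() helper and its certificate names are constructed test data, not real certificates; the "self-signed" test here compares names only and does not check the signature, which a real verifier does.

```python
"""Audit a PEM CA bundle for chain completeness (hypothetical example code)."""
import base64
import re

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, off, off + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    off = start
    while off < end:
        tag, vs, ve = der_tlv(buf, off)
        yield tag, vs, ve
        off = ve


def decode_oid(raw):
    """Decode OID content bytes into dotted notation."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def name_to_str(buf, start, end):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as text."""
    parts = []
    for _, set_s, set_e in der_children(buf, start, end):            # each RDN
        for _, atv_s, atv_e in der_children(buf, set_s, set_e):      # each attribute
            (_, oid_s, oid_e), (_, val_s, val_e) = list(der_children(buf, atv_s, atv_e))
            oid = decode_oid(buf[oid_s:oid_e])
            parts.append(f"{OID_NAMES.get(oid, oid)}={buf[val_s:val_e].decode('utf-8', 'replace')}")
    return ",".join(parts)


def cert_names(der):
    """Return (issuer, subject) of a DER Certificate without verifying anything."""
    _, cert_s, _ = der_tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs_s, tbs_e = der_tlv(der, cert_s)           # TBSCertificate SEQUENCE
    fields = list(der_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_to_str(der, *fields[2][1:]), name_to_str(der, *fields[4][1:])


def audit_bundle(pem_text):
    """Report self-signed roots and certificates whose issuer is missing from the bundle."""
    certs = [cert_names(base64.b64decode("".join(m.group(1).split())))
             for m in PEM_RE.finditer(pem_text)]
    subjects = {subject for _, subject in certs}
    roots = sorted(s for i, s in certs if i == s)
    orphans = sorted(s for i, s in certs if i != s and i not in subjects)
    return {"roots": roots, "orphans": orphans}


# --- constructed sample data: structurally valid but unsigned, never trust it ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))  # CN=<cn>
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(issuer_cn, subject_cn):
    """Build a placeholder Certificate whose only realistic parts are the names."""
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
                     + _name(issuer_cn)
                     + _der(0x30, _der(0x18, b"20100716000000Z") + _der(0x18, b"20110716000000Z"))
                     + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(cert).decode()}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    print(audit_bundle(open(sys.argv[1]).read()))   # e.g. /etc/pki/tls/certs/ca-bundle.crt
```

Run it against the bundle given to -CAfile: an empty "roots" list or a non-empty "orphans" list is the same shape of problem as the "root ca not trusted" error above. The script matches names by their rendered text; OpenSSL compares the DER-encoded Name (and, for self-signed detection, checks the signature), so treat this as a quick audit rather than a substitute for openssl verify.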