View Issue Details

ID: 0000335
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2013-11-20 22:23
Reporter: Sourcerer
Assigned To: Sourcerer
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000335: OCSP responds "unknown"
Description: The OCSP Server at ocsp.cacert.org is currently broken, and delivers "unknown" to all queries. It should answer "good" or "revoked" instead.
I guess that some paths have changed, or something like that.
Additional Information: I have set up the OCSPD at test1.cacert.at now, and configured it properly.
The configuration used there is attached.
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

2006-09-19 02:53

Attachment: ocspd.conf (5,046 bytes)
# OCSPd example configuration file.
# (c) 2001 by Massimiliano Pala - OpenCA Project.
# All rights reserved

[ ocspd ]
default_ocspd	= OCSPD_default		# The default ocspd section

####################################################################
[ OCSPD_default ]

dir		 = /chroot/etc/ocspd		# Where everything is kept
#db		 = $dir/index.txt		# database index file.
md	 	 = sha1

ca_certificate	  = $dir/certs/cacert.crt 	# The CA certificate
ocspd_certificate = $dir/certs/server.crt	# The OCSP server cert
ocspd_key	  = $dir/certs/server.key	# The OCSP server key
pidfile		  = $dir/ocspd.pid		# Main process pid


#server.crt server.key cacert.crt

# User and group the server will run as. It is a good idea
# not to have servers running as root: if an error in the code
# gives an attacker an 'illegal' access method, it is better
# not to hand them additional privileges as well.
user			= root
group			= daemon

# Bind to a specific address. This option is useful if you need
# to listen only on one IP among the available ones.
bind			= *

# Port where the server will listen for incoming requests.
port		 	= 2560

# Max size of accepted requests. Data connection will be closed
# in case this size will be reached.
max_req_size	 	= 8192
max_childs_num		= 1

# Auto-reload interval of the CRL, in seconds. If set to 0 or not
# present, to reload the CRL you'll need to send a SIGHUP
# (kill -1 <pid>) to the parent process.
crl_auto_reload = 3600

# Check CRL validity period. If this parameter is set to #n
# then the CRL is checked every #n secs and if the CRL's validity
# period is expired then all the responses will be set to
# 'unknown'.
# If 'crl_check_validity' is set to '0' or it is absent, all
# responses will be based on the loaded CRL, no matter if it
# is expired or not.
crl_check_validity = 600

# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url.
crl_reload_expired = yes

# Specifies the response section to load the server options
# from
response	= ocsp_response	

# It specifies the section to be used where options about where
# CRL and certificates are kept.
#
# Example section using LDAP for data retrieval
# dbms		= dbms_ldap
#
# Example section using FILES for data retrieval
dbms		= dbms_file

# Enables the ENGINE interface for the server. If set to off then
# no support for ENGINE is loaded. If set to anything but 'off' the
# value must correspond to a section in this configuration file.
# Currently only LunaCA3, LunaSA are directly supported. If you need
# support for other HSM write to the authors.
#
# IMPORTANT NOTE: in case of usage with engine support enabled, put
# the private key ID - look at the HSM documentation - into the
# 'ocspd_key' field above in this file
# engine = HSM

####################################################################
[ ocsp_response ]
dir		 	= /usr/local/ocspd/etc/ocspd

# It is possible to include additional certificates in given
# responses. Put all the certificates you want to include in
# the file pointed to by 'ocsp_add_response_certs', concatenated
# one after the other.
#
# Comment this option if you don't want to add certificates
# to responses.
#ocsp_add_response_certs	= $dir/certs/chain_certs.pem

# Set this option if you want to include the KeyID. If you are
# unsure about this setting, use 'yes'.
ocsp_add_response_keyid	= yes

# next_update_days and next_update_mins allow you to specify in
# each response when new revocation data will be available.
# If the two options are both set to '0' the 'nextUpdate' field
# in the OCSP response will be left NULL indicating new data
# can be made available anytime (this is true if you are issuing
# new CRLs every time a revocation takes place)
next_update_days	= 0
next_update_mins	= 5


####################################################################
[ dbms_ldap ]

#0.ca = @ldap_ca_1

####################################################################
[ dbms_file ]

# We can have as many CAs supported as we want, each CRL will be
# loaded and stored upon server starting
0.ca = @first_ca
1.ca = @second_ca

####################################################################
[ first_ca ]

# You can have the CRL on a simple file in PEM format
#crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_07.crl
crl_url = http://www.cacert.org/revoke.crl

# We need the CA certificate for every supported CRL
# ca_url  = file:////usr/local/ocspd/etc/ocspd/certs/1st_cacert.pem
#ca_url  = file:////usr/local/ocspd/etc/ocspd/certs/cacert.pem
ca_url = http://www.cacert.org/certs/root.crt

####################################################################
[ second_ca ]

# You can have the CRL on a simple file in PEM format
#crl_url = file:////usr/local/ocspd/etc/ocspd/crls/crl_01.crl
crl_url = http://www.cacert.org/class3-revoke.crl


# We need the CA certificate for every supported CRL
#ca_url  = file:////usr/local/ocspd/etc/ocspd/certs/2nd_cacert.pem
ca_url = http://www.cacert.org/certs/class3.crt

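A monitoring probe for the failure described in this report (every query answered "unknown"), added here as an example; it is not part of the bug report, of CAcert's deployment or of OCSPd itself. It wraps the OpenSSL command-line tool `openssl ocsp` (assumed to be installed; the issuer file, certificate file and responder URL are supplied by the caller) and classifies its text output. A response that verifies but reports "unknown" is treated as an alert condition, and a response whose nextUpdate already lies in the past is flagged as stale, which is the state the crl_check_validity comment in the attached configuration describes before OCSPd falls back to "unknown". The parser works on captured output, so the constructed sample outputs in the block are checked offline.

```python
"""Probe for an OCSP responder that answers "unknown" (or serves stale data).

Added example; not code from the bug report, CAcert or OCSPd. It assumes the
OpenSSL CLI is available and wraps `openssl ocsp`; the parsing itself runs
offline on captured output.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Per-certificate verdict lines as printed by `openssl ocsp`, e.g.
# "cert.pem: good" or "0x1234: revoked". Indented detail lines are skipped.
STATUS_RE = re.compile(r"^(?P<subject>\S[^:]*): (?P<status>good|revoked|unknown)\s*$")
UPDATE_RE = re.compile(r"^\s*(?P<field>This|Next) Update: (?P<ts>.+ GMT)\s*$")
OPENSSL_TS = "%b %d %H:%M:%S %Y GMT"


def parse_ocsp_output(text, now=None):
    """Classify `openssl ocsp` output (stdout and stderr concatenated).

    healthy is True only when OpenSSL verified the responder signature, at
    least one certificate was answered, none came back "unknown", and no
    nextUpdate lies in the past (a responder serving data it itself
    considers expired is not healthy even when it says "good").
    """
    now = now or datetime.now(timezone.utc)
    verified = "Response verify OK" in text
    statuses = {}
    stale = False
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            statuses[m.group("subject")] = m.group("status")
            continue
        m = UPDATE_RE.match(line)
        if m and m.group("field") == "Next":
            next_update = datetime.strptime(m.group("ts"), OPENSSL_TS)
            if next_update.replace(tzinfo=timezone.utc) < now:
                stale = True
    unknown = sorted(s for s, st in statuses.items() if st == "unknown")
    return {
        "verified": verified,
        "statuses": statuses,
        "unknown": unknown,
        "stale": stale,
        "healthy": verified and bool(statuses) and not unknown and not stale,
    }


def query_responder(url, issuer_pem, cert_pem, timeout=15):
    """Run `openssl ocsp` against a live responder and classify the answer.

    -issuer, -cert, -url and -CAfile are real OpenSSL flags; the file paths
    are the caller's. Returns (exit_code, parsed); a non-zero exit code
    means the probe should raise an alert.
    """
    cmd = ["openssl", "ocsp", "-issuer", issuer_pem, "-cert", cert_pem,
           "-url", url, "-CAfile", issuer_pem]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    parsed = parse_ocsp_output(proc.stdout + proc.stderr)  # verify line is on stderr
    return (0 if parsed["healthy"] else 2), parsed


# Constructed sample outputs, shaped like `openssl ocsp` prints them;
# PROBE_TIME is a constructed "now" so the freshness check is deterministic.
PROBE_TIME = datetime(2006, 9, 19, 2, 53, tzinfo=timezone.utc)
SAMPLE_GOOD = (
    "Response verify OK\n"
    "cert.pem: good\n"
    "\tThis Update: Sep 19 02:50:00 2006 GMT\n"
    "\tNext Update: Sep 19 02:55:00 2006 GMT\n"
)
SAMPLE_UNKNOWN = SAMPLE_GOOD.replace("cert.pem: good", "cert.pem: unknown")
SAMPLE_STALE = SAMPLE_GOOD.replace("Next Update: Sep 19 02:55:00 2006 GMT",
                                   "Next Update: Sep 18 02:55:00 2006 GMT")

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Usage: probe.py <responder-url> <issuer.pem> <cert.pem>
        code, result = query_responder(*sys.argv[1:])
        print(result)
        sys.exit(code)
    for name, sample in (("good", SAMPLE_GOOD), ("unknown", SAMPLE_UNKNOWN),
                         ("stale", SAMPLE_STALE)):
        print(name, parse_ocsp_output(sample, now=PROBE_TIME))
```

Run without arguments it classifies the three constructed samples; with a responder URL, issuer file and certificate file it queries the live responder and exits non-zero on an "unknown" verdict, a signature that does not verify, a responder error, or a nextUpdate that has already passed. The last check matters with a configuration like the attached one, where next_update_mins = 5 promises fresh data every five minutes.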

Sourcerer

2006-11-28 04:27

administrator ~0000746

The update to the new version and the regular restarts have solved the issue now.
It would still be interesting to see whether the regular restarts are still needed now.

Issue History

Date Modified Username Field Change
2006-09-19 02:53 Sourcerer New Issue
2006-09-19 02:53 Sourcerer File Added: ocspd.conf
2006-09-19 19:45 Sourcerer Status new => needs work
2006-09-19 19:45 Sourcerer Assigned To => duane
2006-11-27 11:26 duane Assigned To duane => Sourcerer
2006-11-27 11:27 duane Status needs work => solved?
2006-11-27 11:27 duane Resolution open => fixed
2006-11-28 04:27 Sourcerer Status solved? => closed
2006-11-28 04:27 Sourcerer Note Added: 0000746
2013-01-14 20:31 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public