Hi Sergio,
Test with self-signed: if I create a self-signed cert there is no problem, because there is no chain and no ocsp_uri inside the cert.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
:~$ openssl s_client -showcerts -connect localhorst.org:443
:~$ vim localhorst.org.crt
-----BEGIN CERTIFICATE-----
MIIGXTCCBUWgAwIBAgISBCNdJoHGg0NSqEXm0XRZadzOMA0GCSqGSIb3DQEBCwUA
[...]
aW0N0xphYg5wtFU6uggKYxYBVRoqhn0D264eEYOeQt9MmHy2cD2y3MfB7OE4xT12
xA==
-----END CERTIFICATE-----
:~$ openssl x509 -in localhorst.org.crt -noout -ocsp_uri
http://r3.o.lencr.org
The ocsp_uri is coming from the Let's Encrypt CA.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
When I am using self-signed, I create it this way:
SERVER=own.localhorst.org
openssl genrsa -out $SERVER.nopasskey 4096
openssl req -new -key $SERVER.nopasskey -out $SERVER.csr
openssl x509 -req -days 365 -in $SERVER.csr -signkey $SERVER.nopasskey -out $SERVER.crt
:~$ openssl x509 -in own.localhorst.org.crt -noout -ocsp_uri
-> no output
:~$ openssl x509 -text -in own.localhorst.org.crt
Issuer: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org
Subject: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org
-> no chain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
:~# vim /etc/hosts
127.0.0.1 proxy.localhorst.org
127.0.0.2 own.localhorst.org
:~# sh /usr/share/doc/apache2/examples/setup-instance own
:~# sh /usr/share/doc/apache2/examples/setup-instance proxy
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I create an https Apache:
:~$ vim /etc/apache2-own/sites-enabled/own.conf
ServerName own.localhorst.org
SSLEngine On
SSLCertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
SSLCertificateKeyFile /etc/apache2-own/ssl/own.localhorst.org.nopasskey
DocumentRoot /var/www/html-own
DirectoryIndex index.html
Options -Indexes
AllowOverride None
Require all granted
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/own_error.log
CustomLog ${APACHE_LOG_DIR}/own_access.log combined
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
- - - - - - - - - - - - - - - - - - - - - - - - -
:~# mkdir /var/www/html-own
:~# vim /var/www/html-own/index.html
own
:~# curl -k https://own.localhorst.org
own
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
and a proxy Apache:
:~# vim /etc/apache2-proxy/sites-enabled/000-default.conf
ServerName proxy.localhorst.org
ProxyPreserveHost Off
ProxyRequests Off
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLProxyVerifyDepth 0
SSLProxyCACertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
SSLProxyProtocol -all +TLSv1.2
ProxyPass / https://own.localhorst.org/
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
:~# curl http://proxy.localhorst.org
own
Conclusion so far: with self-signed, no OCSP entry and no chain, there is no
problem.
-------------------------------------------------------------------------
I tried out an easy way with entries in
:~# vim /etc/ssl/openssl.cnf
[...]
authorityInfoAccess=OCSP;URI:http://r3.o.lencr.org/
[...]
in several "places" to get an ocsp_uri inside the self-signed cert created as above,
but with no luck.
To create a complete root CA with a working OCSP responder: no idea so far.
Regards, Horst