Apache OCSP stapling error (self-issued certificates)

y53ybaqx, posted 2022-11-30 in Apache
Answers (1) | Views (98)

When setting up OCSP stapling in Apache with my local OCSP responder and my local certificate authority, I get an error. My website is reachable over https without any problem (I have added the root to the trusted authorities), but apache returns an error:

[Fri Nov 25 19:03:09.049310 2022] [ssl:error] [pid 1001] AH01935: stapling_check_response: certificate ID not present in response!
[Fri Nov 25 19:03:09.049429 2022] [ssl:error] [pid 1001] AH01943: stapling_renew_response: error in retrieved response!

Here is the openssl s_client attempt:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C17DC2EDAF9ABBD01FF2DC7FB5C7C2C4593047AF
    Produced At: Nov 25 18:03:09 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha256
      Issuer Name Hash: 5FE12EE96C3771B8F6FA83E828A2F69067078B850E3A19B608371119E9C6AFA1
      Issuer Key Hash: 1183E9B1BB88058B7A99ADD680EFB295805E61B62D9C98137B2E8B98665AD53A
      Serial Number: 221D839F050959811CE852B66C532FDE69B581DB
    Cert Status: good
    This Update: Nov 25 18:03:09 2022 GMT
    Next Update: Nov 26 10:03:09 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9e:2c:7a:55:4a:f0:ab:dc:d2:93:96:45:01:97:cf:7b:d3:81:
        33:8e:0f:b9:06:d3:8c:18:c5:3b:5a:e7:a4:f2:3d:5d:2e:12:
        5c:10:17:ef:5c:03:d8:20:20:99:16:02:be:8c:48:97:73:57:
        16:fb:81:56:43:4f:6f:48:33:60:8b:92:e0:2f:21:de:54:84:
        0e:cf:8f:f0:67:51:39:b6:8f:47:6a:2f:6b:b9:d8:b8:fa:c4:
        3f:c6:6d:37:1d:48:11:19:07:84:15:d9:63:bb:5e:cb:53:ba:
        1f:85:44:3f:82:dc:2a:68:7d:e9:60:70:3f:3a:5e:b2:18:fe:
        d2:dc:07:22:e9:b0:0f:f2:f4:d9:69:53:98:21:3a:35:67:6f:
        45:f5:b1:39:1a:d7:19:48:c2:b3:ce:cd:97:0e:de:19:18:58:
        38:31:78:0f:a5:10:14:07:ac:c1:d1:0e:a7:c9:76:80:c6:58:
        eb:85:ee:fa:0f:4c:ec:6c:30:ec:69:5c:34:8e:88:1d:dc:c7:
        c6:a8:92:83:21:5e:d6:ee:de:9b:87:ac:6a:28:bc:b6:31:18:
        cf:00:6f:0f:8e:ba:a1:30:3b:24:64:fc:1a:98:aa:72:c9:76:
        f9:6e:10:18:86:09:79:58:6e:d7:4f:70:b8:db:33:a1:df:3d:
        d7:45:25:39
======================================
---
Certificate chain
 0 s:CN = sslvpn.local, C = FR, O = Internet Widgits Pty Ltd, OU = IT
   i:CN = SSL VPN Services, C = FR, O = SSL VPN
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 17 19:52:50 2022 GMT; NotAfter: Nov 17 19:52:50 2023 GMT
 1 s:CN = SSL VPN Services, C = FR, O = SSL VPN
   i:CN = SSL VPN Root, C = FR, O = SSL VPN Inc.
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 16 00:00:00 2022 GMT; NotAfter: Dec 31 23:59:59 2029 GMT
 2 s:CN = SSL VPN Root, C = FR, O = SSL VPN Inc.
   i:CN = SSL VPN Root, C = FR, O = SSL VPN Inc.
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 16 00:00:00 2022 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
---

The certificate is as follows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:1d:83:9f:05:09:59:81:1c:e8:52:b6:6c:53:2f:de:69:b5:81:db
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = SSL VPN Services, C = FR, O = SSL VPN
        Validity
            Not Before: Nov 17 19:52:50 2022 GMT
            Not After : Nov 17 19:52:50 2023 GMT
        Subject: CN = sslvpn.local, C = FR, O = Internet Widgits Pty Ltd, OU = IT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:ec:15:24:d8:06:68:1a:f8:09:ae:90:3e:2a:
                    9b:e2:7d:35:ec:cd:c5:cf:5b:7d:e3:ac:76:35:08:
                    37:01:a2:56:14:e3:34:7d:69:38:c0:e6:6e:e7:ae:
                    72:bd:03:f7:68:6e:ae:e6:72:c2:bf:0d:88:ad:95:
                    de:97:50:51:15:50:de:08:99:e7:ea:10:a3:df:89:
                    f5:d4:34:81:3d:79:67:ae:39:69:4a:b7:f7:34:3a:
                    cc:f3:a4:05:84:fc:b9:61:94:8a:50:bf:09:70:8a:
                    99:c0:44:5f:b8:65:d5:f9:a6:69:00:94:39:b9:bc:
                    08:aa:a5:23:6f:31:6b:86:14:81:45:53:23:a4:78:
                    ec:23:c9:45:e8:95:55:7a:44:11:95:73:fc:45:27:
                    e5:49:0c:ff:c6:10:24:4b:1c:6a:b0:0d:82:3c:01:
                    da:98:de:82:ac:4b:2d:ee:6d:17:c1:ef:9b:cd:25:
                    b9:b7:71:50:92:e7:9e:aa:28:55:47:f7:a7:6f:ea:
                    b6:d3:37:96:89:af:f4:f2:18:f3:32:a5:88:be:12:
                    d1:24:08:99:40:e2:ac:31:49:d5:52:c5:3e:a9:38:
                    4e:21:d9:28:4b:ed:90:86:62:53:f3:04:d0:5c:f8:
                    37:82:9c:2e:d9:7c:02:a8:1b:b3:96:3e:27:c5:e7:
                    40:35
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9B:FE:4D:F9:81:90:DF:52:AB:0A:53:66:45:AA:99:06:29:95:82:7F
            X509v3 Authority Key Identifier:
                C1:7D:C2:ED:AF:9A:BB:D0:1F:F2:DC:7F:B5:C7:C2:C4:59:30:47:AF
            X509v3 Subject Alternative Name:
                DNS:sslvpn.local, DNS:*sslvpn.local, email:*******
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            Authority Information Access:
                OCSP - URI:*******
            X509v3 Certificate Policies:
                Policy: Policy Qualifier CPS
                  CPS: *******
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        64:32:ed:c5:ca:6a:e8:2d:58:b7:7c:0e:0f:6b:f5:51:38:df:
        42:2c:c6:13:60:26:f6:ae:13:23:be:83:95:d7:ad:88:7c:38:
        dc:9f:01:61:e2:f3:5d:cf:16:b6:6e:9c:3e:76:07:ee:68:67:
        17:d7:83:d2:38:b3:df:3a:cd:bb:f6:34:fd:1b:85:11:bb:a4:
        06:97:a5:c0:60:81:f9:a1:40:67:70:e9:cb:d3:76:43:1c:10:
        b2:1a:7c:1a:5f:3d:48:5a:ee:88:8b:fc:62:fb:c9:f3:33:ef:
        bb:84:f3:14:aa:9d:4c:ac:52:d0:da:c8:48:1d:c8:8b:bb:34:
        cf:b9:41:28:95:21:ae:76:b2:42:5b:ed:89:fa:6c:3a:a2:8a:
        66:ad:af:2d:ae:f3:fa:6d:fb:2f:2d:56:75:d4:9e:b3:88:90:
        c2:4c:c2:cf:f5:b8:2d:75:45:22:6d:ed:6c:46:36:ad:a7:fa:
        dd:13:e5:b0:f0:c2:24:13:8b:08:ef:65:4b:82:08:62:a6:9b:
        06:e5:63:25:f0:2e:fc:87:9c:f7:8e:5a:42:6a:a6:99:90:c9:
        3d:06:be:c1:15:1d:92:b0:38:d7:0d:fe:68:43:41:f6:63:5c:
        62:9e:9a:0a:0f:68:f1:4a:bb:d4:3a:b2:50:2e:d1:5c:1c:54:
        51:46:df:70
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----

Why does apache return this error?

0md85ypi (answer 1)

After a lot of research, I have understood the problem.
During the request, Apache and browsers use the SHA-1 hash to compute the issuer key hash and the issuer name hash, as below:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 467F6C7AF3946017DA85E1ACE9BA717A2CCEF939
          Issuer Key Hash: C17DC2EDAF9ABBD01FF2DC7FB5C7C2C4593047AF
          Serial Number: 094E315FA6ADB9BC3EA20564A7B22EE6EBAA55E0

This is due to RFC 5280. However, my OCSP responder uses SHA-256 for hashing, so the issuer name hash and key hash are different. This is not a big problem for Firefox, since it does not check this, but Apache stapling does check the issuer key hash and therefore returns an error. Mine returns:

Certificate ID:
      Hash Algorithm: sha256

So you should take the hash algorithm from the OCSP request and use it to compute the hashes in the OCSP response. It is still recommended to use SHA-256 for the signature hash made with the private key, since SHA-1 is considered insecure.
Changing the hash algorithm removed the Apache error, and stapling works fine.
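To make the answer's point concrete, here is an added Python example (not from the question or the answer, and not Apache's or OpenSSL's code) that builds RFC 6960 CertIDs the way an OCSP client does and then runs the client-side lookup that mod_ssl's stapling check performs: the SingleResponse is found only when every CertID field, the hash algorithm included, is identical. It assumes a hand-built DER encoding of the issuer DN printed in the chain above (values as PrintableString) and a constructed stand-in for the issuer's public key bits; the serial number is the one from the question's certificate.

```python
import hashlib

# ---- minimal DER encoding, enough to build an X.509 Name for hashing ----

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER from dotted form, e.g. '2.5.4.3' (commonName)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))   # most significant group first
    return der_tlv(0x06, bytes(out))

def encode_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName (each a SET OF one AttributeTypeAndValue).
    Values are encoded as PrintableString here; a real issuer may use UTF8String, and the
    hash covers the exact DER bytes, so the encoding must match the issuer certificate."""
    parts = []
    for oid, value in rdns:
        atv = der_tlv(0x30, der_oid(oid) + der_tlv(0x13, value.encode("ascii")))
        parts.append(der_tlv(0x31, atv))
    return der_tlv(0x30, b"".join(parts))

# ---- RFC 6960 CertID ----

HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

def cert_id(hash_name: str, issuer_name_der: bytes, issuer_key_bits: bytes, serial_hex: str) -> dict:
    """issuerNameHash = H(DER of the issuer Name)
    issuerKeyHash  = H(contents of the issuer subjectPublicKey BIT STRING, tag/length/unused-bits byte excluded)
    hashAlgorithm is part of the identifier itself, not metadata about it."""
    h = HASHES[hash_name]
    return {
        "hashAlgorithm": hash_name,
        "issuerNameHash": h(issuer_name_der).hexdigest().upper(),
        "issuerKeyHash": h(issuer_key_bits).hexdigest().upper(),
        "serialNumber": serial_hex.upper(),
    }

def response_contains(request_id: dict, single_response_ids: list) -> bool:
    """Client-side lookup of the SingleResponse for the requested CertID.
    All four fields must be identical, so a sha256 CertID never matches a sha1 one;
    that is what surfaces as 'certificate ID not present in response'."""
    return any(rid == request_id for rid in single_response_ids)

def demo() -> tuple:
    # Constructed sample input: the issuer DN printed in the question's chain, and a
    # stand-in for the issuer's public key bits (a real value is an RSAPublicKey DER).
    issuer_name = encode_name([("2.5.4.3", "SSL VPN Services"), ("2.5.4.6", "FR"), ("2.5.4.10", "SSL VPN")])
    issuer_key_bits = bytes(range(256))
    serial = "221D839F050959811CE852B66C532FDE69B581DB"  # serial of the leaf in the question

    request_id = cert_id("sha1", issuer_name, issuer_key_bits, serial)            # what mod_ssl sends
    sha256_response = [cert_id("sha256", issuer_name, issuer_key_bits, serial)]   # responder ignoring the request
    echoed_response = [cert_id("sha1", issuer_name, issuer_key_bits, serial)]     # responder echoing the request's algorithm
    return (response_contains(request_id, sha256_response),
            response_contains(request_id, echoed_response))

if __name__ == "__main__":
    print(demo())  # (False, True)
```

The first result reproduces the failure in the question (SHA-1 request, SHA-256 response), the second the fix (the responder echoes the request's hash algorithm in the CertID while still signing the response with SHA-256). A quick sanity check on any responder follows from the same construction: the SHA-1 issuerKeyHash in the request (C17DC2ED…3047AF above) is the same value as the certificate's Authority Key Identifier and the Responder Id, because the common key-identifier method in RFC 5280 is also the SHA-1 of the issuer's subjectPublicKey, so a SHA-1 issuerKeyHash that does not equal the AKI of the certificate being checked means the responder is hashing the wrong key or using a different algorithm.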
