
I've managed to set up an IPsec connection between two (virtual) hosts in transport mode and now I want the server to validate the client's certificate with OCSP. In a third host, I've run an OCSP responder (openssl ocsp -port 80 ...). I can see how the server is able to reach the OCSP, send a query and get a reply, but finally the verification fails.

Here's what the logs say in the server (the IPsec responder):

charon: 01[CFG] checking certificate status of "C=ES, ST=Gipuzkoa, L=Donostia-San Sebastian, O=Tecnalia, CN=client@localhost"
charon: 01[CFG]   requesting ocsp status from 'http://ocsp.localhost' ...
charon: 01[CFG]   using trusted ca certificate "C=ES, ST=Gipuzkoa, L=Donostia-San Sebastian, O=Tecnalia, CN=Tecnalia Root CA"
charon: 01[CFG]   reached self-signed root ca with a path length of 0
charon: 01[CFG]   using trusted certificate "C=ES, ST=Gipuzkoa, L=Donostia-San Sebastian, O=Tecnalia, CN=ocsp.localhost"
charon: 01[CFG]   using certificate "C=ES, ST=Gipuzkoa, L=Donostia-San Sebastian, O=Tecnalia, CN=ocsp.localhost"
charon: 01[CFG] no issuer certificate found for "C=ES, ST=Gipuzkoa, L=Donostia-San Sebastian, O=Tecnalia, CN=ocsp.localhost"
charon: 01[CFG] ocsp response verification failed
charon: 01[CFG] ocsp check failed, fallback to crl

For convenience I've replicated the same certificate files in all the hosts (output trimmed):

/etc/ipsec.d# ls -lR

./cacerts:
total 4
-rw-r--r-- 1 root root 1367 Nov  2 09:53 ca.cert.pem

./certs:
total 8
-rw-r--r-- 1 root root 1432 Nov  2 09:53 client.cert.pem
-rw-r--r-- 1 root root 1700 Nov  2 09:53 localhost.cert.pem

./crls:
total 0

./ocspcerts:
total 4
-rw-r--r-- 1 root root 1379 Nov 10 09:32 ocsp.cert.pem

It is a very simple path where a CA (ca.cert.pem) signs all the certificates - the server certificate (localhost.cert.pem), the client one (client.cert.pem) and the one used by the OCSP responder (ocsp.cert.pem).

This is what I have in the server's ipsec.conf:

ca strongswan-ca
        cacert=ca.cert.pem
        ocspuri=http://ocsp.localhost
        auto=add

I think everything is around that nasty "no issuer certificate found" error, but so far I can't tell why that is happening. If I query the OCSP responder with openssl it doesn't give any verification errors.

  • You might have mixed up some of the certificates or keys. Are you absolutely sure the OCSP response is created by the certificate/key you think it is? – ecdsa Nov 10 '17 at 12:18

1 Answer


Well, turns out that this

For convenience I've replicated the same certificate files in all the hosts

and this

If I query the OCSP responder with openssl it doesn't give any verification errors

were, well, false. At some point I messed up my keys and the OCSP cert/key were different in the OCSP server than in the other machines. So @ecdsa is totally right in their comment.

Everything's fine with my posted configuration, and once I regenerated all the keys and certs again, everything worked fine.
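A check that would have caught this before charon did, added here as an example (not code from the question, the answer or strongSwan): it verifies that the OCSP signer certificate the IPsec hosts keep in ocspcerts/ chains to cacerts/ca.cert.pem, carries the OCSP Signing extended key usage, and has the same public key as the private key the responder is actually started with. The /etc/ipsec.d file names and the responder key file are assumptions; the demo PKI, with a second "stale" CA and a stray key, is constructed inside the script to reproduce the two mismatches behind "no issuer certificate found" and "ocsp response verification failed".

```shell
#!/bin/sh
# Added example, not from the original post. Checks that the OCSP signer cert the
# IPsec hosts trust (ocspcerts/ocsp.cert.pem) chains to cacerts/ca.cert.pem, has the
# OCSP Signing EKU and matches the responder's private key (file names are assumptions).
set -u
# SHA-256 over the DER public key of a certificate ($2=cert) or private key ($2=key),
# so the two can be compared regardless of file format.
pubkey_fp() {
  if [ "$2" = cert ]; then
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null
  else
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null
  fi | openssl dgst -sha256 | awk '{print $NF}'
}
# check_ocsp_signer CA_CERT OCSP_CERT OCSP_KEY -> returns 0 only if all three checks pass
check_ocsp_signer() {
  ca=$1; cert=$2; key=$3; rc=0
  # 1. the signer cert must verify against the CA in cacerts/: a signer issued by a
  #    different (regenerated) CA leaves charon with "no issuer certificate found"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; rc=1
  fi
  # 2. without the OCSP Signing EKU a response signed by this cert is not accepted
  if ! openssl x509 -in "$cert" -noout -text | grep -q 'OCSP Signing'; then
    echo "FAIL: $cert lacks the OCSP Signing extended key usage"; rc=1
  fi
  # 3. the key the responder signs with must be the pair of the distributed cert
  if [ "$(pubkey_fp "$cert" cert)" != "$(pubkey_fp "$key" key)" ]; then
    echo "FAIL: public key in $cert does not match $key"; rc=1
  fi
  return $rc
}
# Constructed throwaway PKI: a CA, an OCSP signer issued by it, plus a second CA and
# a stray key to reproduce the mismatches from the question. Prints the directory.
make_demo_pki() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-CA \
    -keyout "$d/ca.key" -out "$d/ca.cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Stale-CA \
    -keyout "$d/stale.key" -out "$d/stale-ca.cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=ocsp.localhost \
    -keyout "$d/ocsp.key" -out "$d/ocsp.csr" 2>/dev/null
  printf 'extendedKeyUsage=OCSPSigning\n' > "$d/ext"
  openssl x509 -req -days 1 -in "$d/ocsp.csr" -CA "$d/ca.cert.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/ext" -out "$d/ocsp.cert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null
  echo "$d"
}
```

Against a real deployment, run `check_ocsp_signer /etc/ipsec.d/cacerts/ca.cert.pem /etc/ipsec.d/ocspcerts/ocsp.cert.pem <responder key>` on the host that runs `openssl ocsp`; any FAIL line is a copy of the files that has drifted from the rest.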