
Signature was not authorized by the OCSP Server

Open lOddifyr2 opened this issue 1 year ago • 14 comments

Hi!

On 2024/10/11 we started to have an issue with a receiving endpoint. I have found that the error happens during lookup and the error message is as the title says: Your signature was not authorized by the OCSP Server. The last transaction that was successful was the day before (2024/10/10).

This access point is the only one that throws this error, and I'm not sure how or even where to start looking for the error. Does anyone have some tips on how to solve this? We are running a bit of an old AP (4.1.0).

The stacktrace:

ERROR Client CorrelationId d48438eb-bf33-497e-867d-33f9392e3a99: Exception while sending message.
no.difi.oxalis.api.lang.OxalisTransmissionException: Your signature was not authorized by the OCSP Server.
    at no.difi.oxalis.outbound.lookup.CachedLookupService.lookup(CachedLookupService.java:73)
    at no.difi.oxalis.api.lookup.LookupService.lookup(LookupService.java:57)
    at no.difi.oxalis.outbound.transmission.TransmissionRequestBuilder.build(TransmissionRequestBuilder.java:208)
    at com.reknes.ap.bluegrass.oxalis.OxalisOutbound.send(OxalisOutbound.java:237)
    at com.reknes.ap.bluegrass.Client.messageReceived(Client.java:173)
    at com.reknes.ap.bluegrass.ovary.RabbitMqConsumer.fireMessage(RabbitMqConsumer.java:75)
    at com.reknes.ap.bluegrass.ovary.RabbitMqConsumer.handleDelivery(RabbitMqConsumer.java:33)
    at com.rabbitmq.client.impl.ConsumerDispatcher$5.run(ConsumerDispatcher.java:149)
    at com.rabbitmq.client.impl.ConsumerWorkService$WorkPoolRunnable.run(ConsumerWorkService.java:104)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: no.difi.vefa.peppol.security.lang.PeppolSecurityException: Your signature was not authorized by the OCSP Server.
    at no.difi.vefa.peppol.security.util.DifiCertificateValidator.validate(DifiCertificateValidator.java:64)
    at no.difi.oxalis.commons.mode.OxalisCertificateValidator.perform(OxalisCertificateValidator.java:48)
    at no.difi.oxalis.commons.mode.OxalisCertificateValidator.validate(OxalisCertificateValidator.java:33)
    at no.difi.vefa.peppol.lookup.LookupClient.getEndpoint(LookupClient.java:105)
    at no.difi.vefa.peppol.lookup.LookupClient.getEndpoint(LookupClient.java:115)
    at no.difi.oxalis.outbound.lookup.CachedLookupService.load(CachedLookupService.java:79)
    at no.difi.oxalis.outbound.lookup.CachedLookupService.load(CachedLookupService.java:46)
    at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529)
    at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278)
    at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155)
    at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2045)
    at com.google.common.cache.LocalCache.get(LocalCache.java:3953)
    at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3976)
    at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4960)
    at no.difi.oxalis.outbound.lookup.CachedLookupService.lookup(CachedLookupService.java:71)

lOddifyr2 (Oct 25 '24 07:10)

You're seeing the message "Your signature was not authorized by the OCSP Server" because the OCSP response returned as "UNAUTHORIZED." Please verify the certificate. Additionally, we recommend upgrading your Oxalis version to the latest release, which is 6.7.0. Currently, you are using version 4.1.0, released on September 18, 2019, which is nearly five years old. The version you are using is neither compliant with the OpenPeppol specification nor supported by the Oxalis community.

aaron-kumar (Oct 25 '24 13:10)

I understand. I have talked to the AP we're trying to communicate with; they tell me that the OCSP URL is an Amazon OCSP server. They use a certificate from Amazon, we use Digicert. I'm not sure what certificate I need to verify, how, and why all the other APs work fine.

We are planning to remove our AP, that's why the upgrade has not happened. Maybe we have to just upgrade and delay the removal.

lOddifyr2 (Oct 25 '24 14:10)

AP certificate and Amazon certificate... Sorry, not getting it. OpenPeppol AP certificates are issued by Digicert and the OCSP check happens at: pki-ocsp.symauth.com

Yes, I recommend upgrading to the latest Oxalis version ASAP.

aaron-kumar (Oct 25 '24 15:10)

Sorry if I'm not the best at describing the issue. I'm a bit confused myself about which certificate throws the OCSP error. Is it the Peppol AP certificate? Or is it the SSL certificate on the sending AP or the receiving AP? I can narrow the issue down a bit if I know where to start looking.

I have just had the Oxalis AP code handed over to me without much documentation. Not so easy to find where to start.

lOddifyr2 (Oct 25 '24 17:10)

What is the identifier you are sending to? Or does it happen with all receivers?

By the stacktrace it looks like an issue with the receiving endpoint certificate.

Try to check the receiver number with https://peppol.helger.com/public/menuitem-tools-participant . If it fails, the issue is with the receiver.

In general, an UNAUTHORIZED OCSP response is returned when you validate a certificate against the wrong OCSP server. This can happen if you have the wrong certificate chain. Peppol lookup uses peppol-security https://github.com/OxalisCommunity/vefa-peppol/blob/master/peppol-security/src/main/resources/pki/ for the corresponding mode (PROD/TEST) to build the certificate chain. Maybe your deployment is corrupted, or for some reason it detected TEST mode but you send to PROD endpoints or vice versa, or the receiving endpoint published a TEST certificate to the PROD SMP...

It is funny that Google, searching for "Your signature was not authorized by the OCSP Server.", found only some Bolivian open source project https://gitlab.agetic.gob.bo/firmador_estatal/firmador-libreria/blob/develop/src/main/java/bo/gob/softwarelibre/firmadorestatal/firma/ocsp/OcspResponse.java#L44

dladlk (Oct 25 '24 19:10)

@dladlk Thanks for adding a bit more detail and a pointer to where it can go wrong.

Regarding the error message "Your signature was not authorized by the OCSP Server.", if you had narrowed the search down to only the Oxalis repos, you would have found it in https://github.com/OxalisCommunity/pkix-ocsp/blob/6820130842426917f6c4da02146c4444cf89e4aa/src/main/java/network/oxalis/pkix/ocsp/OcspResponse.java#L16 . Better not to rely fully on Google when we have our own codebase supporting that :)

aaron-kumar (Oct 25 '24 20:10)

What is the identifier you are sending to? Or it happens with all receivers?

From the logs on our side, all transactions to this AP fail. We send to lots of other APs without any issues. On the 10th of October everything was fine; on the 11th things started failing. I know we haven't made any changes on our side.

Will check more tomorrow when I'm at work again.

lOddifyr2 (Oct 27 '24 20:10)

We are experiencing the same issues and it began on 3.10.2024. Like @lOddifyr2, we haven't made any changes to our access point environment during this period. I have found this issue against just three access points, but in the latest cases there is now only one access point left that we're experiencing these issues with.

senikk (Oct 29 '24 13:10)

Can you give an identifier of such a receiver with which you experience the issue, so we can check what is specific in the SMP response for it?

dladlk (Oct 29 '24 13:10)

Last failed: 0192:967354147

senikk (Oct 29 '24 13:10)

As a data point: we're running vanilla Oxalis 6.7.0 and have not seen this error. We've successfully sent a number of messages to the receiver mentioned in the previous comment, both before and after 3.10.2024.

OysteinLq (Oct 29 '24 14:10)

As far as I can see, it does not matter which Oxalis you use.

OCSP lookup just gives the serial number of the certificate in question to the URL found in the intermediate certificate of the OCSP server; in the case of Peppol PROD it is http://pki-ocsp.symauth.com . The certificate behind 0192:967354147 at the moment is "CN=PNO000069,OU=PEPPOL PRODUCTION AP,O=Zirius AS,C=NO" with serial number 1982651222214714653256608975004600879 / 0x017DD8409B36939FD846B8343BA78A2F, and for some reason the OCSP server returns code 6 (UNAUTHORIZED) for this serial number, although the certificate is ACTUALLY signed by this CA, so it looks like some issue in their database for this serial number...

I would suggest that Zirius contact DigiCert ASAP and ask them to check why the above-mentioned serial number is not authorized although you have it signed by them.

dladlk (Oct 29 '24 15:10)

@dladlk When trying to send EHF to Zirius from Reknes or Uni Micro, which certificate is validated by OCSP? The sender certificate or the receiver AP certificate? What is the flow in Oxalis: does it look up the recipient endpoint and then validate the receiver Peppol certificate using OCSP?

DeepaZirius (Oct 29 '24 16:10)

As an Access Point Provider who earns money on this, you are expected to understand the standard flow of document exchange in Peppol. OCSP validation is not specific to Oxalis.

But in short: ANY certificate should be checked for revocation, either via CRL or via OCSP. Look at the stacktrace at the beginning of this issue: OCSP fails on lookup result validation.

Just write some simple code to validate the certificate of PNO00069 yourself and you will get the same error. Try to validate any other valid certificate and you get no exception. Conclusion: something is wrong with that certificate at DigiCert.

Finally, check DigiCert status page - https://status.digicert.com/incidents/5l59dym75xw1 :

"We have identified an issue affecting a subset of OCSP responses. Our team is currently working to resolve the problem. The issue is presenting as erroneous unauthorized responses.

We appreciate your patience and will provide updates as soon as the issue is resolved. Posted 19 days ago. Oct 11, 2024 - 01:11 UTC"


I think it explains the case.

Please don't forget to post the results of the request to DigiCert here.

dladlk (Oct 29 '24 18:10)
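The check dladlk describes above (send the certificate's serial number, together with a hash of the issuer, to the responder URL from the certificate's Authority Information Access extension, then read the response status, where 6 means UNAUTHORIZED) as an added example; this is not code from the thread or from the Oxalis project. It uses Python's `cryptography` package, and everything demo-specific is constructed: the self-signed certificate, the responder URL http://ocsp.example.invalid and `unauthorized_responder`, which stands in for a responder answering the way the thread describes; `http_post` is the transport you would use against a real responder with a real AP certificate and its issuing CA.

```python
import datetime
import urllib.request
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

DER = serialization.Encoding.DER


def ocsp_url(cert):  # first OCSP responder URL in the Authority Information Access extension
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    return next((d.access_location.value for d in aia
                 if d.access_method == AuthorityInformationAccessOID.OCSP), None)


def http_post(url, body):  # default transport: POST the DER-encoded request to the responder
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read()


def check_status(cert, issuer, post=http_post):
    """Ask the responder about cert (hashed issuer name/key + serial) and summarise its answer."""
    url = ocsp_url(cert) or ocsp_url(issuer)  # AIA of the checked cert, else of its issuer
    if url is None:
        return "NO_OCSP_URL"
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    resp = ocsp.load_der_ocsp_response(post(url, req.public_bytes(DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return f"{resp.response_status.name} ({resp.response_status.value})"  # e.g. "UNAUTHORIZED (6)"
    return resp.certificate_status.name  # GOOD, REVOKED or UNKNOWN


def make_demo_cert(responder_url="http://ocsp.example.invalid"):
    """Constructed throwaway self-signed certificate (not a Peppol one) so the check runs offline."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo AP")])
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(responder_url))])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1)).add_extension(aia, False)
            .sign(key, hashes.SHA256()))


def unauthorized_responder(url, der_request):  # constructed stand-in for a responder returning status 6
    return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
```

With the demo certificate the issuer argument is the certificate itself; for a real AP certificate pass its issuing CA certificate, because the responder identifies the certificate by issuer hash plus serial number.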

Converting this to a discussion. Not an Oxalis issue.

aaron-kumar (Nov 08 '24 05:11)