
CFSSL: Cloudflare's PKI and TLS toolkit

Results 136 cfssl issues

Certificate serial stored as Decimal instead of Hex

Comment 1:

@cbroglie Something that you are aware of?

Comment 2:

You're correct that cfssl stores the serial number as decimal. Changing that while maintaining backwards compatibility would be difficult, but changing ocspserve to handle both decimal and hex input sounds reasonable. PRs are welcome.

Comment 3:

Any specific reason to maintain backwards compatibility for ocspserve? I find it hard to imagine it ever worked correctly as it's searching the certs incorrectly?
With regards to sending a PR, unfortunately I don't understand golang at all. If it was Ruby or Python it would be a lot easier ;-)

Comment 4:

Since I'll need this OCSP functionality in the near future I thought I would look into this issue and work on a PR. However, I'm having a hard time reproducing this issue. I'm on macOS Mojave 10.14 with `openssl version` reporting `LibreSSL 2.6.4`.

This is how I first generate my certificate from CFSSL with [HTTPie](https://httpie.org/):

```sh
$ echo '{"request":{"CN":"Test"}}' | \
 http POST http://127.0.0.1:8888/api/v1/cfssl/newcert | \
 jq .result.certificate | \
 sed 's,\\n,\n,g' > my-cert.pem
```

Then I produce a new OCSP dump for CFSSL:

```sh
$ cfssl ocsprefresh \
 -db-config my-config.json \
 -ca my-ca.pem \
 -responder my-ca.pem \
 -responder-key my-ca-key.pem
```

```sh
$ cfssl ocspdump -db-config my-config.json > ocsp-responses
```

```sh
$ cfssl ocspserve -address=0.0.0.0 -port=8889 -loglevel=0 -responses=ocsp-responses
```

Now I try to check my certificate towards the API:

```sh
$ openssl ocsp \
 -no_nonce \
 -text \
 -issuer root-ca.pem \
 -cert my-cert.pem \
 -CAfile root-ca.pem \
 -respout response.out \
 -reqout request.out \
 -url http://127.0.0.1:8889

OCSP Request Data:
 Version: 1 (0x0)
 Requestor List:
 Certificate ID:
 Hash Algorithm: sha1
 Issuer Name Hash: C67A6BCE137782A7C759B091B881C6B7038111B4
 Issuer Key Hash: D9DDA678A8B7292A7C16033195A350C8AF6A8C95
 Serial Number: 2FF85295B184F7DC2D9E6B1FF3AB2E41C96BAC64
[...]
/path/to/my-cert.pem: good
 This Update: Mar 27 08:00:00 2019 GMT
 Next Update: Mar 31 08:00:00 2019 GMT
```

So obviously this worked just fine for me with `openssl`. Since I stored the request in `request.out` I tried to do the same test with HTTPie:

```sh
$ http http://127.0.0.1:8889/"$(cat request.out | base64)"
HTTP/1.1 200 OK
Cache-Control: max-age=342249, public, no-transform, must-revalidate
Content-Length: 707
Content-Type: application/ocsp-response
Date: Wed, 27 Mar 2019 08:55:50 GMT
Etag: "B41133AA94018641D175E0A80B5F6EFDAB482275625A663B5DA392E7A73232F7"
Expires: Sun, 31 Mar 2019 08:00:00 UTC
Last-Modified: Wed, 27 Mar 2019 08:00:00 UTC



+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+
```

So again, I get the expected response from CFSSL including the OCSP response in binary form back.

If I check what's actually in the request created by `openssl` it looks like this:

```sh
$ hexdump request.out
0000000 30 55 30 53 30 51 30 4f 30 4d 30 09 06 05 2b 0e
0000010 03 02 1a 05 00 04 14 c6 7a 6b ce 13 77 82 a7 c7
0000020 59 b0 91 b8 81 c6 b7 03 81 11 b4 04 14 d9 dd a6
0000030 78 a8 b7 29 2a 7c 16 03 31 95 a3 50 c8 af 6a 8c
0000040 95 02 14 2f f8 52 95 b1 84 f7 dc 2d 9e 6b 1f f3
0000050 ab 2e 41 c9 6b ac 64
0000057
```

As seen in the fourth row the value of the serial is in fact an integer of length 14 (`02 14`). More details can be found with an [ASN.1 Decoder](https://lapo.it/asn1js/#MFUwUzBRME8wTTAJBgUrDgMCGgUABBTGemvOE3eCp8dZsJG4gca3A4ERtAQU2d2meKi3KSp8FgMxlaNQyK9qjJUCFC_4UpWxhPfcLZ5rH_OrLkHJa6xk) which helps describe the type of the sequence value.

So I did the same test with Go code to see if the request created would be different (ignoring all errors):

```go
import (
	"encoding/base64"
	"fmt"
	"io/ioutil"
	"net/http"

	"golang.org/x/crypto/ocsp"
)

// cert and issuing are the *x509.Certificate values for the end-entity
// certificate and its issuer, loaded beforehand.

// Construct an OCSP request from the *x509.Certificate
request, _ := ocsp.CreateRequest(cert, issuing, nil)

// Construct the URL with the base64 encoded request
httpResponse, _ := http.Get(
 fmt.Sprintf("http://127.0.0.1:8889/%s", base64.StdEncoding.EncodeToString(request)),
)

// Read response from body
responseBody, _ := ioutil.ReadAll(httpResponse.Body)

// Parse OCSP response
ocspResponse, _ := ocsp.ParseResponse(responseBody, issuing)

// ocspResponse.Status == ocsp.Good returns true
```

Not sure if I'm missing something here and I could of course create a PR to support serial number passed in HEX format but I don't see the need since neither `openssl` nor the Go library seems to produce that kind of request.

Is this really still an issue? If so, how would I reproduce it?

Comment 5:

@bombsimon seems you don't use it in exactly the same way I do.
I use `cfssl ocspserve` with the database connection instead of the exported file. If you try it with that it should fail in the same way.

Comment 6:

@electrical: I still have no issues with this, the underlying type is the same and since it parsed to a `*big.Int` in the request the `String()` method returns the same format as stored in the database. Remember that you still need to do the refresh since the `ocsp_responses` table isn't populated by default.

Refreshing the OCSP data.

```sh
$ cfssl ocsprefresh \
 -db-config my-config.json \
 -ca my-ca.pem \
 -responder my-ca.pem \
 -responder-key my-ca-key.pem
```

Starting ocspserve with DB access instead of from file.

```sh
$ cfssl ocspserve \
 -port 8889 \
 -ca root-ca.pem \
 -ca-key root-ca-key.pem \
 -config my-config.json \
 -db-config my-db-config.json \
 -loglevel 0

...
2019/04/06 22:22:49 [INFO] Registering OCSP responder handler
2019/04/06 22:22:49 [INFO] Now listening on 127.0.0.1:8889
```

Perform the OpenSSL request.

```sh
$ openssl ocsp \
 -no_nonce \
 -text \
 -issuer root-ca.pem \
 -cert my-cert.pem \
 -CAfile root-ca.pem \
 -respout response.out \
 -reqout request.out \
 -url http://127.0.0.1:8889
```

This gives me the same proper OCSP response with a `good` status and proper dates as posted above. I can also see in the ocspserve logs that the request was processed.

```sh
2019/04/06 22:37:38 [DEBUG] Received OCSP request: MFUwUzBRME8wTTAJBgUrDgMCGgUABBTGemvOE3eCp8dZsJG4gca3A4ERtAQU2d2meKi3KSp8FgMxlaNQyK9qjJUCFEvEGBo6A3wVq3kBk95i+YHTpcOu
```

Use the same request with HTTP.

```sh
$ http http://127.0.0.1:8889/"$(cat request.out | base64)"
HTTP/1.1 200 OK
Cache-Control: max-age=343501, public, no-transform, must-revalidate
Content-Length: 707
Content-Type: application/ocsp-response
Date: Sat, 06 Apr 2019 20:34:58 GMT
Etag: "2FB278A1D5CF3CD7E6F4BEF90BEF1307E1626F07F2BC4C7E52608679EA08C96D"
Expires: Wed, 10 Apr 2019 20:00:00 UTC
Last-Modified: Sat, 06 Apr 2019 20:00:00 UTC



+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+
```

I could help debug and potentially implement required fixes if you provide me with a step-by-step guide of how to reproduce the issue since I'm unable to figure this out myself.

Comment 7:

@bombsimon I will pick this up this week and document all actions and results. Sorry I haven't had the time yet to respond.

Comment 8:

@bombsimon findings so far as I'm running into issues.

Revoking the actual certificate requires the serial number to be the decimal version and the authority_key_id has to be the hex version but lower case and without the `:` in there.
There also seems to be no ability to do this remotely and it has to be done locally on the cfssl instance (which sort of defeats the purpose).

Next when I try to do the `ocsprefresh` command I get the following error:
```
2019/05/01 16:13:12 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
```

Command:
```
cfssl ocsprefresh -db-config /etc/cfssl/config/db-config.json -ca /etc/cfssl/certs/our_intermediate_cert.pem -responder /etc/cfssl/certs/our_ocsp_cert.pem -responder-key /etc/cfssl/certs/our_ocsp_cert-key.pem
```

The ocsp certificate was created/signed with the intermediate cert, as are all our signed certs.

Am I just missing something?

Comment 9:

@bombsimon a friendly ping in case you missed it :-)

Comment 10:

@electrical Sorry, I completely dropped this. As I understand it, this is what you're doing:

* Create a certificate via API or CLI
* Revoke said certificate
 * This is made by using the serial (lowercase hex without `:`) + aki
 * This cannot be made remotely
* Perform `ocsprefresh` -> cannot sign OCSP response

To support case insensitive serials with or without `:` when revoking is probably an easy enhancement but not related to this issue. Afaik it's possible to revoke via the HTTP API but if not I can just confirm the issue, I'll try to see if I can do that. The fact that you cannot sign the OCSP response doesn't sound related to the way serials are stored at all though.

It shouldn't matter if you use a CA created by CFSSL, one you created yourself or if it's an intermediate cert like you are using. For testing purposes I'm using a CA certificate and key generated with [mkcert](https://github.com/FiloSottile/mkcert) for easy testing purposes.

A question though, who signed `our_ocsp_cert.pem` you're using for the OCSP responses? Is it signed by your root CA or the intermediate certificate you're using for CFSSL? Did you sign it with or without CFSSL? Do you get the same result if you're using `our_intermediate_cert.pem` (and its key) as responder?

Comment 11:

@bombsimon no worries. I know we are all busy :-)

The `our_ocsp_cert.pem` has been signed by our intermediate cert using CFSSL.
I haven't tried to replace the ocsp certs with the intermediate cert. I'll give that a try.

Comment 12:

So here are some results for me following the steps I wrote about above.

* Create a certificate via API and perform an OCSP request

```sh
$ openssl ocsp \
 -no_nonce \
 -text \
 -issuer root-ca.pem \
 -cert my-cert.pem \
 -CAfile root-ca.pem \
 -url http://127.0.0.1:8889 | grep 'my-cert'

my-cert.pem: good
```

* Revoke the certificate

As seen it's fully possible to revoke remotely with the HTTP API.

```sh
$ http POST http://127.0.0.1:8888/api/v1/cfssl/revoke \
 serial=748095522558... \
 authority_key_id=d9dda678a8... \
 reason=keycompromise

HTTP/1.1 200 OK
Content-Length: 55
Content-Type: application/json
Date: Thu, 27 Jun 2019 11:57:21 GMT

{
 "errors": [],
 "messages": [],
 "result": {},
 "success": true
}
```

* Refreshing OCSP data (using root CA does not cause error `8100`):

```sh
$ cfssl ocsprefresh \
 -db-config my-config.json \
 -ca my-ca.pem \
 -responder my-ca.pem \
 -responder-key my-ca-key.pem
```

* Performing OCSP request once again after revocation and `ocsprefresh`

```sh
$ openssl ocsp \
 -no_nonce \
 -text \
 -issuer root-ca.pem \
 -cert my-cert.pem \
 -CAfile root-ca.pem \
 -url http://127.0.0.1:8889 | grep 'my-cert'

my-cert.pem: revoked
```

So, regarding using a responder with a certificate issued by CFSSL. This is how I tried to reproduce your error.

* Generate and store a new certificate and key issued by CFSSL

```sh
$ r=$( echo '{"request":{"CN":"Test"}}' | \
 http POST http://127.0.0.1:8888/api/v1/cfssl/newcert); \
 echo $r | jq .result.certificate | \
 sed 's,\\n,\n,g' | sed 's,",,g'> my-ocsp-cert.pem; \
 echo $r | jq .result.private_key | \
 sed 's,\\n,\n,g' | sed 's,",,g'> my-ocsp-key.pem
```

* Perform `ocsprefresh` with these certificates

```sh
$ cfssl ocsprefresh \
 -db-config my-config.json \
 -ca my-ca.pem \
 -responder my-ocsp-cert.pem \
 -responder-key my-ocsp-key.pem && echo $?

0
```

* Performing the OCSP request again after the refresh

```sh
$ openssl ocsp \
 -no_nonce \
 -text \
 -issuer root-ca.pem \
 -cert my-cert.pem \
 -CAfile root-ca.pem \
 -url http://127.0.0.1:8889 | grep 'my-cert'

my-cert.pem: revoked
```

---

So I don't think I'm able to help much more by trying to guess how to reproduce this and I see no problem with certificate serials, revocation APIs, certificate generation, OCSP requests, OCSP refreshing etcetera.

Comment 13:

I am also facing `8100 Certificate not issued by this issuer`. Documented my steps here [#1105](https://github.com/cloudflare/cfssl/issues/1105)
If you could help.

Comment 14:

I'm facing a similar issue.

Right after having generated a certificate, I cannot verify it using openssl.

Here is what I do:

```
# Generate a new certificate remotely:
cfssl gencert -config client-config.json csr.json | cfssljson -bare my-cert

# Check it:
openssl ocsp -no_nonce -text -issuer ca.crt -cert my-cert.pem -CAfile cert-bundle.crt -url http://my-server/ocsp/
```

The output of the last command is:
```
OCSP Request Data:
 Version: 1 (0x0)
 Requestor List:
 Certificate ID:
 Hash Algorithm: sha1
 Issuer Name Hash: FAD74B83B4F73E06394E4829AC676CAE193997A4
 Issuer Key Hash: B50D61F06271BD42ED7C4FD1A7334C832B79A167
 Serial Number: 765E60D2836B98C3B610DB32AD24C5A11238EE8C
Responder Error: unauthorized (6)
```

I've created my root and intermediate ca using another tool (neither mkcert, nor cfssl).

I'm also using a reverse-proxy between the client and cfssl ocspserve server, that's why the URL ends with /ocsp/.

Somehow I feel the issue could be linked to the way I have created the issuing certificate (ca.crt).
It lacks OCSP extension and maybe it's required.

```
openssl x509 -in ca.crt -text
[...]
 X509v3 extensions:
 X509v3 Key Usage: critical
 Certificate Sign, CRL Sign
 X509v3 Basic Constraints: critical
 CA:TRUE, pathlen:0
 X509v3 Subject Key Identifier:
 38:2F:45:47:2D:1B:FE:57:73:10:46:55:DF:C0:EB:F9:AC:5E:65:10
 X509v3 Authority Key Identifier:
 keyid:3D:28:29:6D:C0:E5:9B:BF:88:EA:E8:84:A4:AF:D2:E4:77:16:7C:60
[...]
```

I didn't even try to revoke it given that I cannot even check it when it isn't.

EDIT:
When generating OCSP response file:
`cfssl ocspdump -db-config db-config.json -ca ca.crt -responder ocsp.crt -responder-key ocsp.key > ocsp.response`
Then OCSP serve using the response file:
`cfssl ocspserve -port=8890 -responses=ocsp.response`
And checking against that, it works:
```
openssl ocsp -no_nonce -issuer ca.crt -cert my-cert.pem -CAfile cert-bundle.crt -url http://127.0.0.1:8890/
Response verify OK
my-cert.pem: good
 This Update: Jan 5 17:00:00 2021 GMT
 Next Update: Jan 9 17:00:00 2021 GMT
```
So the problem now seems to come from the cfssl ocspserve with -db-config.
For the record, I'm using a postgres certdb.

Comment 15:

@electrical :
Were you able to get past this issue? i.e.

`[CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}`

I am stuck at the same place. After revoking the certificate, when I try to ocsprefresh it fails with the same error.

```
2021/11/03 23:55:27 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
```

I will be grateful if you could share your approach.

Thanks,
Arpan

Comment 16:

I spent quite a few hours to solve this. Tried various permutations and combinations and the following two work for me.

Noticing that many of us have faced this, sharing the commands which worked for me for ocsprefresh.

`cfssl ocsprefresh -db-config sqlite_db.json -ca server/server.pem -responder server/server.pem -responder-key server/server-key.pem`

`cfssl ocsprefresh -db-config sqlite_db.json -ca server/server.pem -responder ocsp/ocsp.pem -responder-key ocsp/ocsp-key.pem`

Comment 17:

@superbob I have the same issue, I created the CA and Intermediate using Hashicorp Vault, and the ocsp using database can't validate, the problem is with **issuerKeyHash**, in my case, that value is not equal to **AKI (Authority Key Identifier)**. If I use CA and Intermediate created by cfssl, it works like a charm; somehow, CA and Intermediate created by other tools (in my case with Vault) can't be used with database.

Here my AKI is: e90f44315310efc1453503f561a70ff6df81f4f0
But the issuer key hash is: 25C5F53C318A1E590F627720215EBB484E153235

When a certificate is created by cfssl it stores the serial number as a Decimal entry while the serial number is stored as hex in the cert itself. When...

Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.8.0 to 1.8.1. Release notes Sourced from github.com/go-sql-driver/mysql's releases. v1.8.1 What's Changed Bugfixes: fix race condition when context is canceled in #1562 and #1570 Full Changelog: https://github.com/go-sql-driver/mysql/compare/v1.8.0...v1.8.1...

dependencies
go

undefined: strings.CutPrefix

Comment 1:

Anyone has an answer for this issue? I did reinstall the go 1.20 version.

Comment 2:

The problem is when I try to build an image of my app to extract some metrics, and this happened in the build binary step:
![image](https://github.com/cloudflare/cfssl/assets/163991278/5337c4c0-c084-49c3-9a5c-b4c3721b817e)

So I think in your Dockerfile you need to change the golang image version:
![37cbf756c82f6971303e](https://github.com/cloudflare/cfssl/assets/163991278/68697a26-94f0-4e65-b43d-9ca5a2972286)
and you may need to change your system go version to >= 1.20
![image](https://github.com/cloudflare/cfssl/assets/163991278/2ae8ff0a-e387-4786-9796-5337c2b06b78)
by doing:
Go to this link: https://go.dev/dl/
scroll down and you will see:
![image](https://github.com/cloudflare/cfssl/assets/163991278/cbed81f5-0c50-49fa-b24a-1b9372549d80)
click on that, scroll down to 1.20
![image](https://github.com/cloudflare/cfssl/assets/163991278/411c8816-0680-4cc3-bf17-e22603edc1a9)
- cd Downloads
- sudo tar -C /usr/local -xzf go1.20.linux-amd64.tar.gz
- vim .zshrc
- and add this line to .zshrc: export PATH=$PATH:/usr/local/go/bin
![image](https://github.com/cloudflare/cfssl/assets/163991278/1356863e-0c05-412b-91f6-a883f09a190a)
- source .zshrc
- go version

After that you may need to restart vscode or the computer so that VS Code can re-detect the new go version
![image](https://github.com/cloudflare/cfssl/assets/163991278/c40b8319-619d-4fcb-8f89-6a918024fcd5)

and then I can build the image
![image](https://github.com/cloudflare/cfssl/assets/163991278/e10b8b2b-e48e-4fdb-b639-75be28413e24)

Comment 3:

You may not need to change the system go version; you only need to change one line in the Dockerfile to 1.20.

When I executed the install command an error was returned, but my go version was greater than the required 1.18. - Installation command ` go install github.com/cloudflare/cfssl/cmd/...@latest` - Error message...

Fix: https://github.com/cloudflare/cfssl/issues/1064 ## Motivation Today, I attempted to use cfssl to generate my certificate and key, with a validity period of 5 minutes, and then setup that to my program,...

Name Constraints

Comment 1:

It's definitely possible to do this, but I'm pretty sure not directly through cfssl, since the Go x509 APIs do not support NameConstraints AFAICT. You would need to re-sign the CA certificate using OpenSSL.

You should also be aware that browsers differ on whether they honor NameConstraints in a trust anchor. I believe most of them only honor NameConstraints in an intermediate. So, to generate your own trust chain that is truly name constrained, you would need to generate a self-signed root, sign a name constrained intermediate, then delete the root key, import the self-signed root into the relevant trust stores, and do all your signing with the intermediate. Disadvantage: all relying parties have to simply trust that you really did delete the private key corresponding to the unconstrained root.

Comment 2:

As per [this test](https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only/31382#31382), most clients actually do honour it in trust root (except, apparently, many on MacOS).

Also even if it only works on intermediates, that is an important use-case too (e.g. project- or department-specific intermediates restricted to appropriate subdomain).

Comment 3:

Support for name constraints was added to the x509 package https://golang.org/pkg/crypto/x509/#Certificate.PermittedDNSDomains

Comment 4:

Is there any news on if and how to use name constraints with cfssl?

Comment 5:

+1 Wanting to move away from using the openssl CLI to manage my pki and this is the only real roadblock I've run into.

@reg0bs There's a PR by @rpoisel #1247 which seems complete albeit old. Maybe @nickysemenza could have a look?

Comment 6:

I am researching tools for generating an internal CA for my homelab and was quite surprised CFSSL does not support [Name Constraints](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10) yet. Are there any plans for this feature?

I can't seem to find anywhere an example of setting X509 name constraints on a CA cert. Is it possible to do this?

Is there an option to enable HSTS on the cfssl serve command? Strict-Transport-Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) HTTP response header. Kind regards

Error when using multirootca with sqlite db

Comment 1:

> Hi,
>
> I'm using multirootca with the sqlite backend. With the latest release 1.6.4 on Debian amd64 I'm getting this error:
>
> `"Binary was compiled with 'CGO_ENABLED=0', go-sqlite3 requires cgo to work. This is a stub"`
>
> The issue seems to be related to [c383f2a](https://github.com/cloudflare/cfssl/commit/c383f2add921c88a23f39d292a8336900bea5e44) and appears to be mentioned here: [#1259 (comment)](https://github.com/cloudflare/cfssl/pull/1259#issuecomment-1330946563)
>
> Would it be possible to look into that?
>
> Thanks!

Ditto.

Hi, I'm using multirootca with the sqlite backend. With the latest release 1.6.4 on Debian amd64 I'm getting this error: `"Binary was compiled with 'CGO_ENABLED=0', go-sqlite3 requires cgo to work....

The CA cert's SAN extensions do not include DNSName.

Comment:

Similar issue here, I can't find the `X509v3 Subject Alternative Name` section in my certificate.

`ca-config.json`

```json
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "87600h",
                "usages": [
                    "digital signature",
                    "key encipherment",
                    "cert sign"
                ]
            }
        }
    }
}
```

`ca-csr.json`

```json
{
    "CN": "TEST",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "SAN": [
        "SAN_TEST1",
        "SAN_TEST2"
    ],
    "hosts": [
        "SAN_TEST1",
        "SAN_TEST2"
    ]
}
```

```sh
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
openssl x509 -in ca.crt -text -noout
```

`output`

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:4f:94:20:de:60:19:3c:4b:50:11:5a:65:9c:0c:a0:9f:02:57:9c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = TEST
        Validity
            Not Before: Apr 16 15:49:00 2023 GMT
            Not After : Apr 14 15:49:00 2028 GMT
        Subject: CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9f:fb:06:87:83:0a:75:a9:4a:1d:f9:2c:e8:29:
                    d9:76:06:a9:c5:ce:b1:47:3b:c4:76:62:60:03:79:
                    5f:44:51:b6:dc:36:27:f2:c0:a5:c1:3e:30:6c:8c:
                    79:03:a4:e1:14:4d:0d:e3:4e:d8:08:b8:f1:73:47:
                    f6:85:aa:19:3e:a6:74:d7:c8:48:b6:70:46:7a:82:
                    3c:67:5a:2f:9f:67:52:2e:d6:86:36:dd:4f:4a:f3:
                    12:55:77:ee:e1:85:66:8b:d0:f4:6e:71:e0:fe:5e:
                    f8:85:ad:3d:f4:92:15:6d:56:f7:af:c1:4f:83:46:
                    6d:70:4e:f2:14:83:5a:b0:a3:bf:a4:2a:04:53:8b:
                    c8:f0:b2:c0:7f:a1:00:3b:c7:da:6b:72:89:a6:b2:
                    7b:49:1f:ee:ea:41:1d:d3:93:fd:fb:b2:8e:7d:5c:
                    20:0e:7d:d5:bb:dc:98:05:be:c2:19:67:3e:64:d4:
                    ed:0a:94:df:96:7a:f6:b2:1e:12:53:b7:22:40:ea:
                    bf:a6:4c:bf:b4:e6:f7:ee:a5:7c:39:78:59:65:e0:
                    55:23:9a:be:18:19:bf:32:85:46:8e:e4:3c:27:44:
                    e7:5c:38:b7:0f:19:de:f6:ec:94:4c:1f:42:b2:93:
                    2e:c7:79:23:f9:1b:27:73:72:a4:68:d4:17:a5:1e:
                    b5:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                28:60:02:83:B1:6C:A0:1C:BE:11:FD:68:51:D5:77:CC:37:75:87:71

            --------------------
            I'm expecting

            X509v3 Subject Alternative Name:
                DNS:SAN_TEST1
                DNS:SAN_TEST2

            but nothing is here
            ---------------------

    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        05:fd:d9:42:a8:7f:70:39:c4:b8:bc:b7:3b:8a:37:e5:17:4c:
        5d:a2:39:62:3b:16:e0:4f:3b:95:43:06:5e:74:7b:85:90:da:
        d2:fc:cc:7a:a6:bb:e4:ab:6b:40:4a:43:51:f0:04:fb:24:38:
        a8:a7:46:eb:6a:f3:ef:f0:58:d5:0d:e4:8d:38:7a:2e:f8:41:
        a8:bc:99:9f:e0:c7:74:91:c0:ff:0d:11:07:0c:82:34:65:e7:
        4b:92:12:fe:24:0e:cd:28:9c:49:7c:22:6f:e2:ea:33:8d:12:
        a5:76:65:97:54:7d:30:68:bc:c6:eb:f4:f9:68:4a:ec:bb:39:
        33:93:3c:ae:1f:f9:35:cc:2b:ac:ca:68:8e:56:79:b8:9c:f3:
        3b:b2:da:49:cd:79:8a:08:63:17:24:9c:fe:bc:f6:1d:8a:32:
        fc:fa:50:4f:fc:b8:97:eb:81:49:82:7f:f9:1a:cd:d9:2d:9d:
        72:b5:22:9d:af:2c:81:86:55:bf:4b:1e:f9:be:3e:26:43:0e:
        4a:00:af:f9:14:1b:21:f7:03:7f:d8:7c:e7:68:ec:06:e2:18:
        ec:e8:d7:74:17:3c:0f:ac:2e:5d:3a:e5:85:95:54:ee:37:8a:
        33:8b:e9:84:9b:26:ac:f9:97:0a:68:b6:3e:a3:63:27:46:77:
        f7:02:c1:9a
```

Comment:

I got exactly the same issue, any updates please?

Comment:

> I got exactly the same issue, any updates please?

I can't quite remember if using [certigo](https://github.com/square/certigo) allowed me to see this, you can try it out @Smana

Comment:

Hi @shellwhale, thank you for your answer, but I managed to do what I want with openssl [here](https://github.com/Smana/demo-cloud-native-ref/tree/main/terraform/vault#%F0%9F%94%91-public-key-infrastructure-pki-requirements).

Comment:

Wonderful guide for setting up Vault with TLS; it's been quite a nightmare trying to get those certificates. Thanks @Smana

I use cfssl to sign an intermediate CA. The intermediate-ca.json has a **"hosts"** config: ```json { "CN": "Custom Widgets Intermediate CA", "hosts": [ "host1.custom-widgets.com", "localhost", "192.168.1.3" ], "key": { "algo": "rsa", "size":...

ocsprefresh 8100 Certificate not issued by this issuer

Comment:

Hello, it seems that the OCSP certificate you are creating is not signed by the intermediate CA:

`cfssl gencert -ca=server/server.pem -ca-key=server/server-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp`

...should be something like:

`cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp`

HTH

Comment:

> cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp

I generated a new certificate for ocsp, but still get `8100` Certificate not issued by this issuer

```
root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca intermediateCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/28 19:08:41 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
```

and same for `rootCA.pem`

```
root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca rootCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
2020/04/28 19:12:00 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
```

Comment:

> > cfssl gencert -ca=intermediateCA/intermediateCA.pem -ca-key=intermediateCA/intermediateCA-key.pem -config=config.json -profile="ocsp" ocsp.csr.json |cfssljson -bare ocsp/ocsp
>
> I generated a new certificate for ocsp, but still get `8100` Certificate not issued by this issuer
>
> ```
> root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca intermediateCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
> 2020/04/28 19:08:41 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
> {"code":8100,"message":"Certificate not issued by this issuer"}
> ```
>
> and same for `rootCA.pem`
>
> ```
> root@cfssl-7dd777fd46-v5rq2:/# cfssl ocsprefresh -db-config /config/db-connect.json -ca rootCA.pem -responder /cert/ocsp.pem -responder-key /cert/ocsp-key.pem
> 2020/04/28 19:12:00 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
> {"code":8100,"message":"Certificate not issued by this issuer"}
> ```

I got the same error.

Comment:

I too am encountering this error and hope it's just an oversight on my part.

```
cfssl version
Version: dev
Runtime: go1.14.6
```

I created my ocsp cert and keys with the following:

`cfssl gencert -db-config /demo/cfssl/db-pg.json -ca /demo/certs/intermediate.pem -ca-key /demo/certs/intermediate-key.pem -config /demo/cfssl/config_ca.json -profile="ocsp" ocsp.csr.json|cfssljson -bare server-ocsp -`

```
2020/08/05 00:35:17 [INFO] generate received request
2020/08/05 00:35:17 [INFO] received CSR
2020/08/05 00:35:17 [INFO] generating key: rsa-2048
2020/08/05 00:35:17 [INFO] encoded CSR
2020/08/05 00:35:17 [INFO] signed certificate with serial number 62732961794845646156039024224657849033563651957
2020/08/05 00:35:17 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
```

Then I attempt ocsprefresh with:

`cfssl ocsprefresh -db-config /demo/cfssl/db-pg.json -ca /demo/certs/intermediate.pem -responder /demo/ocsp/server-ocsp.pem -responder-key /demo/ocsp/server-ocsp-key.pem`

```
2020/08/05 00:35:46 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
```

If I look at the ocsp cert with certinfo, I see the issuer is indeed the intermediate that I expect.

Some other things about my setup, in case it helps:

- using Postgres 11.6
- CFSSL 1.4
- Go 1.14.6

cfssl-ocsp systemd:

```
[Unit]
Description=CloudflareSSL OCSP Responder
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=5
User=demouser
ExecStart=/demo/go/bin/cfssl ocspserve -address=0.0.0.0 -port=8889 -db-config=/demo/cfssl/db-pg.json -loglevel=0 -ca-key=/demo/certs/intermediate-key.pem -ca=/demo/certs/intermediate.pem -config=/demo/certs/config_ca.json -responder=/demo/ocsp/server-ocsp.pem -responder-key=/demo/ocsp/server-ocsp-key.pem

[Install]
WantedBy=multi-user.target
```

What did I miss here?

Comment:

Hi All, @Roydon @crungruang @bubbleatgit @jmhodges

Were you able to get past this?
I am also stuck at the same thing.

```
2021/11/03 22:11:09 [CRITICAL] Unable to sign OCSP response: {"code":8100,"message":"Certificate not issued by this issuer"}
{"code":8100,"message":"Certificate not issued by this issuer"}
```

Not duplicating the steps, but they are the same as mentioned on this git issue.

Thank you,
Arpan

Comment:

Hi,
It appears cfssl serving OCSP information from the database supports only a single responder certificate, as signed by the ocsprefresh command. This implies all certificates in the database must be issued by the same CA that issued the specified responder certificate.

Storing any other certificate, such as the intermediate certificate, in the database and performing a cfssl ocsprefresh will result in the {"code":8100,"message":"Certificate not issued by this issuer"} error, as the intermediate certificate is issued by the root or higher-level CA, which did not issue the OCSP signing certificate specified in the ocsprefresh command.

Use separate databases for each CA/sub-CA for storing issued certificates. Run separate ocspserve instances for each database. Update the configuration to reflect the unique OCSP URL endpoint for each CA/sub-CA's issued certificates.

I set up cfssl following [part1](https://propellered.com/posts/cfssl_setting_up/), [part2](https://propellered.com/posts/cfssl_setting_up_ocsp_api/) & [part3](https://propellered.com/posts/cfssl_revoking_certs_ocsp_reponder/). Here is every command I use: root@2e4741a2f4dc:/certs# cfssl genkey -initca rootCA.csr.json |cfssljson -bare rootCA/rootCA 2020/04/25 12:41:20 [INFO] generate received request 2020/04/25...