OCSP stapling with certificate server behind CloudFlare

OCSP stapling lets a web server deliver, during the TLS handshake, a signed and time-limited statement from the CA that its certificate has not been revoked, so clients do not have to contact the issuer's OCSP responder themselves. Unfortunately there are some traps in fetching that response from an OCSP responder, especially when the responder is protected by CloudFlare.

In general a single OpenSSL command queries the OCSP responder and saves the response that the web server later staples to prove the validity of its SSL certificate:
openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer issuer.crt -cert domain.crt -url http://ocsp2.globalsign.com/gsalphasha2g2

The issuer.crt is the certificate of the issuer, in my case AlphaSSL, and domain.crt is the certificate for my domain.
The command should create a file called ocsp.resp, which contains the signed revocation status of the SSL certificate and which can be used by the web server.

The URL, the so-called “OCSP URI”, can be read out of the certificate with the following command:
openssl x509 -in domain.crt -text | grep "OCSP - URI:" | cut -d: -f2,3

However, the command may fail and then displays nothing about the OCSP URI. In that case just search the web for it (search term: OCSP URI <CERTIFICATE-ISSUER>).

Whenever I ran the first command of this article I received the following error message:

Error querying OCSP responsder
140400807491240:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden

An HTTP status code 403 is not good, and when I open the URL in the browser I only get the following message: “An error occurred during the request handling!!” No better at all.

After multiple searches and a long time I finally found a solution:
The certificate server of AlphaSSL sits behind CloudFlare, so the real IP address of the server is not known. OpenSSL resolves the domain name to an IP address, receives the address of a CloudFlare edge server and requests the path /gsalphasha2g2 from it without telling it which site is meant. For the CloudFlare server that path does not exist, and so it answers with a 403 Forbidden status code.
To change this behavior you have to pass the -header parameter to the OpenSSL command. The header we want to send is the “HOST” header, so that CloudFlare can route the request to the real OCSP responder.

The final command looks like this:
openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer issuer.crt -cert domain.crt -url http://ocsp2.globalsign.com/gsalphasha2g2 -header "HOST" "ocsp2.globalsign.com"

The correct output of the command looks something like this:

domain.crt: good
This Update: Feb 25 09:32:45 2015 GMT
Next Update: Feb 25 21:32:45 2015 GMT

The ocsp.resp file was generated and I was able to use it in my web server.
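The whole procedure above (read the OCSP URI out of the certificate, derive the Host header from it, fetch the response) as a small POSIX shell script. This is an added example, not code from the original post. It assumes only the openssl binary on PATH; the function names are my own. It reads the URI with the -ocsp_uri switch of openssl x509 instead of the grep/cut pipeline, and it picks the -header syntax by OpenSSL version, because OpenSSL 1.0.x takes "-header name value" (the form used in the post) while OpenSSL 1.1.0 and later take "-header name=value". When a chain file is given it verifies the responder's signature with -CAfile instead of -noverify, so a tampered response is not stapled unchecked.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumes only openssl on PATH.
# fetch_staple CERT ISSUER OUT [CHAIN] repeats the post's procedure end to end.

# OCSP responder URL from the certificate's Authority Information Access field
# (the same value the post's grep/cut pipeline extracts, via openssl's own switch).
ocsp_uri_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Host part of an http(s) URL, keeping an explicit port: the Host header value.
ocsp_host_from_url() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|/.*$||'
}

# OpenSSL 1.0.x takes "-header name value" (the post's form); OpenSSL 1.1.0 and
# later take "-header name=value". $2 is the text printed by `openssl version`.
header_args() {
    host=$1
    version=$2
    case "$version" in
        "OpenSSL 0."*|"OpenSSL 1.0."*) printf '%s\n' "-header Host $host" ;;
        *)                             printf '%s\n' "-header Host=$host" ;;
    esac
}

# Fetch the OCSP response for CERT (issued by ISSUER) into OUT. With CHAIN (a PEM
# file holding issuer and root) the responder's signature is verified via -CAfile;
# without it -noverify is used as in the post, which staples whatever came back.
fetch_staple() {
    cert=$1
    issuer=$2
    out=$3
    chain=${4:-}
    uri=$(ocsp_uri_from_cert "$cert") || return 1
    if [ -z "$uri" ]; then
        echo "no OCSP URI in $cert" >&2
        return 1
    fi
    host=$(ocsp_host_from_url "$uri")
    if [ -n "$chain" ]; then
        verify="-CAfile $chain"
    else
        verify="-noverify"
    fi
    # word-split the header arguments on purpose (host names contain no spaces)
    set -- $(header_args "$host" "$(openssl version)")
    openssl ocsp $verify -no_nonce -issuer "$issuer" -cert "$cert" \
        -url "$uri" "$@" -respout "$out"
}

# Print the validity window of a saved response, so a cron job can refresh
# the staple before "Next Update" passes.
staple_window() {
    openssl ocsp -respin "$1" -text -noverify 2>/dev/null | grep -E 'This Update|Next Update'
}

# Usage: sh fetch_staple.sh domain.crt issuer.crt ocsp.resp [chain.pem]
if [ "$#" -ge 3 ]; then
    fetch_staple "$@" && staple_window "$3"
fi
```

The sample output in the post shows a "Next Update" only twelve hours after "This Update", so the fetch has to be repeated from cron well inside that window or clients will see an expired staple. Once the web server serves the file, the staple can be checked from outside with openssl s_client -connect www.example.com:443 -status, whose output should contain "OCSP Response Status: successful".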
