OCSP stapling with certificate servers behind CloudFlare

Warning: This page is a part of an archive now and will be removed in the future.

OCSP stapling provides the ability for server administrators to declare their certificates as valid without sending request to a certificate hoster of the issuer. Unfortunately there are some traps in creating an OCSP responder, espacially it is protected by CloudFlare.

In general it is an easy command within OpenSSL to create an OCSP responder, which can be used by the web server to determine the validation of a SSL certificate:
openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer issuer.crt -cert domain.crt -url [url]http://ocsp2.globalsign.com/gsalphasha2g2[/url]

The issuer.crt is the certificate of the issuer, in my case AlphaSSL, and the domain.crt is the certificate for my domain.
By using the command there should be created a file called ocsp.resp, which contains the information about the validation of the SSL certificate and which can by used by the web server.

The URL, called “OCSP URI” can be identified by using the following command:
openssl x509 -in domain.crt -text | grep "OCSP - URI:" | cut -d: -f2,3

However, the command may fail and thus does not display any information about the OCSP URI. In this case just search in the internet (search term: OCSP URI <CERTIFICATE-ISSUER>).

Whenever I tried the first command of this article I received the following error message:
Error querying OCSP responsder
140400807491240:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden
A HTTP status code 403 is not good and even if I test the URL in the browser I just get the following message: “An error occured during the request handling!!” Not better at all.

After multiple searches and a long time I found a solution, finally:
The certificate server of AlphaSSL is protected by CloudFlare and thus the real IP address of the server is not known. The problem is that OpenSSL tries to resolve the domain name to its IP address. So it receives the IP address from a CloudFlare server and tries to accesses the directory /gsalphasha2g2. Of course this directory does not exist and thus you receive a 403 - Forbidden status code by the CloudFlare server.
To change this behavior you have to send the parameter -header within the OpenSSL command. The header we want to send is the header “HOST”.

The final command looks like this:
openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer issuer.crt -cert domain.crt -url [url]http://ocsp2.globalsign.com/gsalphasha2g2[/url] -header "HOST" "ocsp2.globalsign.com"

The correct answer of the command would be something like this:
domain.crt: good
This Update: Feb 25 09:32:45 2015 GMT
Next Update: Feb 25 21:32:45 2015 GMT
The ocsp.resp was generated and I was able to use it in my web server.
About the Author
Ich bin Webentwickler in Stuttgart und administriere Server seit vielen Jahren. In diesem Blog erstelle ich hauptsächlich Tutorials für andere Webentwickler, Webdesigner und Serveradministratoren.
I’m a web developer in Stuttgart, Germany, and server administrator since many years. This blog mainly contains a tutorial set for other web developer, web designer and server administrators.

1,148 times read

Comments 5

  • EfraimPC -

    This actually worked :) thanks

    OpenSSL> ocsp -issuer ac2_4096.crt -url cfdit.sat.gob.mx/edofiel -text -cert GAMA600504JP1.cer.pem -VAfile delegadoOCSP_AC_4096.crt -header 'HOST' 'cfdit.sat.gob.mx'

  • Black Rider -

    I think you should use the delegadoOCSP_AC_4096.crt file as issuer. You don't need do convert anything as far as I know.

  • EfraimPC -

    Thank you Black Rider, My OpenSSL version just needed an update.

    I'm using the following command:

    OpenSSL> ocsp -issuer GAMA600504JP1.pem -cert delegadoOCSP_AC_4096.pem -resp_text -respout respuesta.txt -url cfdit.sat.gob.mx/edofie
    l -CAfile ac2_4096.pem -text -header "HOST" "c

    OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
    Certificate ID:
    Hash Algorithm: sha1
    Issuer Name Hash: D2F2C823204E31BDBBD3ACFE5EB133CA912FE16C
    Issuer Key Hash: 43A5A9981F086C01017EED5D89EA33D8B115430E
    Serial Number: 3535353535353939393939383030303030303434
    Request Extensions:
    OCSP Nonce:

    I'm getting the next response from ocsp:

    Responder Error: trylater (3)

    Here in Mexico there's a Certifying Authority called "SAT" who has a Root Certification Authority called "Banco de Mexico" and there's the end-user who has an electronic signature (.cer and .key files) provided by "SAT"

    What I need to do it's to check if the end-user's electronic signature (.cer file) status its ok or revoked using ocsp.

    I have the following files:

    (Root Certification Authority "Banco de Mexico" files)

    (Certifying Authority "SAT" files)

    (End-User electronic signature files .cer .key)

    I converted all the .cer files in PEM format but im not sure if this is correct.

    Also Im not sure who is the -issuer , who's file must be the -cert file or the -CAfile. Can you help me?

  • Black Rider -

    Is it possible that you didn’t configure openssl properly during installation and missed the headers feature?

  • EfraimPC -

    how can you use the -header option ? my openssl doesnt recognize it.

This site uses cookies. By continuing to browse this site, you are agreeing to our Cookie Policy.