Comments (7)
Thank you for your reply and detailed guidance. I will follow your method to find the problem.
If there are any problems or results, I will reply to you. Thank you again for your detailed answer!
from django-ca.
Hi @PIKACHUIM ,
Thanks for your report! I'll look into it right away.
But just to be sure: do you really have a need for this feature - if you configure CA_DEFAULT_HOSTNAME, there is no need to actually configure these - django-ca will provide fine default values.
In any case, can you also give me
- The Python version you're using.
- The django-ca version you're using.
- How you have set up your CA (from source? as Django app? ...)
kr, Mat
from django-ca.
Thank you for your patient reply!
For these reasons, I would like to use a custom OCSP service:
- I would like to customize the URL path for OCSP services
- I found that the URL paths for OCSP set by the default CA look like this:

```
ca/ issuer/<hex:serial>.der [name='issuer']
ca/ ocsp/<hex:serial>/cert/ [name='ocsp-cert-post']
ca/ ocsp/<hex:serial>/cert/<base64:data> [name='ocsp-cert-get']
ca/ ocsp/<hex:serial>/ca/ [name='ocsp-ca-post']
ca/ ocsp/<hex:serial>/ca/<base64:data> [name='ocsp-ca-get']
ca/ crl/<hex:serial>/ [name='crl']
ca/ crl/ca/<hex:serial>/ [name='ca-crl']
```
I will use NGINX to reverse proxy each CA address, I don't know how to set it up.
I need each different CA to have a dedicated OCSP URL.
Information provided:
- Python version: 3.12
- Package versions: Django==5.0.1, django-ca==1.27.0, django-object-actions==4.2.0
- CA setup: Django app
By the way, what is the mechanism for OCSP to return certificate status judgment
Our certification authority has the following structure:
I imported all the certificates and manually set up three OCSP servers, but only the first OCSP returned Good, while the rest returned Unknown.
Thank you for your help. If you need any further information, I will provide it.
from django-ca.
Hi @PIKACHUIM,
I tried to reproduce the issue, but failed. From what I can tell, it works as it should. First, let me answer that question of yours:
> By the way, what is the mechanism for OCSP to return certificate status judgment

The certificate has a `revoked` flag; if it is set, the certificate is considered revoked. You can set it using `manage.py revoke` or via the admin interface.

But to find the certificate (you get an `unknown` cert response) a few things need to fall into place. Hopefully by going through them one-by-one, you can find the issue:

- The key specifies the URL path to use for OCSP requests. In your case `/django_ca/ocsp/RSA8192/`, `/django_ca/ocsp/RSA4096/` and so on. It's a free-form key, so it really can be (almost) anything.
- If the `ca` key is not set, the key is also used to identify the CA. You set `ca`, so the key is not used to identify the CA and has no principal relation to the CA (so you could use `"RSA4019": {"ca": "ECCP521"}`, if you wanted).
- During the request, the `ca` key is used to identify the CA that has signed the certificate.
- The serial encoded in the OCSP request identifies the certificate of interest.
- Look up the CA based on the `ca` key (it looks up some CA at least, in your case).
- Look up the certificate based on the CA and the serial number (this way certs for different CAs could have the same serial).

So in your case I would check:

- Does the `ca` key in your configuration identify the correct CA?
- Do the imported certificates link to the correct CA?
- Are you really using the correct URL path for making requests?
- Since you mention an NGINX proxy, does the proxy work correctly, and does django-ca get the right request?

You can check point 2 easily with the `manage.py list_certs --ca=<serial>` command or in the admin interface.
kr, Mat
from django-ca.
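To make the lookup order described in the comment above concrete, here is an added illustration (not django-ca's own code) that models the resolution chain with plain dictionaries: URL key, then the configuration entry, then its `ca` value, then the `(CA, serial)` pair that selects the certificate, and finally the `revoked` flag. All keys, CA serials and certificate serials are constructed sample values, and the real OCSP request (which carries issuer hashes as well as the serial) is simplified to just the serial. The `diagnose()` helper is hypothetical and reports which step of the chain fails, which is the checklist in the comment expressed as code.

```python
"""Model of how a per-CA OCSP responder resolves a request to a status.

Added illustration, not django-ca's own code. Mirrors the chain described in
the thread: URL key -> config entry -> `ca` key -> CA -> (CA, serial) ->
certificate -> `revoked` flag. Everything below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Cert:
    serial: str
    issuer_serial: str        # serial of the CA that signed this certificate
    revoked: bool = False


# Constructed set of known CAs, identified by serial (as django-ca does).
CAS = {"AA:11", "BB:22", "CC:33"}

# Constructed CA_OCSP_URLS-style configuration. The dict key is only the URL
# path segment; the "ca" value is what actually selects the signing CA.
# An entry without "ca" falls back to using its key as the CA identifier.
CA_OCSP_URLS = {
    "RSA8192": {"ca": "AA:11"},
    "RSA4096": {"ca": "BB:22"},
    "ECCP521": {"ca": "AA:11"},   # deliberately mis-pointed (see diagnose)
    "CC:33": {},                  # no "ca" key: key doubles as CA serial
    "orphan": {"ca": "ZZ:99"},    # "ca" names a CA that does not exist
}

# Constructed certificate store keyed by (CA serial, certificate serial).
# Two certificates share serial "01" under different CAs, which is why the
# CA must be resolved before the serial is looked up.
CERTS = {
    ("AA:11", "01"): Cert("01", "AA:11"),
    ("BB:22", "01"): Cert("01", "BB:22"),
    ("BB:22", "02"): Cert("02", "BB:22", revoked=True),
    ("CC:33", "05"): Cert("05", "CC:33"),
}


def diagnose(url_key: str, serial: str) -> str:
    """Return which step of the resolution chain fails, or 'ok'."""
    entry = CA_OCSP_URLS.get(url_key)
    if entry is None:
        return "no-config-entry"          # wrong URL path (or proxy rewrote it)
    ca_serial = entry.get("ca", url_key)  # `ca` key wins; else the URL key
    if ca_serial not in CAS:
        return "no-such-ca"               # `ca` value names an unknown CA
    if (ca_serial, serial) not in CERTS:
        return "no-cert-under-ca"         # cert absent, or linked to another CA
    return "ok"


def ocsp_status(url_key: str, serial: str) -> str:
    """Return the OCSP CertStatus a responder would give: good/revoked/unknown."""
    if diagnose(url_key, serial) != "ok":
        return "unknown"
    ca_serial = CA_OCSP_URLS[url_key].get("ca", url_key)
    cert = CERTS[(ca_serial, serial)]
    return "revoked" if cert.revoked else "good"


if __name__ == "__main__":
    for key, serial in [("RSA8192", "01"), ("RSA4096", "01"), ("RSA4096", "02"),
                        ("ECCP521", "05"), ("CC:33", "05"), ("orphan", "01")]:
        print(f"{key:8} serial={serial}: {ocsp_status(key, serial):8} "
              f"({diagnose(key, serial)})")
```

The `ECCP521` case is the failure mode from the thread: the certificate with serial `05` exists, but the entry's `ca` value points at a different CA, so the `(CA, serial)` lookup misses and the responder answers `unknown` rather than `good`. Running `diagnose()` before `ocsp_status()` tells you which of the four checks in the comment is the one to fix.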
When trying to reproduce the issue, I initialized the project using `dev.py init-demo` (which also creates OCSP certs), then ran `manage.py runserver`, with the following configuration:
```python
CA_OCSP_URLS = {
    "root": {
        "ca": "...",
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
        "expires": 3600,
    },
    "ed448": {
        "ca": "...",
        "expires": 3600,
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
    },
    "ed25519": {
        "ca": "...",
        "expires": 3600,
        "responder_key": "/home/.../django-ca/ca/files/ocsp/....key",
        "responder_cert": "/home/.../django-ca/ca/files/ocsp/....pem",
    },
}
```
I then ran the following OCSP requests using the `openssl` shell:

```
$ openssl ocsp -CAfile ca/files/root.pub -issuer ca/files/root.pub -cert ca/files/root-cert.pub -url http://localhost:8000/django_ca/ocsp/root/ -resp_text
...
Response verify OK
ca/files/root-cert.pub: good
	This Update: Jan 27 09:15:10 2024 GMT
	Next Update: Jan 27 10:15:10 2024 GMT
$ openssl ocsp -CAfile ca/files/ed448.pub -issuer ca/files/ed448.pub -cert ca/files/ed448-cert.pub -url http://localhost:8000/django_ca/ocsp/ed448/ -resp_text
...
Response verify OK
ca/files/ed448-cert.pub: good
	This Update: Jan 27 09:15:52 2024 GMT
	Next Update: Jan 27 10:15:52 2024 GMT
$ openssl ocsp -CAfile ca/files/ed25519.pub -issuer ca/files/ed25519.pub -cert ca/files/ed25519-cert.pub -url http://localhost:8000/django_ca/ocsp/ed25519/ -resp_text
...
Response verify OK
ca/files/ed25519-cert.pub: good
	This Update: Jan 27 09:16:12 2024 GMT
	Next Update: Jan 27 10:16:12 2024 GMT
```
If there is anything I might have missed here, or you want to share additional configuration, of course please let me know!
from django-ca.
PS: Please note that you're using absolute paths; this is deprecated, see the documentation. I will actually remove support for this in 1.28.0.
from django-ca.