HAproxy not returning OCSP response: no response sent

Posted on 2025-01-14 09:47:44

I just can't manage to get an OCSP response. Here are the steps I did:

Haproxy cert directory:

  1. Added CA file containing root and intermediate CA certificates with .issuer extension.
  2. Added my .pem cert file including private key, crt etc

Generated OCSP response in DER format with openssl:

openssl ocsp -issuer my_cert.issuer -VAfile my_cert.issuer -cert my_cert.pem -url http://status.thawte.com -header Host status.thawte.com -no_nonce -respout my_cert.ocsp
    Response verify OK
    my_cert.pem: good
        This Update: Mar 14 17:45:00 2022 GMT
        Next Update: Mar 21 17:00:00 2022 GMT

3 files are now in my HAproxy cert directory:

  • my_cert.issuer
  • my_cert.ocsp
  • my_cert.pem

This is how my HAproxy config looks:

global
  maxconn 4096
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RSA+AES128:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA
  log 127.0.0.1 local0 debug

defaults
  log     global
  mode    http
  option  httplog
  option  dontlognull
  option forwardfor
  option http-server-close
  stats enable
  stats uri /stats
  timeout connect 3000ms
  timeout client 25000ms
  timeout server 25000ms

frontend ssl_check
    bind :::80
    bind :::443 ssl crt /usr/local/etc/haproxy/certs/my_cert.pem
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http  if !https
    http-request set-header X-Forwarded-Proto https if https
    mode http
    use_backend %[base,lower,map_beg(/usr/local/etc/haproxy/ssl.map)] if { base,lower,map_beg(/usr/local/etc/haproxy/ssl.map) -m found }
    default_backend ssl_check

backend ssl_check
  mode http
  errorfile 503 /usr/local/etc/haproxy/errors/certificate_response.http

This is how my fake backend looks, using a manipulated 503 errorfile that gives response 200 back:

HTTP/1.0 200 Found
Cache-Control: no-cache
Connection: close
Content-Type: text/plain

200 Found

Reloaded HAproxy afterwards but I still get the same output:

$ echo quit | openssl s_client -connect 127.0.0.1:443 -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
OCSP response: no response sent
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018
verify return:1
[...]
---
Certificate chain
 0 s:/[...]
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/[...]
issuer=/
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4377 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FDAA738CD5049E2D14F5F7AD1C2CBCA36B938B94755F697E4CE0DCD40342791E
    Session-ID-ctx: 
    Master-Key: [...]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
[...]

    Start Time: 1647360170
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018

This is how the HAproxy package is set up regarding OpenSSL etc:

# haproxy -vv
HA-Proxy version 1.8.19 2019/02/11
Copyright 2000-2019 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-null-dereference -Wno-unused-label
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0j  20 Nov 2018
Running on OpenSSL version : OpenSSL 1.1.0j  20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
    [SPOE] spoe
    [COMP] compression
    [TRACE] trace

Tested it on a docker-compose setup and on a live machine also, but in both cases I get the certificate chain back etc, but the OCSP response field is still empty:

OCSP response: no response sent

What am I doing wrong?!

Comments (1)

脸赞 2025-01-21 09:47:44

Was able to sort it out. The naming convention of the certificate file name must be followed and was wrong.

Wrong:

  • my_cert.issuer
  • my_cert.ocsp
  • my_cert.pem

Correct:

  • my_cert.pem.issuer
  • my_cert.pem.ocsp
  • my_cert.pem

Then I was able to get an OCSP response from my HAproxy test instance back.
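The answer's point is that HAProxy derives the staple and issuer file names from the exact path given to `crt` (`<crt>.ocsp` and `<crt>.issuer`), so with `crt .../my_cert.pem` the companions must be `my_cert.pem.ocsp` and `my_cert.pem.issuer`. The script below is an added example, not code from the post or from the HAProxy project: `check_ocsp_names` scans a certificate directory for `.ocsp`/`.issuer` files whose base name is not an existing certificate file (the exact mistake in the question), and `refresh_ocsp` wraps the `openssl ocsp` command from the question so the DER response is written under the correct name. The responder URL, the `-header Host <host>` two-argument form (matching the OpenSSL 1.1.0 shown in `haproxy -vv`; newer OpenSSL expects `-header Host=<host>`) and the local stats-socket path mentioned in a comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the HAProxy project).
# HAProxy looks for the OCSP staple and the issuer chain next to the
# certificate, named <crt>.ocsp and <crt>.issuer, where <crt> is the full
# file name passed to "crt" (e.g. my_cert.pem -> my_cert.pem.ocsp).

# Print the two companion file names HAProxy expects for a given crt path.
ocsp_companions() {
    printf '%s.issuer\n%s.ocsp\n' "$1" "$1"
}

# Scan a certificate directory: for every *.ocsp or *.issuer file, the name
# with that suffix removed must itself be an existing certificate file
# (my_cert.pem.ocsp -> my_cert.pem). A file like my_cert.ocsp (base "my_cert",
# which does not exist) is reported on stderr. Returns 1 if any misnamed file
# was found, 0 otherwise, so it can gate a reload in a deployment script.
check_ocsp_names() {
    dir=$1
    bad=0
    for f in "$dir"/*.ocsp "$dir"/*.issuer; do
        [ -e "$f" ] || continue          # unmatched glob, nothing to check
        base=${f%.*}                     # strip the trailing .ocsp / .issuer
        if [ ! -f "$base" ]; then
            echo "misnamed: $f (no certificate file $(basename "$base") beside it)" >&2
            bad=1
        fi
    done
    return $bad
}

# Fetch a fresh DER staple for one certificate and store it as <crt>.ocsp,
# the name HAProxy loads. The responder URL defaults to the one used in the
# question and is an assumption; pass the CA's real OCSP URL as $2.
# Writes to a temp file first so a failed fetch never clobbers a good staple.
# (Needs network access; not exercised by the self-test.)
refresh_ocsp() {
    crt=$1
    url=${2:-http://status.thawte.com}
    host=${url#http://}
    openssl ocsp -issuer "$crt.issuer" -VAfile "$crt.issuer" -cert "$crt" \
        -url "$url" -header Host "$host" -no_nonce \
        -respout "$crt.ocsp.tmp" && mv "$crt.ocsp.tmp" "$crt.ocsp"
    # After "haproxy reload", confirm the staple is actually sent:
    #   echo quit | openssl s_client -connect 127.0.0.1:443 -status 2>/dev/null \
    #       | grep 'OCSP response'
    # Expected line once the names are right: "OCSP Response Status: successful"
    # instead of "OCSP response: no response sent".
}
```

Run `check_ocsp_names /usr/local/etc/haproxy/certs` before every reload; with the question's original layout it reports `my_cert.ocsp` and `my_cert.issuer` as misnamed, and with the answer's layout it is silent and returns 0.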
