Ssl

如何檢查letsencrypt證書是否已被吊銷

  • May 25, 2020

我正在嘗試根據此答案檢查letsencrypt頒發的證書是否已被吊銷:

openssl ocsp -issuer highschoolhelper.org_fullchain.crt  -cert highschoolhelper.org_fullchain.crt  \
     -text -url http://ocsp.int-x3.letsencrypt.org  -header "HOST" "ocsp.int-x3.letsencrypt.org"

highschoolhelper.org_fullchain.crt 內容:

-----BEGIN CERTIFICATE-----
MIIGezCCBWOgAwIBAgISBIblodC5xtlygKwk1HxrVSNwMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA1MjQwMjAzMjNaFw0y
MDA4MjIwMjAzMjNaMB8xHTAbBgNVBAMTFGhpZ2hzY2hvb2xoZWxwZXIub3JnMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoJoYehVRN/qnOOM5phcdlknH
Je8k+TbZjW+drtX7i3zik/se2rR3Gj16da5A4vx6irK+SasdU2ckwcC4GGCa0ILM
gCcwE/rI1km65A5KudSA9tz494olkIxAuwhHXdOHZjBQ9fx211Jol0drqvc2cnS5
Camnx6ibYeGvZqadMC9iIqiZ2WIYr1cJCBeOJrk4f9hZnNSA/nghgyq4ajzKc+R4
nNBy2pl50VYdzV465MIdRKtuJvnoPPtwf0Z605gXwibI8rsA4kUcJj3QS7vcxsfw
W8xgu9lwHm0K5DZiSiBfzxyOMui7BFDSek25kf98e+ZNb/Eqz+JXSEk9udMDbPx8
nVtskoW6HaxL2D/qjHuI7DQnTP7SR/+OA6av6ZKSH+7KLtU7aN2i9itsNJA5AlZC
KGKmuTO+xCuI2Fi4QueacfnGqmC2+/rXtEu1vtuu0zL1W8J2JhR9ocOOC/e5Fjld
hufYVpEyJwSxbjCGSOhVX0DqIgLSucHlJceKNVZBlx8Oh0KNjcjpfvHhKZlJ/SyL
AUYT5tbJ/YMqr4Lr3RHqRZL22H93aFAoyHw2doPS88fwjUn+hYgk9TaEtLLfa8yT
j/C5c7cZf42sq0gyb9xQkpah50Ft9HNEJcs1HrTjVJxDFEFTG99odK//GiFsKlj9
x+3GOufni0GydETRC1UCAwEAAaOCAoQwggKAMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUYxGSiRqEnPR1Ad6Fj4P/YrlDGZowHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3
pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2Nz
cC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2Vy
dC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzA5BgNVHREEMjAwghRoaWdoc2Nob29s
aGVscGVyLm9yZ4IYd3d3LmhpZ2hzY2hvb2xoZWxwZXIub3JnMEwGA1UdIARFMEMw
CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
cHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAXqdz
+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFyRKKP1gAABAMARzBFAiBj
Vo3hgkLNSJBNdhiymhBkYym5sOaRqWswrQCZeRaX/AIhAJ/CqfyvYvtIudJ3fjaN
+eQFm24CE+MmUql+4Q6vNV7dAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6
GmnTohwAAAFyRKKP/QAABAMASDBGAiEAlVvbTUpmGlXE6ARMENw3oIAlzoacBlG6
ZgNRinb3SuUCIQCcaqd5cDIKlFY00rQ3A/CiLkRJsyLu7SGRtWd2SbtTyDANBgkq
hkiG9w0BAQsFAAOCAQEAbFJFXt7rhu6cftRhLF+8sC8+Iv8qL0qVAjFfyckz1QpT
mqKMPpi56sLc25HI4BxOlCh7HBbD4qu/G/PFWaihSkzOWqub9PkcgbxaK4TKWJr8
LYWYv+PxmtbTeA9bNeMxPMuL4KraOog6XyI4gxjP0Pa+vONjrDsCBnO5ZuskbkK4
2MqNbVQT4W0Arx51ZP4uaNZYZHPtr0aByn6KF5KPP/TTA+V5T8yKFCzBpHm33g7n
bk3RDQeqpiFdCwXc7mkZRpj+o+SM4WfBXp399mGoGkBjh73n9k4L2PCwY6nt5sgB
NXW14dJwThtD5llBdTlxbg/LlBp9y1gT5Je3F2IB6A==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

但我得到的是這個輸出:

OCSP Request Data:
   Version: 1 (0x0)
   Requestor List:
       Certificate ID:
         Hash Algorithm: sha1
         Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
         Issuer Key Hash: 631192891A849CF47501DE858F83FF62B943199A
         Serial Number: 0486E5A1D0B9C6D97280AC24D47C6B552370
   Request Extensions:
       OCSP Nonce:
           0410193D65F8B1D045055EE5862101F61D02
Responder Error: unauthorized (6)

您的輸入文件包含兩個證書:首先是葉證書,其次是鏈證書。-issuer鏈證書是葉子證書的頒發者,因此如果要檢查葉子證書(-cert參數),則需要將其用於參數。

只是,您為頒發者和證書提供相同的文件。在這兩種情況下,它都會從文件中取出第一個證書,這意味著它將為頒發者和證書使用相同的證書——這是錯誤的。要解決此問題,請將您的文件分成兩部分:將第一個證書放入cert.pem,第二個放入issuer.pem,然後重試:

$ openssl ocsp -issuer issuer.pem -cert cert.pem \
   -text -url http://ocsp.int-x3.letsencrypt.org  -header "HOST" "ocsp.int-x3.letsencrypt.org"

...
OCSP Response Data:
   ...
   Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   ...
   Cert Status: good
   This Update: May 24 03:00:00 2020 GMT
   Next Update: May 31 03:00:00 2020 GMT

引用自:https://serverfault.com/questions/1018524