У меня есть сборка CFSSL-образа со следующим Dockerfile
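# syntax=docker/dockerfile:1
# Builds cfssl from the vendored ./cfssl source tree and runs `cfssl serve`.
# Runtime inputs are expected on mounts: /config (db-connect.json, config.json)
# and /cert (CA and OCSP responder key pairs) — see CMD below.
FROM golang:1.13.3@sha256:6a693fbaba7dd8d816f6afce049fb92b280c588e0a677c4c8db26645e613fc15

# Optional git ref (tag or commit) of cloudflare/cfssl_trust to check out.
# Empty (the default) keeps the original behaviour of using the branch tip;
# pass a commit hash for a reproducible trust store:
#   docker build --build-arg CFSSL_TRUST_REF=<cfssl_trust commit> .
ARG CFSSL_TRUST_REF=

COPY ./cfssl /cfssl
WORKDIR /cfssl

# One layer: fetch the trust store, embed the serve UI assets with rice,
# build every cfssl binary and install them on PATH.
RUN git clone https://github.com/cloudflare/cfssl_trust.git /etc/cfssl && \
    if [ -n "${CFSSL_TRUST_REF}" ]; then git -C /etc/cfssl checkout "${CFSSL_TRUST_REF}"; fi && \
    make clean && \
    make bin/rice && ./bin/rice embed-go -i=./cli/serve && \
    make all && cp bin/* /usr/bin/

# Run the service as an unprivileged user with a stable UID so the runtime
# can verify it. The mounted /config and /cert trees (they hold private keys)
# must be readable by UID 10001, and by nothing else that does not need them.
RUN groupadd --system --gid 10001 cfssl && \
    useradd --system --uid 10001 --gid cfssl --no-create-home --shell /usr/sbin/nologin cfssl

# 8888: the `cfssl serve` API started by CMD. 8889: only documented here —
# nothing in this image starts an OCSP responder; a separate `cfssl ocspserve`
# process (ideally its own container) has to listen there for ocsp_url to work.
EXPOSE 8888 8889

USER cfssl
ENTRYPOINT ["cfssl"]
CMD ["serve", "-db-config=/config/db-connect.json", "-ca=/cert/server.pem", "-ca-key=/cert/server-key.pem", "-config=/config/config.json", "-responder=/cert/ocsp.pem", "-responder-key=/cert/ocsp-key.pem", "-address=0.0.0.0"]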
API для генерации и отзыва сертификатов работают, как и ожидалось. Но OCSP API для сертификации не работает. У меня есть следующие конфигурации CFSSL
config.json: |
{
"signing": {
"default": {
"ocsp_url": "http://localhost:8889",
"crl_url": "http://localhost:8888/api/v1/cfssl/crl",
"expiry": "26280h"
},
"profiles": {
"intermediate": {
"auth_key": "key1",
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"cert sign",
"crl sign"
],
"ca_constraint": {
"is_ca": true,
"max_path_len": 1
}
},
"ocsp": {
"auth_key": "key1",
"usages": [
"digital signature",
"ocsp signing"
],
"expiry": "26280h"
},
"serverCA": {
"auth_key": "key1",
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"cert sign",
"crl sign"
]
},
"server": {
"auth_key": "key1",
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth",
"email protection"
]
}
}
},
"auth_keys": {
"key1": {
"key": "adb579634e191bcda1298c93fe3c509f",
"type": "standard"
}
}
}
Журналы CFSSL:
2020/04/20 21:19:17 [INFO] Initializing signer
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/sign' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/crl' is enabled
2020/04/20 21:19:17 [INFO] setting up key / CSR generator
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2020/04/20 21:19:17 [INFO] bundler API ready
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/ocspsign' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/revoke' is enabled
2020/04/20 21:19:17 [INFO] endpoint '/api/v1/cfssl/health' is enabled
2020/04/20 21:19:17 [INFO] Handler set up complete.
2020/04/20 21:19:17 [INFO] Now listening on 0.0.0.0:8888
Что мне здесь не хватает?