wackysysadmin/ocsp-responder

By wackysysadmin

Updated about 2 months ago

Containerised OpenSSL OCSP responder. https://github.com/wackysysadmin/ocsp-responder-container

Image
Security
Developer tools
Web servers
0

4.0K

wackysysadmin/ocsp-responder repository overview

Containerised OCSP Responder

This is a containerised version of the OCSP web responder built into OpenSSL.

Had built this to add onto my certificates primarily to remove the warning on Microsoft's Terminal Services Client about being unable to validate the certificate against a responder when RDP'ing onto a server.

Image tag latest rebuilt every week with latest Alpine image and updated packages.

Repository: https://github.com/wackysysadmin/ocsp-responder-container

Prerequisites

This container relies on already having the following:

Running the container

Environment Variables

The following variables are file locations relative to the container.

  • OCSP_INT_PORT: "2560" # OCSP mounting port internal to the container.
  • INDEX_FILE: "/data/index.txt" # The database file of the CA.
  • CA_FILE: "/data/ca-chain.cert.pem" # The CA or CA and intermediate public chain certificate.
  • OCSP_CERT_FILE: "/data/ocsp.pem" # OCSP public certificate signed by the CA or intermediate.
  • OCSP_KEY_FILE: "/data/ocsp.key" # OCSP private key.
  • OCSP_LOG_FILE: "/data/ocsp.log" # OCSP process's output log file, HTTP access logs and responses. The container will generate this logfile.

Using Docker Compose

Create a docker-compose.yml file with the contents of https://github.com/wackysysadmin/ocsp-responder-container/blob/main/docker-compose.yml.

Modify the volume path to the path of your files.

Bring up the OCSP responder server:

docker compose up -d
docker logs ocsp-responder
ACCEPT 0.0.0.0:2560 PID=1
ocsp: waiting for OCSP client connections...

Certificates can now be signed by defining your OCSP's FQDN. Example configuration: authorityInfoAccess = OCSP;URI:http://ocsp.hostname.foo:2560

Reverse Proxy/HTTPS Support

The OCSP responder server can be put behind a reverse proxy such as Caddy/NGINX/Traefik.

This can be done by using a method of your choice, if you append a reverse proxy onto the Docker Compose file or if the reverse proxy server is on the same container bridge network you can specify http://ocsp-responder:2560 as the proxy upstream address.

Serving an OCSP responder over HTTPS (https://datatracker.ietf.org/doc/html/rfc5280#section-8) isn't a requirement but is certainly possible, as mentioned in the wider community OCSP requirements on CA/Intermediate certificates can cause issues, using them on issued server/client certificates from them should be fine.

Building the container from scratch

The container can be built manually, it is only an Alpine image with OpenSSL and CMD values set.

Enter a directory and create a Dockerfile with the contents from https://github.com/wackysysadmin/ocsp-responder-container/blob/main/Dockerfile.

Create the container using build command:

docker build -t ocsp-responder:latest .

Known issues

  • All files can be direct mounted into the container, however the index/database file must be in a mounted folder. This is due to Docker mounting the file as it is at the time. If there are changes to the index it will not be reflected unless the container gets restarted. For my use case I created an ocsp folder then changed my openssl.cnf to save changes to an index.txt in the ocsp folder.

Tag summary

Content type

Image

Digest

sha256:aa18149c2

Size

6.7 MB

Last updated

about 2 months ago

docker pull wackysysadmin/ocsp-responder