H Aßdøµ
Asked: 2020-05-25 12:47:52 +0800 CST

How to check whether a letsencrypt certificate has been revoked

I am trying to check whether a certificate issued by letsencrypt has been revoked, following this answer:

 openssl ocsp -issuer highschoolhelper.org_fullchain.crt  -cert highschoolhelper.org_fullchain.crt  \
      -text -url http://ocsp.int-x3.letsencrypt.org  -header "HOST" "ocsp.int-x3.letsencrypt.org"

Contents of highschoolhelper.org_fullchain.crt:

[two PEM certificate blocks omitted]

But I get this output instead:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: 631192891A849CF47501DE858F83FF62B943199A
          Serial Number: 0486E5A1D0B9C6D97280AC24D47C6B552370
    Request Extensions:
        OCSP Nonce:
            0410193D65F8B1D045055EE5862101F61D02
Responder Error: unauthorized (6)
Tags: ssl openssl ocsp

2 Answers

  1. Best Answer
    Steffen Ullrich
    2020-05-25T13:52:41+08:00

    Your input file contains two certificates: first the leaf certificate, then the chain certificate. The chain certificate is the issuer of the leaf certificate, so it needs to be used for the -issuer argument if you want to check the leaf certificate (the -cert argument).

    Only, you give the same file for both issuer and cert. In both cases it takes the first certificate from the file, which means it uses the same certificate for issuer and cert, which is wrong. To fix this, split your file into two parts: put the first certificate into cert.pem and the second into issuer.pem, then retry:

    $ openssl ocsp -issuer issuer.pem -cert cert.pem \
        -text -url http://ocsp.int-x3.letsencrypt.org  -header "HOST" "ocsp.int-x3.letsencrypt.org"
    
    ...
    OCSP Response Data:
        ...
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        ...
        Cert Status: good
        This Update: May 24 03:00:00 2020 GMT
        Next Update: May 31 03:00:00 2020 GMT
    
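A way to automate the split-and-query procedure this answer describes, as an added example (not the answer's own code). It assumes openssl is in PATH, the chain file is ordered leaf first and issuer second, and the responder URL is the one in the leaf's Authority Information Access extension:

```shell
#!/bin/sh
# Added example, not from the answer: split a fullchain PEM into leaf and
# issuer, then query the leaf's OCSP responder as the answer describes.
# Assumes openssl in PATH and a chain ordered leaf first, issuer second.

# split_chain FULLCHAIN OUTDIR: 1st PEM block -> cert.pem, 2nd -> issuer.pem
split_chain() {
    chain="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Count BEGIN markers; block 1 is the leaf, block 2 is its issuer.
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (dir "/cert.pem") }
        n == 2 { print > (dir "/issuer.pem") }
    ' "$chain"
    # Fail if the file did not hold at least two certificates.
    [ -s "$outdir/cert.pem" ] && [ -s "$outdir/issuer.pem" ]
}

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample with placeholder bodies (not real certificates); a
# certbot fullchain.pem has the same two-block shape.
write_sample_chain() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' '' '-----BEGIN CERTIFICATE-----' \
        'ISSUER-PLACEHOLDER' '-----END CERTIFICATE-----' > "$1"
}

# ocsp_status OUTDIR: responder URL from the leaf's AIA extension; prints
# the verify line and the good/revoked/unknown status line. The answer's
# -header is only needed on OpenSSL < 1.1.0, which sent no Host header.
ocsp_status() {
    outdir="$1"
    url=$(openssl x509 -in "$outdir/cert.pem" -noout -ocsp_uri)
    openssl ocsp -issuer "$outdir/issuer.pem" -cert "$outdir/cert.pem" \
        -url "$url" 2>&1 |
        grep -E 'Response verify|Responder Error|: (good|revoked|unknown)'
}

# Usage: sh check_ocsp.sh fullchain.pem   (needs network access)
if [ "$#" -eq 1 ]; then
    workdir=$(mktemp -d)
    split_chain "$1" "$workdir" || { echo "need leaf + issuer in $1" >&2; exit 1; }
    ocsp_status "$workdir"
fi
```

A "Response verify OK" line before the status line means the responder's signature chained to a trusted root; without it, the reported status should not be trusted.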
  2. Patrick Mevzek
    2020-05-26T13:22:40+08:00

    Besides Steffen's answer using OCSP, you can also use the Certificate Transparency logs search interface, which stores all certificates from any public CA along with their revocation status.

    If you search with https://crt.sh/?q=highschoolhelper.org you get 7 certificates:

    crt.sh ID    Logged At  ⇧   Not Before  Not After   Matching Identities     Issuer Name
    2848441767  2020-05-24  2020-05-24  2020-08-22  highschoolhelper.org
                                                    www.highschoolhelper.org    C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2850401771  2020-05-24  2020-05-24  2020-08-22  highschoolhelper.org    C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2849897415  2020-05-23  2020-05-23  2020-08-21  highschoolhelper.org    C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2845143222  2020-05-23  2020-05-23  2020-08-21  highschoolhelper.org    C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2844662744  2020-05-23  2020-05-23  2020-08-21  highschoolhelper.org    C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    2753256176  2020-05-02  2020-05-02  2020-07-31  highschoolhelper.org
                                                    mail.highschoolhelper.org
                                                    www.highschoolhelper.org    C=US, ST=TX, L=Houston, O="cPanel, Inc.", CN="cPanel, Inc. Certification Authority"
    2753256196  2020-05-02  2020-05-02  2020-07-31  highschoolhelper.org
                                                    mail.highschoolhelper.org
                                                    www.highschoolhelper.org    C=US, ST=TX, L=Houston, O="cPanel, Inc.", CN="cPanel, Inc. Certification Authority" 
    

    The first certificate in your dump has:

            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Validity
                Not Before: May 24 02:03:23 2020 GMT
                Not After : Aug 22 02:03:23 2020 GMT
            Subject: CN=highschoolhelper.org
    

    So this corresponds to ID 2850401771 above.

    Going to https://crt.sh/?id=2850401771, it is not yet flagged as revoked (but it will be):

    [image: revocation status of certificate 2850401771]

    Unless you click on "Check" next to OCSP, in which case you get:

    [image: revocation status of certificate 2850401771 after the OCSP check]

