Bug 221950 - www/nghttp2 OCSP Stapling error when checking certificates
Status: Closed Not Enough Information
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Sunpoet Po-Chuan Hsieh
Reported: 2017-08-31 03:37 UTC by Rob Belics
Modified: 2020-04-25 14:28 UTC
bugzilla: maintainer-feedback? (sunpoet)
Description Rob Belics 2017-08-31 03:37:21 UTC
When running nghttpx as a front-end proxy and OCSP stapling is attempted, an error occurs: "ocsp query command for /../../cert.pem failed: error=0, rstatus=100, status=1". This happens because a Python script, /usr/local/share/nghttpx/fetch-ocsp-response, is executed to check SSL certificates.

The problem: the script is missing the #!/usr/bin/env on the first line of the file. 

The fix: I do not know how to create a portable version, but inserting '#!/usr/bin/env python2.7' on the first line removed the errors and OCSP stapling is working for me now.
Comment 1 Rob Belics 2017-08-31 21:39:10 UTC
Unless I'm misinterpreting things, all the python files in / and /python/ are set to use "python"
Comment 2 Sunpoet Po-Chuan Hsieh freebsd_committer 2017-09-11 11:30:15 UTC
This script is installed to DATADIR which is not intended to run directly. I removed the shebang to avoid unnecessary python dependency.
Comment 3 Rob Belics 2017-09-11 14:07:43 UTC
OCSP Stapling is not possible unless this script is executed by Python. The script is pointless otherwise. Can nothing be done about it?
Comment 4 Gleb Popov freebsd_committer 2020-04-25 12:59:33 UTC
Rob, if it is still relevant for you, can you provide some more info or reproduction steps?

What sunpoet@ says is that nghttp2 installs this script into the data dir, which shouldn't contain executables. In other words, this script should be run by the user somehow.

How are you doing it?
Comment 5 Rob Belics 2020-04-25 14:17:51 UTC
(In reply to Gleb Popov from comment #4)

I do not recall how I was using this back then. I only recall that my program used nghttp2 as a proxy to nginx, I think. I was only experimenting with how to use nghttp2. My first post shows all I remember to make it work. I haven't taken the time to understand the reasoning from @sunpoet or what would need to be changed on my end to solve the problem. I could not immediately find my test code from back then but will continue to search for it this weekend as time permits.

I have not tried to use nghttp2 since back then but intend to do so if I ever find the time.
Comment 6 Gleb Popov freebsd_committer 2020-04-25 14:28:48 UTC
I will close this as "Not enough information", then. Feel free to open another PR, if you bump into this again.

You can also add me to CC in this case.
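
The thread turns on whether a helper script that another program executes can be started at all. The following is an added example, not part of the bug report or of the nghttp2 port: a POSIX shell check that reports why a script cannot be executed directly. The function name `check_helper`, its return codes and the sample files are constructed for this example.

```shell
#!/bin/sh
# Return codes (chosen for this example): 0 ok, 1 missing file,
# 2 executable bit not set, 3 no shebang line, 4 interpreter not found.
check_helper() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    [ -x "$f" ] || { echo "$f: executable bit not set"; return 2; }
    # Only the first line matters: a directly executed script must start with "#!".
    IFS= read -r first < "$f" || true
    case $first in
        '#!'*) ;;
        *) echo "$f: first line is not a shebang"; return 3 ;;
    esac
    # Split "#!interp [arg]" into words after stripping the "#!" prefix.
    set -- ${first#'#!'}
    interp=$1; arg=$2
    [ -x "$interp" ] || { echo "$f: interpreter '$interp' not found"; return 4; }
    # For "#!/usr/bin/env NAME" the real interpreter is NAME, looked up in PATH.
    case $interp in
        */env) [ -n "$arg" ] && command -v "$arg" >/dev/null 2>&1 \
                   || { echo "$f: '$arg' not found in PATH"; return 4; } ;;
    esac
    echo "$f: ok ($first)"
}

# Constructed sample files: the same kind of script without and with a shebang.
tmp=$(mktemp -d)
printf 'import sys\n' > "$tmp/no-shebang"
printf '#!/bin/sh\necho ok\n' > "$tmp/with-shebang"
chmod +x "$tmp/no-shebang" "$tmp/with-shebang"
check_helper "$tmp/no-shebang"     # reports the missing shebang (code 3)
check_helper "$tmp/with-shebang"   # reports ok (code 0)
rm -rf "$tmp"
```

Run `check_helper` under the same account and PATH as the daemon, since an `env`-style shebang resolves the interpreter name through that PATH.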