Blackbox Debugging Linux Programs
While working my way through OpenSSL I stumbled on several things.
Fortunately, I came across this GitHub issue, which mentioned a debugging utility called strace.
strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. The operation of strace is made possible by the kernel feature known as ptrace.
Using strace is super easy: simply prepend it to your command and run.
strace openssl ocsp -CAfile ca-chain-bundle.cert.pem -issuer ca-chain-bundle.cert.pem -cert bc-dev-cert-20201005.crt -url http://my-super-duper-website.com/api/certs/ocsp -resp_text -noverify
This will print a lot of output: one line for every system call the process makes.
strace helped me find out why an OpenSSL 1.0.2k OCSP request worked on my machine but failed with an HTTP 503 when targeting remote hosts.
It turns out OpenSSL uses the IP address (not the domain name) of the machine to make the HTTP request. Most web servers out there host multiple web apps on the same IP address, so a request that only names the IP gives the server no way to tell which site it is meant for.
To target my website, I had to set the Host header explicitly (which openssl ocsp allows you to do).
openssl ocsp -CAfile ca-chain-bundle.cert.pem -issuer ca-chain-bundle.cert.pem -cert bc-dev-cert-20201005.crt -url http://220.127.116.11/api/certs/ocsp -header "Host" "my-super-duper-website.com" -resp_text -noverify
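As an added example (not part of the original post), here is a small Python checker that reads strace output like the runs above produce and reports, for each HTTP request written to a socket, which peer it went to and whether it carried a Host header, so the missing-Host problem shows up without reading the whole trace by hand. The trace lines are constructed for illustration, and the check assumes the capture was taken with a large enough -s value (strace truncates printed strings at 32 bytes by default), otherwise the request headers are cut off.

```python
import re

# Constructed strace excerpt (not a real capture) for two openssl ocsp runs against
# the same server: the first write carries no Host header, the second sets it.
SAMPLE_STRACE = r'''
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("220.127.116.11")}, 16) = 0
write(3, "POST /api/certs/ocsp HTTP/1.0\r\nContent-Type: application/ocsp-request\r\nContent-Length: 83\r\n\r\n0Q0O0M0K0I0\t\6\5+\16\3\2\32\5\0", 171) = 171
read(3, "HTTP/1.1 503 Service Unavailable\r\n", 4096) = 34
connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("220.127.116.11")}, 16) = 0
write(4, "POST /api/certs/ocsp HTTP/1.0\r\nHost: my-super-duper-website.com\r\nContent-Type: application/ocsp-request\r\nContent-Length: 83\r\n\r\n0Q0O", 108) = 108
'''

CONNECT_RE = re.compile(r'^connect\((\d+), \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([\d.]+)"\)')
# write()/send()/sendto() whose second argument is strace's C-style quoted buffer
SEND_RE = re.compile(r'^(?:write|send|sendto)\((\d+), "((?:[^"\\]|\\.)*)"')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def unescape(buf):
    # Undo strace's C escapes (\r, \n, \t, \", \\ and octal \NNN) to get the sent bytes as text
    return buf.encode('latin-1').decode('unicode_escape')


def audit_http_requests(trace):
    """Pair each HTTP request written to a socket with its connect() peer and check Host."""
    peers, findings = {}, []
    for line in trace.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            peers[m.group(1)] = f'{m.group(3)}:{m.group(2)}'  # fd -> ip:port
            continue
        m = SEND_RE.match(line)
        if not m:
            continue
        head = unescape(m.group(2)).split('\r\n\r\n', 1)[0].split('\r\n')
        if not re.match(r'^[A-Z]+ \S+ HTTP/1\.[01]$', head[0]):
            continue  # not an HTTP request line (e.g. a TLS record); skip it
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(':', 1) for h in head[1:] if ':' in h)}
        host = headers.get('host')
        if host is None:
            reason = 'no Host header: a server hosting several sites on this IP cannot route it'
        elif IPV4_RE.match(host.split(':')[0]):
            reason = 'Host is a bare IP: the server will answer with its default site'
        else:
            reason = 'ok'
        findings.append({'fd': m.group(1), 'peer': peers.get(m.group(1)),
                         'request': head[0], 'host': host, 'reason': reason})
    return findings
```

Run `audit_http_requests(SAMPLE_STRACE)` (or feed it the saved output of `strace -f -s 512 -e trace=network,write openssl ocsp ...`) and the first request is flagged for the missing Host header while the second, sent with `-header "Host" ...`, passes.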