in capi/lib/service/interpretation.go [236:286]
// assertRevoked checks a certificate that is expected to be revoked and
// records a concern for every OCSP response and CRL status that does not
// confirm the revocation.
//
// cert supplies the OCSP responses, CRL statuses, expiration status and the
// CrtSh value used as advice; t identifies the kind of certificate and is
// interpolated into the generated messages. Each finding is appended to
// opinion.Errors as a model.Concern.
//
// NOTE(review): the result is empty when cert.OCSP and cert.CRL are both
// empty, or when every CRL entry is crl.Unchecked, so a certificate with no
// revocation evidence at all produces no concern here. Confirm the caller
// treats missing evidence as a failure somewhere else.
func assertRevoked(cert model.CertificateResult, t CertType) (opinion model.Opinion) {
	report := func(c model.Concern) {
		opinion.Errors = append(opinion.Errors, c)
	}

	for _, resp := range cert.OCSP {
		// An expired certificate answered with Unauthorized is not counted
		// against the assertion, except for roots (t != Root).
		// NOTE(review): presumably responders may stop answering for expired
		// certificates - confirm this is the intended reason.
		expiredUnauthorized := cert.Expiration.Status == expiration.Expired &&
			resp.Status == ocsp.Unauthorized &&
			t != Root
		if expiredUnauthorized || resp.Status == ocsp.Revoked {
			continue
		}

		// No responder error: the responder answered, but with a status
		// other than Revoked.
		if resp.Error == "" {
			status := resp.Status.String()
			report(model.Concern{
				Raw:            status,
				Interpretation: fmt.Sprintf("%s is `%s` by OCSP responder %s", t, status, resp.Responder),
				Advise:         cert.CrtSh,
			})
			continue
		}

		// Only two statuses get an explanation; any other status paired with
		// an error is reported with an empty Interpretation.
		var explanation string
		if resp.Status == ocsp.CryptoVerifcationError {
			explanation = fmt.Sprintf("OCSP responder %s could not verify the provided chain at the %s. This is usually accompanied by a verification error thrown by certutil.", resp.Responder, t)
		} else if resp.Status == ocsp.BadResponse {
			explanation = fmt.Sprintf("OCSP responder %s gave a bad response for the %s.", resp.Responder, t)
		}
		report(model.Concern{
			Raw:            resp.Error,
			Interpretation: explanation,
			Advise:         cert.CrtSh,
		})
	}

	for _, entry := range cert.CRL {
		if entry.Status == crl.Unchecked {
			continue
		}
		// Any checked status other than Revoked is a finding. Raw carries
		// entry.Error even when that string is empty.
		if notRevoked := entry.Status != crl.Revoked; notRevoked {
			report(model.Concern{
				Raw:            entry.Error,
				Interpretation: fmt.Sprintf("%s is not revoked by CRL endpoint %s", t, entry.Endpoint),
				Advise:         cert.CrtSh,
			})
		}
		// A retrieval error is reported on its own, so an endpoint that is
		// both non-revoked and errored yields two concerns.
		if hasError := entry.Error != ""; hasError {
			report(model.Concern{
				Raw:            entry.Error,
				Interpretation: "An error occurred while retrieving the CRL. This is usually a networking error",
				Advise:         fmt.Sprintf("If this is a networking error, attempt to verify that CRL endpoint at %s is active and available", entry.Endpoint),
			})
		}
	}

	return opinion
}