For some reason, an OpenSSL OCSP responder doesn't seem to deliver any responses for expired or revoked certificates. For valid certificates, everything is fine.
Tested this on LibreSSL 2.2.7 (on macOS). For reference, I also tested this on the very old OpenSSL 0.9.8f, same issue.
Setup
File index.txt (Fields are tab separated):
V 20991231235959Z 32F31 unknown /CN=valid01
V 20991231235959Z 32F32 unknown /CN=valid02
V 20991231235959Z 32F33 unknown /CN=valid03
E 20171231235959Z 32F34 unknown /CN=expired01
E 20171231235959Z 32F35 unknown /CN=expired02
E 20171231235959Z 32F36 unknown /CN=expired03
R 20171231235959Z 20160631235959Z 32F37 unknown /CN=revoked01
R 20171231235959Z 20160631235959Z 32F38 unknown /CN=revoked02
R 20171231235959Z 20160631235959Z 32F39 unknown /CN=revoked03
V 20991231235959Z 32F3A unknown /CN=valid04
File index.txt.attr:
unique_subject = yes
File ca.pem:
(Please create your own self-signed CA with key)
Start OCSP responder using
openssl ocsp -index index.txt -port 8084 -rkey ca.pem -rsigner ca.pem -CA ca.pem -text -resp_no_certs
Test
Query valid certificate (no problem here):
$ openssl ocsp -issuer ca.pem -serial 0x32f31 -url http://localhost:8084 -noverify
0x32f31: good
This Update: Sep 27 12:46:06 2018 GMT
Query expired or revoked certificate (missing response):
$ openssl ocsp -issuer ca.pem -serial 0x32f36 -url http://localhost:8084 -noverify
0x32f36: ERROR: No Status found.
What went wrong?
Found the issue. OpenSSL seems to require the timestamps in the index file to be in two-digit year form instead of four digits. Year 2000 problem, anyone? Apparently not.
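An added example, not part of the original post: a small checker for the date columns of an index.txt, assuming (as the answer reports) that the responder expects two-digit-year timestamps. The function names and the sample rows are constructed for illustration.

```python
import re

# Two-digit-year (ASN.1 UTCTime) and four-digit-year (GeneralizedTime) forms.
UTCTIME = re.compile(r"^\d{12}Z$")
GENTIME = re.compile(r"^\d{14}Z$")


def to_two_digit_year(stamp):
    """Return the YYMMDDHHMMSSZ form of a timestamp, or None if impossible."""
    if UTCTIME.match(stamp):
        return stamp
    # RFC 5280: two-digit years 50-99 mean 19xx and 00-49 mean 20xx, so only
    # 1950-2049 can be written with a two-digit year.
    if GENTIME.match(stamp) and 1950 <= int(stamp[:4]) <= 2049:
        return stamp[2:]
    return None


def lint_index(text):
    """Return (line_no, column, value, suggestion) for each date column that
    is not in two-digit-year form; suggestion is None if no such form exists."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:  # index.txt rows have six tab-separated columns
            findings.append((line_no, "line", line, None))
            continue
        dates = [("expiry", fields[1])]
        if fields[0] == "R":
            # The revocation column may carry ",reason" after the date.
            dates.append(("revocation", fields[2].split(",", 1)[0]))
        for column, value in dates:
            if not UTCTIME.match(value):
                findings.append((line_no, column, value, to_two_digit_year(value)))
    return findings


# Constructed sample rows (tab separated); not the poster's file.
SAMPLE = (
    "V\t20991231235959Z\t\t0A01\tunknown\t/CN=sample-valid\n"
    "E\t20171231235959Z\t\t0A02\tunknown\t/CN=sample-expired\n"
    "R\t20171231235959Z\t20160630235959Z\t0A03\tunknown\t/CN=sample-revoked-a\n"
    "R\t171231235959Z\t160630235959Z,keyCompromise\t0A04\tunknown\t/CN=sample-revoked-b\n"
)

if __name__ == "__main__":
    print(*lint_index(SAMPLE), sep="\n")
```

A year such as 2099 has no two-digit form, so the checker reports it with no suggestion instead of truncating it.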