[Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1

Martin Kosek mkosek at redhat.com
Mon Sep 14 06:26:38 UTC 2015


On 09/12/2015 09:51 AM, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo <natxo.asenjo at gmail.com>
> wrote:
> 
>> hi,
>>
>> In a test network I followed the procedure specified in
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>> to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.
>>
>> Everything went fine, I shut down the centos 6.7 host and I can kinit to
>> the test realm like before with everything being handled by the centos 7.1
>> ipa server.
>>
>> Unfortunately, firefox is not loading the web ui with the message:
>>
>> An error occurred during a connection to kdc2.unix.domain.tld. The OCSP
>> server experienced an internal error. (Error code:
>> sec_error_ocsp_server_error)
>>
>>
>> Chrome works fine; it does not query the ocsp responder, apparently. If I
>> turn off the ocsp queries in firefox, everything works.
>>
>> So how can I troubleshoot this? I have turned off the firewall in the
>> centos 7.1 hosts, selinux is permissive.
>>
> 
> ok, so I found something:
> 
>  $ openssl s_client -connect kdc2.unix.domain.tld:443 | openssl x509 -noout -text | grep -i ocsp
>                 OCSP - URI:http://kdc1.unix.domain.tld:80/ca/ocsp
> 
> so it's pointing to the centos 6.7 box, and that one is gone. That's why
> it's not working.
> 
> Shouldn't the certificates be modified or recreated when decommissioning
> replicas? I must have done something wrong when decommissioning the server
> ...
> 
> Anyway, I created an A record for kdc1 pointing to kdc2 and now it's
> working, but I wonder if this is the 'right' approach.

Hello Natxo,

During migration, certificates are not touched. This is a bug/deficiency in
FreeIPA in RHEL-6.x: it uses the issuing FreeIPA hostname as the CRL/OCSP contact.

This should be fully fixed in FreeIPA 3.2 or later, see upstream ticket (and
linked design page):
https://fedorahosted.org/freeipa/ticket/3547

In the RHEL-7 versions, certificates should be pointing to the joint name
"ipa-ca.DOMAIN" pointing to FreeIPA servers with CA.

What you can do now is to either keep the "A" record as you already have, or
alternatively you can re-issue certificates ("ipa-getcert resubmit") that are
pointing to the RHEL-6 machine.

HTH,
Martin
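A quick way to catch this class of problem before a browser does is to read the OCSP responder URI out of each server certificate and check that the host it names still resolves. The script below is an added example for this thread, not FreeIPA code or anything from the original post. It assumes an `openssl` CLI new enough to support `req -addext` (1.1.1 or later) and `getent` for name resolution; the hostname `kdc1.example.invalid` in the demo certificate is constructed (the `.invalid` TLD never resolves) to stand in for a decommissioned replica like the kdc1 box above.

```shell
#!/bin/sh
# Added example: audit the OCSP responder URI(s) embedded in a PEM certificate
# and report whether the responder hostnames still resolve. Constructed for this
# thread; not part of FreeIPA.
set -eu

# Print the OCSP responder URI(s) from the certificate's AIA extension.
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Extract the host part from an http(s) URI (strip scheme, then port/path).
uri_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# Check every OCSP responder host named in a cert.
# Returns 1 if any responder host fails to resolve (the failure mode Firefox
# surfaced as sec_error_ocsp_server_error), 0 otherwise.
check_ocsp_hosts() {
    cert="$1"
    rc=0
    for uri in $(ocsp_uris "$cert"); do
        host=$(uri_host "$uri")
        if getent hosts "$host" >/dev/null 2>&1; then
            echo "OK   $uri (host $host resolves)"
        else
            echo "FAIL $uri (host $host does not resolve; re-issue the cert or fix DNS)"
            rc=1
        fi
    done
    return $rc
}

# Build a throwaway self-signed cert whose AIA points at a constructed,
# deliberately unresolvable hostname (stands in for the retired kdc1 server).
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=demo.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://kdc1.example.invalid:80/ca/ocsp" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage (stand-alone): audit the demo cert, or pass your own PEM file as $1.
if [ "${1:-}" != "" ]; then
    check_ocsp_hosts "$1"
else
    check_ocsp_hosts "$(make_demo_cert)" || true
fi
```

On a live server the certificate can be pulled the same way the original post did (`openssl s_client -connect host:443 </dev/null | openssl x509`) and piped into a file for `check_ocsp_hosts`; a FAIL line means the responder host has gone away and the certificate needs re-issuing, or DNS needs the interim A record described above.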




More information about the Freeipa-users mailing list