[Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
Anthony Joseph Messina
amessina at messinet.com
Mon Jul 25 22:23:31 UTC 2016

After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder"
with the following command. I can confirm the certificate with serial 0x14 is
present in the system and is not expired/revoked, etc. I'm a bit nervous
about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output
below.

# /usr/bin/openssl ocsp \
    -issuer /etc/ipa/ca.crt \
    -nonce \
    -CAfile /etc/ipa/ca.crt \
    -url "http://ipa-ca.example.com/ca/ocsp" \
    -serial 0x14

# rpm -q freeipa-server pki-server
freeipa-server-4.3.1-1.fc24.x86_64
pki-server-10.3.3-1.fc24.noarch

# tail -f /var/log/pki/pki-tomcat/ca/debug
CMSServlet:service() uri = /ca/ocsp
CMSServlet: caOCSP start to service.
IP: 10.77.79.198
CMSServlet: no authMgrName
CMSServlet: in auditSubjectID
CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.77.79.198}
CMSServlet auditSubjectID: subjectID: null
CMSServlet: in auditGroupID
CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.77.79.198}
CMSServlet auditGroupID: groupID: null
checkACLS(): ACLEntry expressions= ipaddress=".*"
evaluating expressions: ipaddress=".*"
evaluated expression: ipaddress=".*" to be true
DirAclAuthz: authorization passed
SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
Servlet Path=/ocsp
RequestURI=/ca/ocsp
PathInfo=null
Method=POST
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
OCSPServlet: Could not locate issuing CA
CMSServlet.java: renderTemplate
CMSServlet: curDate=Mon Jul 25 17:12:11 CDT 2016 id=caOCSP time=50
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6