[Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
Fraser Tweedale
ftweedal at redhat.com
Tue Jul 26 03:45:20 UTC 2016
On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder"
> with the following command. I can confirm certificate with serial 0x14 is
> present in the system and is not expired/revoked, etc. I'm a bit nervous
> about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output
> below.
>
> # /usr/bin/openssl ocsp \
> -issuer /etc/ipa/ca.crt \
> -nonce \
> -CAfile /etc/ipa/ca.crt \
> -url "http://ipa-ca.example.com/ca/ocsp" \
> -serial 0x14
>
> # rpm -q freeipa-server pki-server
> freeipa-server-4.3.1-1.fc24.x86_64
> pki-server-10.3.3-1.fc24.noarch
>
Hi Anthony,
I wrote this code and I think I know what the issue is. Could you
please execute `pki-server db-upgrade -v` as root, then try the OCSP
request again?
If it works, happy day for you, and for me too because it confirms
the issue which I must fix :)
Thanks,
Fraser
More information about the Freeipa-users
mailing list