[Freeipa-users] "Could not locate issuing CA" when querying OCSP responder

Fraser Tweedale ftweedal at redhat.com
Tue Jul 26 04:40:38 UTC 2016


On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder" 
> > with the following command.  I can confirm the certificate with serial 0x14 is 
> > present in the system and is not expired/revoked, etc.  I'm a bit nervous 
> > about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output 
> > below.
> > 
> > # /usr/bin/openssl ocsp \
> >   -issuer /etc/ipa/ca.crt \
> >   -nonce \
> >   -CAfile /etc/ipa/ca.crt \
> >   -url "http://ipa-ca.example.com/ca/ocsp" \
> >   -serial 0x14
> > 
> > # rpm -q freeipa-server pki-server
> > freeipa-server-4.3.1-1.fc24.x86_64
> > pki-server-10.3.3-1.fc24.noarch
> > 
> Hi Anthony,
> 
> I wrote this code and I think I know what the issue is.  Could you
> please execute `pki-server db-upgrade -v` as root, then try the OCSP
> request again?
> 
> If it works, happy day for you, and for me too because it confirms
> the issue which I must fix :)
> 
On further investigation, what I thought was the problem cannot be
the problem.  No need to follow my earlier suggestion.

But I found (and fixed) something else.  Would you be willing to try
my COPR build[1]?  It contains the linked patch[2] plus whatever is
between your installed pki version and the Dogtag master branch at
a307cf68e91327ddbef4b9d7e2bbd3991354831f.

[1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
[2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch

Alternatively, you can apply the patch and build Dogtag yourself
(if, e.g., you do not trust my COPR packages, which is fair enough
^_^)

Thanks,
Fraser
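For readers following the thread: the `openssl ocsp -issuer ... -serial 0x14` command above does not send the issuer certificate to the responder. It sends a CertID that identifies the issuer only by SHA-1 hashes of the issuer's DER-encoded Name and of its public key bits (RFC 6960), and the responder has to match those hashes against the CAs it serves before it can say anything about the serial. The following standard-library Python is an added illustration, not code from this thread, FreeIPA or Dogtag: it encodes such a request (including the `-nonce` extension), decodes the CertID on the responder side, and performs the issuer lookup whose failure surfaces to the client as "Error querying OCSP responder". The issuer name and key bytes are constructed placeholders, and the responder-side lookup is a simplified model, not Dogtag's implementation.

```python
"""Minimal OCSP request (RFC 6960) encoder and responder-side CertID lookup.

Added illustration, not code from the thread, FreeIPA or Dogtag. The issuer
Name and public key bytes at the bottom are constructed placeholders.
"""
import hashlib

SHA1_OID = "1.3.14.3.2.26"            # id-sha1, the hash openssl ocsp uses by default
NONCE_OID = "1.3.6.1.5.5.7.48.1.2"    # id-pkix-ocsp-nonce, what -nonce adds


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """INTEGER; a leading zero keeps values with the top bit set positive."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return tlv(0x02, b)


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID: issuer identified only by SHA-1(issuer Name) and SHA-1(issuer key bits)."""
    alg = tlv(0x30, der_oid(SHA1_OID) + b"\x05\x00")   # AlgorithmIdentifier{sha1, NULL}
    return tlv(0x30, alg
               + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_int(serial))


def build_ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce=None) -> bytes:
    """OCSPRequest{ tbsRequest{ requestList, [2] requestExtensions OPTIONAL } }, unsigned."""
    tbs = tlv(0x30, tlv(0x30, cert_id(issuer_name_der, issuer_key_bits, serial)))
    if nonce is not None:
        # Extension{ extnID, extnValue }; the nonce sits in an inner OCTET STRING
        # inside extnValue, the encoding OpenSSL uses and RFC 8954 specifies.
        ext = tlv(0x30, der_oid(NONCE_OID) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Split a constructed body into its (tag, body) elements."""
    pos, out = 0, []
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def parse_cert_id(request: bytes) -> dict:
    """Responder-side view: the CertID fields of the first (unsigned) request."""
    _, ocsp_req, _ = read_tlv(request)
    tbs = children(ocsp_req)[0][1]
    request_list = next(body for tag, body in children(tbs) if tag == 0x30)
    first_request = children(request_list)[0][1]
    _alg, name_hash, key_hash, serial = children(children(first_request)[0][1])
    return {"issuerNameHash": name_hash[1], "issuerKeyHash": key_hash[1],
            "serial": int.from_bytes(serial[1], "big")}


def locate_issuing_ca(fields: dict, known_cas):
    """Simplified responder lookup: match the CertID hashes against the CAs the
    responder serves. No match means it cannot answer for that serial at all,
    which is the situation the thread's Dogtag log reports as
    'OCSPServlet: Could not locate issuing CA'."""
    for label, name_der, key_bits in known_cas:
        if (fields["issuerNameHash"] == hashlib.sha1(name_der).digest()
                and fields["issuerKeyHash"] == hashlib.sha1(key_bits).digest()):
            return label
    return None


# Constructed placeholders standing in for the subject Name and key of /etc/ipa/ca.crt.
ISSUER_NAME_DER = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3")
                                          + tlv(0x0C, b"Constructed Example CA"))))
ISSUER_KEY_BITS = bytes(range(64))
OTHER_KEY_BITS = bytes(range(64, 128))

if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, 0x14, nonce=b"\x01" * 16)
    fields = parse_cert_id(req)
    print(locate_issuing_ca(fields, [("ipa-ca", ISSUER_NAME_DER, ISSUER_KEY_BITS)]))  # ipa-ca
    # Same serial, but the responder only knows a CA with a different key: None
    print(locate_issuing_ca(fields, [("other", ISSUER_NAME_DER, OTHER_KEY_BITS)]))
```

The practical check this suggests for the symptom in the thread: the file passed to `-issuer` must be the certificate that actually signed serial 0x14 (same subject Name and same key), because the responder matches on those two hashes and nothing else; a responder that knows the CA under a different key, or does not have the CA loaded at all, cannot answer no matter how valid the certificate is.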
