[Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
Anthony Joseph Messina
amessina at messinet.com
Tue Jul 26 10:16:34 UTC 2016
On Tuesday, July 26, 2016 2:40:38 PM CDT Fraser Tweedale wrote:
> On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP
> > > responder" with the following command. I can confirm certificate with
> > > serial 0x14 is present in the system and is not expired/revoked, etc.
> > > I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA"
> > > in the Dogtag output below.
> > >
> > > # /usr/bin/openssl ocsp \
> > >     -issuer /etc/ipa/ca.crt \
> > >     -nonce \
> > >     -CAfile /etc/ipa/ca.crt \
> > >     -url "http://ipa-ca.example.com/ca/ocsp" \
> > >     -serial 0x14
> > >
> > > # rpm -q freeipa-server pki-server
> > > freeipa-server-4.3.1-1.fc24.x86_64
> > > pki-server-10.3.3-1.fc24.noarch
> >
> > Hi Anthony,
> >
> > I wrote this code and I think I know what the issue is. Could you
> > please execute `pki-server db-upgrade -v` as root, then try the OCSP
> > request again?
> >
> > If it works, happy day for you, and for me too because it confirms
> > the issue which I must fix :)
>
> On further investigation, what I thought was the problem cannot be
> the problem. No need to follow my earlier suggestion.
>
> But I found (and fixed) something else. Would you be willing to try
> my COPR build[1]? It contains the linked patch[2] plus whatever is
> between your installed pki version and the Dogtag master branch at
> a307cf68e91327ddbef4b9d7e2bbd3991354831f.
>
> [1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
> [2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch
>
> Alternatively, you can apply the patch and build Dogtag yourself
> (if, e.g., you do not trust my COPR packages, which is fair enough
> ^_^)
Your COPR repo with this patch fixes the OCSP responder issue. Thank you,
Fraser. -A
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
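Added example, not part of this thread or of the FreeIPA/Dogtag code: the same `openssl ocsp` request Anthony ran, exercised offline against a throwaway CA with `openssl ocsp` itself acting as the responder. Everything here (the "Example Lab CA", the "Unrelated CA", the index rows, serials 0x14 and 0x2A) is made up for the demonstration; it assumes only the openssl command-line tool. The third scenario shows what a responder does when it cannot match the request's CertID to the CA it serves, which is the client-visible side of a "Could not locate issuing CA" condition.

```shell
#!/bin/sh
# Added example, not from the thread: exercise `openssl ocsp` as both client and
# responder against a throwaway CA, entirely offline. All names, serials and
# index rows below are made up for the demonstration.
set -eu
W=$(mktemp -d)

# Two self-signed CAs: "ca" is the one the responder speaks for and signs with,
# "other" only exists to play the role of a wrong -issuer.
mkca() { # $1 file stem, $2 CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 \
    -subj "/O=Example Lab/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.crt" >/dev/null 2>&1
}
mkca ca "Example Lab CA"
mkca other "Unrelated CA"

# OpenSSL-style CA database (the index.txt that `openssl ca` would maintain):
# status, expiry, revocation time[,reason], serial in upper-case hex, file, DN.
# `openssl ocsp -index` uses the status, revocation info and serial columns.
{
  printf 'V\t260726000000Z\t\t14\tunknown\t/O=Example Lab/CN=host.example.test\n'
  printf 'R\t260726000000Z\t160725222331Z,keyCompromise\t2A\tunknown\t/O=Example Lab/CN=old.example.test\n'
} > "$W/index.txt"

# Client: build the same request as the thread's command (issuer hashes +
# serial + nonce), but write it to a file instead of posting it to -url.
ocsp_request() { # $1 issuer cert, $2 serial, $3 request DER (out)
  openssl ocsp -issuer "$1" -serial "$2" -nonce -reqout "$3" >/dev/null 2>&1
}

# Responder: answer from the index, signing with the CA key itself. -CA names
# the CA this responder serves; a CertID whose issuerNameHash/issuerKeyHash do
# not match it is answered "unknown", the responder-side analogue of Dogtag's
# "Could not locate issuing CA".
ocsp_respond() { # $1 request DER, $2 response DER (out)
  openssl ocsp -index "$W/index.txt" -CA "$W/ca.crt" \
    -rsigner "$W/ca.crt" -rkey "$W/ca.key" \
    -reqin "$1" -respout "$2" >/dev/null 2>&1
}

# Client: verify the response against the saved request (so the nonce in the
# request is compared with the one echoed in the response; -no_nonce just stops
# openssl from generating a fresh one for -serial) and print the status for
# that serial: good, revoked or unknown. Prints verify-failure if the
# signature/trust check fails. An empty $5 skips verification (-noverify).
ocsp_status() { # $1 request DER, $2 response DER, $3 issuer cert, $4 serial, $5 CAfile or ""
  if [ -n "$5" ]; then trust="-CAfile $5"; else trust="-noverify"; fi
  out=$(openssl ocsp -issuer "$3" -serial "$4" -no_nonce $trust \
          -reqin "$1" -respin "$2" 2>/dev/null) || { echo verify-failure; return 0; }
  printf '%s\n' "$out" | sed -n "s/^$4: //p"
}

# 1. Serial 0x14 is listed as valid: expect "good".
ocsp_request "$W/ca.crt" 0x14 "$W/req14.der"
ocsp_respond "$W/req14.der" "$W/resp14.der"
echo "0x14, correct issuer: $(ocsp_status "$W/req14.der" "$W/resp14.der" "$W/ca.crt" 0x14 "$W/ca.crt")"

# 2. Serial 0x2A is listed as revoked: expect "revoked".
ocsp_request "$W/ca.crt" 0x2A "$W/req2A.der"
ocsp_respond "$W/req2A.der" "$W/resp2A.der"
echo "0x2A, correct issuer: $(ocsp_status "$W/req2A.der" "$W/resp2A.der" "$W/ca.crt" 0x2A "$W/ca.crt")"

# 3. Same serial 0x14, but the CertID is built from the unrelated CA: the
# responder cannot locate that issuing CA and answers "unknown". Verification
# is skipped here because the response is signed by ca.crt, which is not the
# issuer this CertID names, so the trust check would reject it.
ocsp_request "$W/other.crt" 0x14 "$W/req14o.der"
ocsp_respond "$W/req14o.der" "$W/resp14o.der"
echo "0x14, wrong issuer: $(ocsp_status "$W/req14o.der" "$W/resp14o.der" "$W/other.crt" 0x14 "")"
```

Against a live responder the same client-side command is used with `-url` in place of `-reqin`/`-respin`, exactly as in the thread; the point of the offline round trip is that a CertID is nothing but the issuer's name hash, key hash and the serial, so whether the responder can "locate the issuing CA" is decided purely by whether those two hashes match a CA the responder knows about, not by anything in the request's transport.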