After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder" with the following command. I can confirm certificate with serial 0x14 is present in the system and is not expired/revoked, etc. I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output below.

# /usr/bin/openssl ocsp \
    -issuer /etc/ipa/ca.crt \
    -nonce \
    -CAfile /etc/ipa/ca.crt \
    -url "http://ipa-ca.example.com/ca/ocsp" \
    -serial 0x14

# rpm -q freeipa-server pki-server
freeipa-server-4.3.1-1.fc24.x86_64
pki-server-10.3.3-1.fc24.noarch

# tail -f /var/log/pki/pki-tomcat/ca/debug
CMSServlet:service() uri = /ca/ocsp
CMSServlet: caOCSP start to service.
IP: 10.77.79.198
CMSServlet: no authMgrName
CMSServlet: in auditSubjectID
CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.77.79.198}
CMSServlet auditSubjectID: subjectID: null
CMSServlet: in auditGroupID
CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.77.79.198}
CMSServlet auditGroupID: groupID: null
checkACLS(): ACLEntry expressions= ipaddress=".*"
evaluating expressions: ipaddress=".*"
evaluated expression: ipaddress=".*" to be true
DirAclAuthz: authorization passed
SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME
Servlet Path=/ocsp
RequestURI=/ca/ocsp
PathInfo=null
Method=POST
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
OCSPServlet: Could not locate issuing CA
CMSServlet.java: renderTemplate
CMSServlet: curDate=Mon Jul 25 17:12:11 CDT 2016 id=caOCSP time=50

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
