Hey Rob,

The directory is there but I don't remember enabling the OCSP service. Here is the content of the directory:

[root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
total 0
lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf -> /etc/pki/pki-tomcat/ocsp
lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs -> /var/log/pki/pki-tomcat/ocsp
lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry -> /etc/sysconfig/pki/tomcat/pki-tomcat

On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:

> Yavor Marinov via FreeIPA-users wrote:
> > Hello all,
> >
> > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will
> > expire soon on 18th of March, I had to check and renew them. But
> > upon trying I saw that all tracked certificates are reporting that they
> > couldn't connect to server. Further checking I've found that
> > [email protected] is not running and the error which the
> > service produces looks like this:
> >
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: cli.execute(sys.argv)
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: super().execute(args)
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: module.execute(module_args)
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: instance.init()
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: super().init()
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: self.enable_subsystems()
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: subsystem.enable()
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: self.instance.deploy_webapp(
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: document = etree.parse(descriptor, parser)
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
> > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> >
> > Any help will be much appreciated as I have to upgrade the certificates
> > within a month.
>
> Did someone try to enable a standalone OCSP service?
>
> Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
>
> rob
