I don't know the safest way to address this. Someone tried to deploy a
standalone OCSP server about two weeks ago based on the dates.

I'm guessing the installation failed. I wasn't able to add one to an IPA
server on RHEL 9.5.

There be dragons if you attempt the following. I'd recommend a full
system backup prior to starting.

Normally to remove a subsystem you'd run: pkidestroy -s OCSP -i pki-tomcat

But that failed for me because there was no registry for the OCSP
service (because installation failed). But still run it. It may do some
things before it dies.

Manually remove cruft left over:

rm -rf /etc/pki/pki-tomcat/ocsp
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat/ocsp
rm -rf /var/lib/pki/pki-tomcat/ocsp
rm -rf /var/log/pki/pki-tomcat/ocsp

Edit /etc/pki/pki-tomcat/server.xml

Find certificateKeyAlias="sslserver"

Replace sslserver with Server-Cert cert-pki-ca

The CA at least starts now. I did a couple of test operations and things
seem to be working ok but who knows for sure.

rob
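The steps in the message above collected into one script, as an added example that is not part of Rob's message and not code from the FreeIPA or Dogtag projects. `PKI_ROOT`, `INSTANCE` and the function names are assumptions made so the functions can be exercised against a scratch directory tree; the paths removed, the `pkidestroy` invocation and the two alias values are the ones the message gives.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: a scripted form of the manual
# cleanup described for a half-installed standalone OCSP subsystem in a
# FreeIPA pki-tomcat instance. PKI_ROOT and INSTANCE are assumptions so the
# functions can be exercised against a scratch tree; on a real server leave
# PKI_ROOT empty so the paths resolve under /.
set -u

PKI_ROOT="${PKI_ROOT:-}"
INSTANCE="${INSTANCE:-pki-tomcat}"

server_xml() { echo "$PKI_ROOT/etc/pki/$INSTANCE/server.xml"; }

# Step 1: try the supported removal first. It is expected to fail when the
# OCSP registry was never written, but it may still clean up some state
# before it dies, so its failure is tolerated rather than fatal.
run_pkidestroy() {
    if command -v pkidestroy >/dev/null 2>&1; then
        pkidestroy -s OCSP -i "$INSTANCE" \
            || echo "pkidestroy failed; continuing with manual cleanup" >&2
    else
        echo "pkidestroy not on PATH; skipping" >&2
    fi
}

# Step 2: remove the four leftover paths. Prints how many of them existed
# (a dangling symlink counts, hence the -L test).
remove_ocsp_leftovers() {
    local removed=0 d
    for d in "$PKI_ROOT/etc/pki/$INSTANCE/ocsp" \
             "$PKI_ROOT/etc/sysconfig/pki/tomcat/$INSTANCE/ocsp" \
             "$PKI_ROOT/var/lib/pki/$INSTANCE/ocsp" \
             "$PKI_ROOT/var/log/pki/$INSTANCE/ocsp"; do
        if [ -e "$d" ] || [ -L "$d" ]; then
            rm -rf -- "$d"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Step 3: point certificateKeyAlias in server.xml back at the CA server
# cert. A timestamped backup is written first. Returns 1 when the
# "sslserver" alias is not present, so re-running is a no-op.
fix_server_xml_alias() {
    local f
    f=$(server_xml)
    [ -f "$f" ] || { echo "missing $f" >&2; return 2; }
    if ! grep -q 'certificateKeyAlias="sslserver"' "$f"; then
        echo "no certificateKeyAlias=\"sslserver\" in $f; nothing to do" >&2
        return 1
    fi
    cp -p -- "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    sed -i 's/certificateKeyAlias="sslserver"/certificateKeyAlias="Server-Cert cert-pki-ca"/' "$f"
}

# Step 4: verify. Prints the number of lines now carrying the CA alias.
check_server_xml_alias() {
    grep -c 'certificateKeyAlias="Server-Cert cert-pki-ca"' "$(server_xml)" || true
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--run" ]; then
    run_pkidestroy
    echo "removed $(remove_ocsp_leftovers) leftover OCSP path(s)"
    fix_server_xml_alias && echo "updated $(server_xml)"
    echo "lines using Server-Cert cert-pki-ca: $(check_server_xml_alias)"
fi
```

Run it as root with `--run` only after the full system backup recommended above; without that argument it defines the functions and does nothing. Once pki-tomcatd starts again, `getcert list` should no longer show the tracked certificates failing to reach the server, and the server.xml backup lets you revert the alias edit if the instance still refuses to start.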

Yavor Marinov wrote:
> Hey Rob,
> 
> The directory is there but I don't remember enabling the OCSP service. Here
> is the content of the directory:
> 
> [root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
> total 0
> lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf ->
> /etc/pki/pki-tomcat/ocsp
> lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs ->
> /var/log/pki/pki-tomcat/ocsp
> lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry ->
> /etc/sysconfig/pki/tomcat/pki-tomcat
> 
> 
> 
> On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:
> 
>     Yavor Marinov via FreeIPA-users wrote:
>     > Hello all,
>     >
>     > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will
>     > expire soon on 18th of March, I had to check and renew them. But
>     > upon trying I saw that all tracked certificates are reporting that
>     > they couldn't connect to server. Further checking I've found that
>     > [email protected] is not running and the error which the
>     > service produces looks like this:
>     >
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     cli.execute(sys.argv)
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().execute(args)
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     module.execute(module_args)
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     instance.init()
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().init()
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.enable_subsystems()
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     subsystem.enable()
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.instance.deploy_webapp(
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     document = etree.parse(descriptor, parser)
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
>     > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
>     >
>     > Any help will be much appreciated as I have to upgrade the
>     > certificates within a month.
> 
>     Did someone try to enable a standalone OCSP service?
> 
>     Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
> 
>     rob
> 

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
