After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP responder" 
with the following command.  I can confirm that the certificate with serial 0x14 is 
present in the system and is not expired/revoked, etc.  I'm a bit nervous 
about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output 
below.

# /usr/bin/openssl ocsp \
  -issuer /etc/ipa/ca.crt \
  -nonce \
  -CAfile /etc/ipa/ca.crt \
  -url "http://ipa-ca.example.com/ca/ocsp" \
  -serial 0x14

# rpm -q freeipa-server pki-server
freeipa-server-4.3.1-1.fc24.x86_64
pki-server-10.3.3-1.fc24.noarch

# tail -f /var/log/pki/pki-tomcat/ca/debug
CMSServlet:service() uri = /ca/ocsp
CMSServlet: caOCSP start to service.
IP: 10.77.79.198
CMSServlet: no authMgrName
CMSServlet: in auditSubjectID
CMSServlet: auditSubjectID auditContext {locale=en_US, ipAddress=10.77.79.198}
CMSServlet auditSubjectID: subjectID: null
CMSServlet: in auditGroupID
CMSServlet: auditGroupID auditContext {locale=en_US, ipAddress=10.77.79.198}
CMSServlet auditGroupID: groupID: null
checkACLS(): ACLEntry expressions= ipaddress=".*"
evaluating expressions: ipaddress=".*"
evaluated expression: ipaddress=".*" to be true
DirAclAuthz: authorization passed
SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS

In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
SignedAuditEventFactory: create() message created for eventType=ROLE_ASSUME

Servlet Path=/ocsp
RequestURI=/ca/ocsp
PathInfo=null
Method=POST
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
OCSPServlet: Could not locate issuing CA
CMSServlet.java: renderTemplate
CMSServlet: curDate=Mon Jul 25 17:12:11 CDT 2016 id=caOCSP time=50


-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D  D1C9 FF31 3BDB D9D8 99B6

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project