On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP 
> > responder" 
> > with the following command.  I can confirm certificate with serial 0x14 is 
> > present in the system and is not expired/revoked, etc.  I'm a bit nervous 
> > about the "OCSPServlet: Could not locate issuing CA" in the Dogtag output 
> > below.
> > 
> > # /usr/bin/openssl ocsp \
> >   -issuer /etc/ipa/ca.crt \
> >   -nonce \
> >   -CAfile /etc/ipa/ca.crt \
> >   -url "http://ipa-ca.example.com/ca/ocsp"; \
> >   -serial 0x14
> > 
> > # rpm -q freeipa-server pki-server
> > freeipa-server-4.3.1-1.fc24.x86_64
> > pki-server-10.3.3-1.fc24.noarch
> > 
> Hi Anthony,
> 
> I wrote this code and I think I know what the issue is.  Could you
> please execute `pki-server db-upgrade -v` as root, then try the OCSP
> request again?
> 
> If it works, happy day for you, and for me too because it confirms
> the issue which I must fix :)
> 
On further investigation, what I thought was the problem cannot be
the problem.  No need to follow my earlier suggestion.

But I found (and fixed) something else.  Would you be willing to try
my COPR build[1]?  It contains the linked patch[2] plus whatever is
between your installed pki version and the Dogtag master branch at
a307cf68e91327ddbef4b9d7e2bbd3991354831f.

[1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
[2] 
https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch

Alternatively, you can apply the patch and build Dogtag yourself
(if, e.g., you do not trust my COPR packages, which is fair enough
^_^)

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to