On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP
> > responder" with the following command. I can confirm the certificate
> > with serial 0x14 is present in the system and is not expired/revoked,
> > etc. I'm a bit nervous about the "OCSPServlet: Could not locate issuing
> > CA" in the Dogtag output below.
> >
> > # /usr/bin/openssl ocsp \
> >     -issuer /etc/ipa/ca.crt \
> >     -nonce \
> >     -CAfile /etc/ipa/ca.crt \
> >     -url "http://ipa-ca.example.com/ca/ocsp" \
> >     -serial 0x14
> >
> > # rpm -q freeipa-server pki-server
> > freeipa-server-4.3.1-1.fc24.x86_64
> > pki-server-10.3.3-1.fc24.noarch
>
> Hi Anthony,
>
> I wrote this code and I think I know what the issue is. Could you
> please execute `pki-server db-upgrade -v` as root, then try the OCSP
> request again?
>
> If it works, happy day for you, and for me too because it confirms
> the issue which I must fix :)
>
On further investigation, what I thought was the problem cannot be
the problem. No need to follow my earlier suggestion.

But I found (and fixed) something else. Would you be willing to try
my COPR build? It contains the linked patch plus whatever is between
your installed pki version and the Dogtag master branch at
a307cf68e91327ddbef4b9d7e2bbd3991354831f.

https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/

https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch

Alternatively, you can apply the patch and build Dogtag yourself (if,
e.g., you do not trust my COPR packages, which is fair enough ^_^)

Thanks,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
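The thread turns on whether "Error querying OCSP responder" comes from the client command or from the Dogtag side ("OCSPServlet: Could not locate issuing CA"). A quick way to separate the two is to run exactly the same `openssl ocsp` client invocation against a responder you control. The script below is an added example, not part of the thread and not FreeIPA or Dogtag code: it builds a throwaway CA with `openssl ca`, issues a certificate with serial 0x14 to mirror Anthony's case, serves its index with the stock `openssl ocsp` responder on an assumed local port (18765), and then queries it with the same client flags (`-issuer`, `-nonce`, `-CAfile`, `-url`, `-serial`), before and after revoking the certificate. All paths, names and the port are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): throwaway CA plus a
# local openssl OCSP responder, queried with the same client flags as in
# the thread. Requires only the openssl CLI; everything lives in a tmpdir.
set -eu

WORK=$(mktemp -d)
PORT=18765          # assumed free local port for the test responder
RESP_PID=
trap 'kill "$RESP_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl-ca layout (constructed test data, not a real IPA CA).
setup_ca() {
  mkdir -p newcerts
  : > index.txt
  echo 14 > serial                 # next issued cert gets serial 0x14
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir           = .
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = any_pol
[ any_pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Test IPA CA" -days 365 -config ca.cnf -extensions v3_ca 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=host.example.test" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.crt 2>/dev/null
}

# Same client invocation as in the thread, pointed at the local responder.
# Prints the status token (good|revoked|unknown) for the given serial, or
# nothing if the responder could not be reached or the response failed.
ocsp_status() {
  openssl ocsp -issuer ca.crt -nonce -CAfile ca.crt \
    -url "http://127.0.0.1:$PORT" -serial "$1" 2>/dev/null \
    | awk -v s="$1" -F': ' '$1 == s { print $2; exit }'
}

# Serve index.txt with openssl's built-in responder, signed by the CA key.
start_responder() {
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -port "$PORT" >/dev/null 2>&1 &
  RESP_PID=$!
  i=0
  while [ -z "$(ocsp_status 0x14)" ]; do     # poll until it answers
    i=$((i + 1))
    [ "$i" -lt 20 ] || { echo "responder did not start" >&2; return 1; }
    sleep 1
  done
}

stop_responder() {
  [ -n "$RESP_PID" ] || return 0
  kill "$RESP_PID" 2>/dev/null || true
  wait "$RESP_PID" 2>/dev/null || true
  RESP_PID=
}

setup_ca
start_responder
STATUS_BEFORE=$(ocsp_status 0x14)      # issued and valid: good
STATUS_UNKNOWN=$(ocsp_status 0x99)     # never issued by this CA: unknown
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
stop_responder                         # restart so the responder re-reads the index
start_responder
STATUS_AFTER=$(ocsp_status 0x14)       # now revoked
printf 'serial 0x14 before: %s, unknown serial: %s, 0x14 after revoke: %s\n' \
  "$STATUS_BEFORE" "$STATUS_UNKNOWN" "$STATUS_AFTER"
```

If the same client command returns "good" here but "Error querying OCSP responder" against the IPA CA, the client flags are not the problem and the fault is on the responder side, which is consistent with the Dogtag log line Anthony quoted. Note that `-CAfile` is what lets the client print "Response verify OK"; a responder whose signing certificate does not chain to that file will fail verification even when the status lookup itself succeeds.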