Hi,
I use a freshly compiled OCSP server 0.6.2 on Sun Solaris 8.
It's configured with an LDAP server to retrieve the CRL; reloading the CRL works well. Revocation is OK on the next crl_auto_reload.
But when my LDAP CRL expires (every 24 h), the OCSP server doesn't reload it correctly...
And it says in the log: CRL is EXPIRED [ ldap_ca_1 ]
Why? Any suggestions?
Yann
My OCSPd configuration file:
[ ocspd ]
# Entry section: names the section that holds the daemon settings.
# The default ocspd section
default_ocspd = OCSPD_default
####################################################################
[ OCSPD_default ]
# Daemon settings; selected by default_ocspd in [ ocspd ].
# Base directory; the paths below are built from it through $dir expansion,
# so it must stay defined before they are.
dir = /usr/local/openca-ocspd/etc/ocspd
# database index file.
db = $dir/index.txt
# Message digest algorithm.
md = sha1
# CA certificate the revocation data refers to.
ca_certificate = $dir/certs/MyCaCert.pem
# Responder certificate and its private key.
# NOTE(review): the key file should be readable only by the account the
# daemon runs as -- confirm its permissions on the host.
ocspd_certificate = $dir/certs/OcspServer.pem
ocspd_key = $dir/private/OcspServer.key
pidfile = $dir/ocspd.pid
# Account the daemon runs as.
# NOTE(review): root is used here, presumably because port 80 below needs it
# to bind; if the daemon does not drop privileges after binding, a dedicated
# unprivileged account is the safer choice -- confirm against the ocspd docs.
user = root
group = daemon
# Listen address and TCP port; "*" presumably means all interfaces.
bind = *
port = 80
# Process and request limits (max_req_size presumably in bytes -- confirm).
max_childs_num = 2
clients_per_server = 100
max_req_size = 8192
# CRL reload and validity-check intervals (presumably seconds -- confirm).
# NOTE(review): crl_check_validity (200) is shorter than crl_auto_reload
# (300), so a CRL can be found expired before the next scheduled reload;
# whether crl_reload_expired = yes covers that window is the first thing
# to check against the reported "CRL is EXPIRED" log line.
crl_auto_reload = 300
crl_check_validity = 200
crl_reload_expired = yes
# Sections holding the response options and the CRL data source.
response = ocsp_response
dbms = dbms_ldap
####################################################################
[ ocsp_response ]
# Response options; selected by response in [ OCSPD_default ].
dir = /usr/local/openca-ocspd/etc/ocspd
# Extra certificates added to each response (presumably the responder's
# chain, judging by the file name -- confirm).
ocsp_add_response_certs = $dir/certs/chain_certs.pem
ocsp_add_response_keyid = yes
# NOTE(review): both values are zero, so presumably no nextUpdate is set in
# responses and clients get no hint when to refresh -- confirm against the
# ocspd documentation.
next_update_days = 0
next_update_mins = 0
####################################################################
[ dbms_ldap ]
# CRL source list; selected by dbms in [ OCSPD_default ].
# Entry 0 refers (via "@") to the [ ldap_ca_1 ] section.
0.ca = @ldap_ca_1
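[ ldap_ca_1 ]
# LDAP CRL source for entry 0.ca of [ dbms_ldap ].
# NOTE(review): plaintext ldap:// on port 389; the CRL's integrity then rests
# on the daemon verifying the CRL signature against ca_url -- confirm that
# check is performed.
crl_url = ldap://mydap.pki.equant.net:389
# DN of the entry holding the CRL and the attribute read from it.
# Each key is given exactly once: duplicate keys are resolved differently by
# different parsers (first-wins, last-wins or error).
crl_entry_dn = "o=Organization"
crl_entry_attribute = "certificateRevocationList;binary"
# CA certificate for this source (file URL); presumably used to verify the
# CRL signature -- confirm.
ca_url = file:////usr/local/openca-ocspd/etc/ocspd/certs/MyCaCert.pem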
####################################################################
