I compiled the new version 0.6.4, and I am happy to see all the corrected bugs! Thanks!
But now, auto-reload doesn't want to work at all.
After the second CRL reload, the father process dies, and the children become their own fathers.
So, my daemon isn't stable....
Perhaps I misconfigured my ocsp.conf...
But the doc about CRL update via LDAP is very light...
For example, if I don't add:
ca_url = file:////usr/local/openca-ocspd/etc/ocspd/certs/myCaCert.pem
in my dbms_ldap section, OCSPD responds: "request for non reckognized CA" .... when I try to make a good request.
But with that, OCSPD won't start in -v verbose mode ... Segmentation Fault .... without -v, ocspd works...
Strange...
Could anyone give me a working and stable example of an LDAP configuration?
Log:
ps -ef | grep openca
root 686 679 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 685 679 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 687 679 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 679 1 0 17:16:16 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
Next CRL reload (the children are still operational, but without the father process...):
ps -ef | grep openca
root 686 1 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 685 1 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 687 1 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
One of my ocspd.conf files:
[ ocspd ]
default_ocspd = OCSPD_default # The default ocspd section
####################################################################
[ OCSPD_default ]
dir = /usr/local/openca-ocspd//etc/ocspd # Where everything is kept
db = $dir/index.txt # database index file.
md = sha1
ca_certificate = $dir/certs/MyCaCert.pem # The CA certificate
ocspd_certificate = $dir/certs/MyServerCert.pem # The OCSP server cert
ocspd_key = $dir/private/MyServer.key # The OCSP server key
pidfile = $dir/ocspd.pid # Main process pid
#user = ocspd ----> ocspd won't start with another user than root ... on Solaris, it isn't able to set up the socket... ?
user = root
group = daemon
bind = 57.250.227.100
port = 80
max_req_size = 8192
#crl_auto_reload = 3600
crl_auto_reload = 400
#crl_check_validity = 600
crl_check_validity = 100
crl_reload_expired = yes
response = ocsp_response
dbms = dbms_ldap
####################################################################
[ ocsp_response ]
dir = /usr/local/openca-ocspd//etc/ocspd
ocsp_add_response_certs = $dir/certs/chain_certs.pem
ocsp_add_response_keyid = yes
next_update_days = 0
next_update_mins = 0
####################################################################
[ dbms_ldap ]
0.ca = @ldap_ca_1
[ ldap_ca_1 ]
crl_url = ldap://myldap.net:389
crl_entry_dn = "o=MYOrg"
crl_entry_attribute = "certificateRevocationList;binary"
ca_url = file:////usr/local/openca-ocspd/etc/ocspd/certs/myCaCert.pem
ca_entry_dn = "o=MYOrg"
Yann
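The two ps captures in the post show the failure mode directly: before the reload the three workers (685, 686, 687) have the master 679 as their parent; after the second CRL reload the master is gone and the workers have been re-parented to PID 1, so nothing will reload the CRL again or respawn a crashed worker. The check below is an added example, not code from the post or from the OpenCA ocspd project: it parses `ps -ef` output (Solaris/Linux column layout assumed) and flags the case where no matching process has children among the others, i.e. the master has died. The two sample captures are the ones quoted above, embedded as constructed input.

```python
"""Check a `ps -ef` capture for an ocspd master/worker tree that has lost its master."""
from typing import Dict, List, Optional

# Constructed sample input: the two `ps -ef | grep openca` captures quoted in
# the post, taken before and after the second CRL reload.
# Column layout assumed (Solaris/Linux `ps -ef`): UID PID PPID C STIME TTY TIME CMD
PS_BEFORE_RELOAD = """\
root 686 679 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 685 679 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 687 679 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 679 1 0 17:16:16 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
"""

PS_AFTER_RELOAD = """\
root 686 1 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 685 1 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
root 687 1 0 17:19:37 pts/1 0:00 /usr/local/openca-ocspd/sbin/openca-ocspd -c /usr/local/openca-ocspd/etc/ocspd/
"""


def parse_ps_ef(text: str) -> List[Dict[str, object]]:
    """Parse `ps -ef` lines into dicts.

    Assumes STIME is a single token (HH:MM:SS) as in the captures above; a
    date-style STIME such as "Jan 12" would shift the columns by one.
    """
    procs: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or not parts[1].isdigit():
            continue  # header line or unrelated text
        uid, pid, ppid, _c, stime, tty, _time, cmd = parts
        procs.append({"uid": uid, "pid": int(pid), "ppid": int(ppid),
                      "stime": stime, "tty": tty, "cmd": cmd})
    return procs


def check_daemon_tree(ps_text: str, name: str = "openca-ocspd") -> Dict[str, object]:
    """Classify the processes whose command line contains `name`.

    The master is the matching process that has other matching processes as
    children. A non-master whose PPID is not another matching PID has been
    re-parented to init: its master is gone. "healthy" requires exactly one
    master and no orphaned workers.
    """
    procs = [p for p in parse_ps_ef(ps_text) if name in str(p["cmd"])]
    pids = {p["pid"] for p in procs}
    parents_with_children = {p["ppid"] for p in procs if p["ppid"] in pids}
    masters = [p["pid"] for p in procs if p["pid"] in parents_with_children]
    master: Optional[int] = masters[0] if len(masters) == 1 else None
    workers = [p["pid"] for p in procs if p["pid"] != master]
    orphaned = [p["pid"] for p in procs
                if p["pid"] != master and p["ppid"] not in pids]
    return {
        "master": master,
        "workers": workers,
        "orphaned_workers": orphaned,
        "healthy": master is not None and not orphaned,
    }


if __name__ == "__main__":
    for label, capture in (("before reload", PS_BEFORE_RELOAD),
                           ("after reload", PS_AFTER_RELOAD)):
        print(label, check_daemon_tree(capture))
```

Run it periodically (at an interval shorter than crl_auto_reload) and alert when "healthy" turns false; the orphaned workers keep answering requests with the last CRL they loaded, which is exactly the state that is easy to miss without such a check.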
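One thing the posted ocspd.conf does show is that the CA certificate is referenced twice with different spellings: `ca_certificate = $dir/certs/MyCaCert.pem` in [OCSPD_default] and `ca_url = file:////usr/local/openca-ocspd/etc/ocspd/certs/myCaCert.pem` in [ldap_ca_1]. On a case-sensitive filesystem these are two different files, so one of the two sections points at a file that does not exist; whether that is what ocspd trips over is not something the post settles. The checker below is an added example, not code from the post or from OpenCA: it reads the OpenSSL-style config syntax ocspd uses (`[ section ]`, `key = value`, `#` comments, `$dir` expansion, `@section` references), follows ocspd -> default_ocspd -> dbms -> N.ca, and compares the CA certificate path each CA section names with ca_certificate. The sample config is the posted one trimmed to the keys the check uses, with the values unchanged.

```python
"""Parse an ocspd.conf (OpenSSL config syntax) and cross-check the CA certificate
references between the main section and the dbms_ldap CA sections."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# Constructed sample: the ocspd.conf posted above, trimmed to the keys this
# check uses; every value is as posted.
SAMPLE_CONF = """\
[ ocspd ]
default_ocspd = OCSPD_default          # The default ocspd section
[ OCSPD_default ]
dir = /usr/local/openca-ocspd//etc/ocspd   # Where everything is kept
ca_certificate = $dir/certs/MyCaCert.pem   # The CA certificate
dbms = dbms_ldap
[ dbms_ldap ]
0.ca = @ldap_ca_1
[ ldap_ca_1 ]
crl_url = ldap://myldap.net:389
crl_entry_dn = "o=MYOrg"
crl_entry_attribute = "certificateRevocationList;binary"
ca_url = file:////usr/local/openca-ocspd/etc/ocspd/certs/myCaCert.pem
ca_entry_dn = "o=MYOrg"
"""

Section = Dict[str, str]


def parse_conf(text: str) -> Dict[str, Section]:
    """Minimal OpenSSL-config reader: `[ name ]` sections, `key = value`, `#`
    comments, `$var` expanded from keys already set in the same section.
    Values containing a literal `#` are not handled (none occur in the post)."""
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        val = val.strip('"')
        scope = sections[current]
        val = re.sub(r"\$(\w+)", lambda mm: scope.get(mm.group(1), mm.group(0)), val)
        scope[key] = val
    return sections


def normalize_path(path: str) -> str:
    """Collapse repeated slashes ("//etc" and "file:////usr" both appear in the post)."""
    return re.sub(r"/{2,}", "/", path)


def file_url_to_path(url: str) -> Optional[str]:
    """Return the filesystem path named by a file:// URL, or None for other schemes."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        return None
    return normalize_path(unquote(parsed.path))


def check_ca_consistency(conf_text: str) -> List[str]:
    """Follow ocspd -> default_ocspd -> dbms -> N.ca = @section and compare each CA
    section's ca_url with ca_certificate in the main section.
    Returns human-readable findings; an empty list means nothing to report."""
    cfg = parse_conf(conf_text)
    issues: List[str] = []
    main = cfg.get(cfg.get("ocspd", {}).get("default_ocspd", ""), {})
    ca_cert = normalize_path(main.get("ca_certificate", ""))
    dbms = cfg.get(main.get("dbms", ""), {})
    for key, ref in sorted(dbms.items()):
        if not (re.fullmatch(r"\d+\.ca", key) and ref.startswith("@")):
            continue
        name = ref[1:]
        ca_sec = cfg.get(name)
        if ca_sec is None:
            issues.append(f"{key} points at missing section [{name}]")
            continue
        if urlparse(ca_sec.get("crl_url", "")).scheme != "ldap":
            issues.append(f"[{name}] crl_url is not an ldap:// URL")
        url_path = file_url_to_path(ca_sec.get("ca_url", ""))
        if url_path is None:
            issues.append(f"[{name}] has no file:// ca_url")
        elif url_path != ca_cert:
            how = "case differs" if url_path.lower() == ca_cert.lower() else "different path"
            issues.append(f"[{name}] ca_url {url_path} != ca_certificate {ca_cert} ({how})")
    return issues


if __name__ == "__main__":
    for finding in check_ca_consistency(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

On the posted values the checker reports a single finding, the MyCaCert.pem / myCaCert.pem case mismatch; with both spellings made identical it reports nothing. Extending it with an `os.path.exists` check on the expanded paths is the natural next step when run on the real host.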
