Hello,

I have a problem using the ocspd server v 1.1.0a. The server keeps responding trylater when I send an OCSP request.

I use a Debian distribution. I installed the OCSP server using the archive OpenCA-OCSPD-1.1.0-pre1.tar.gz.

I ran ./configure --disable-openldap for the installation.

I start the server using the command line

ocspd -v -c /etc/ocspd/ocspd.conf

Everything seems OK.

OpenCA's OCSP Responder
(c) 2002-2004 by Massimiliano Pala and OpenCA Group
OpenCA licensed software

The corresponding sequence in the file /var/log/daemon/log is

Dec 6 11:11:00 purpledev ocspd[703]: OpenCA OCSPD v1.1.0a - starting.
Dec 6 11:11:00 purpledev ocspd[703]: Using configuration from /etc/ocspd/ocspd.conf
Dec 6 11:11:00 purpledev ocspd[703]: section set to OCSPD_default
Dec 6 11:11:00 purpledev ocspd[703]: reading certificate file (//etc/ocspd/certs/ocspd_cert.pem).
Dec 6 11:11:00 purpledev ocspd[703]: Reading Private Key file //etc/ocspd/private/ocspd_key.pem
Dec 6 11:11:00 purpledev ocspd[703]: reading CA certificate file.
Dec 6 11:11:00 purpledev ocspd[703]: OCSP Daemon setup completed
Dec 6 11:11:00 purpledev ocspd[703]: variable lookup failed for OCSPD_default::max_childs_num
Dec 6 11:11:00 purpledev ocspd[703]: Auto CRL reload every 3600 secs
Dec 6 11:11:00 purpledev ocspd[703]: Reload on expired CRLs DISABLED
Dec 6 11:11:00 purpledev ocspd[703]: Number of CAs in configuration is 1
Dec 6 11:11:00 purpledev ocspd[703]: CA CERT for first_ca loaded successfully.
Dec 6 11:11:00 purpledev ocspd[703]: CA List Entry added (CA list num 0)
Dec 6 11:11:00 purpledev ocspd[703]: CRL is in PEM format
Dec 6 11:11:00 purpledev ocspd[703]: CRL loaded [ first_ca ]
Dec 6 11:11:00 purpledev ocspd[703]: CRL and CA cert [0:1] check ok
Dec 6 11:11:00 purpledev ocspd[703]: CRL matching CA cert ok [ 1 ]
Dec 6 11:11:00 purpledev ocspd[703]: 1 CRL Entries [ first_ca ]
Dec 6 11:11:00 purpledev ocspd[703]: CRL loaded successfully [first_ca]
Dec 6 11:11:00 purpledev ocspd[703]: variable lookup failed for ocsp_response::ocsp_add_response_certs
Dec 6 11:11:00 purpledev ocspd[703]: CRL validity check every 0 sec.
Dec 6 11:11:00 purpledev ocspd[703]: Configuration loaded and parsed
Dec 6 11:11:00 purpledev ocspd[703]: Successfully binded to *:8888
Dec 6 11:11:00 purpledev ocspd[703]: Pre-Spawning 5 processes (live 0)
Dec 6 11:11:00 purpledev ocspd[703]: Add Child to List child [704]
Dec 6 11:11:00 purpledev ocspd[703]: Add Child to List child [705]
Dec 6 11:11:00 purpledev ocspd[703]: Add Child to List child [706]
Dec 6 11:11:00 purpledev ocspd[703]: Add Child to List child [707]
Dec 6 11:11:00 purpledev ocspd[703]: Add Child to List child [708]
Dec 6 11:11:00 purpledev ocspd[703]: server.c:804 Active Childrens [ 5 ]

But when I try to send an OCSP request (using openssl), the answer is always trylater.

[EMAIL PROTECTED]:openssl ocsp -issuer /etc/ocspd/certs/cacert.pem -cert certTest.pem -url http://localhost:8888/ -resp_text -respout ./ocspResp.der -CApath ./trusted

openssl@purpledev:/openssl/test$ ./mkOcspRequest.sh intermediate/certs/example.cert.pem
Responder Error: trylater (3)

The corresponding sequence in the file /var/log/daemon/log is

Dec 6 11:12:00 purpledev ocspd[704]: request for certificate serial 2

Here is my configuration file ocspd.conf.

[ ocspd ]
default_ocspd = OCSPD_default # The default ocspd section

[ OCSPD_default ]
dir = //etc/ocspd # Where everything is kept
db = $dir/index.txt # database index file.
md = sha1
ca_certificate = $dir/certs/cacert.pem # The CA certificate
ocspd_certificate = $dir/certs/ocspd_cert.pem # The OCSP server cert
ocspd_key = $dir/private/ocspd_key.pem # The OCSP server key
pidfile = $dir/ocspd.pid # Main process pid
user = ocspd
group = daemon
bind = *
port = 8888
max_req_size = 8192
crl_auto_reload = 3600
crl_check_validity = 0
crl_reload_expired = no
response = ocsp_response
dbms = dbms_file
engine = off

[ ocsp_response ]
dir = //etc/ocspd
ocsp_add_response_certs = $dir/certs/chain_certs.pem
ocsp_add_response_keyid = yes
next_update_days = 0
next_update_mins = 5

[ dbms_file ]
0.ca = @first_ca

[ first_ca ]
crl_url = file://///etc/ocspd/crls/crl_01.pem
ca_url = file://///etc/ocspd/certs/cacert.pem

I'm confused because I cannot get more logs… Is there a problem in my configuration file?

I wonder if it can be a problem with my certificates. Here is the description of the files I use:

$dir/certs/cacert.pem is issued by a root CA. This intermediate CA has signed the OCSP certificate $dir/certs/ocspd_cert.pem, and issued the CRL file /etc/ocspd/crls/crl_01.pem.

Thanks in advance for your help.

David
[Openca-Users] Problem ocspd : trylater
GUYOMARCH David Ext VIACCESS-DT Wed, 07 Dec 2005 01:51:08 -0800
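
A triage aid for the startup log in the message above, added here as an example and not part of the original post or of the OCSPD code base: it cross-checks each "variable lookup failed for SECTION::KEY" log line against the posted configuration, separating keys that are absent from the file from keys that are defined yet still reported as failed. The reader is a simplified parser for the file layout shown in the post (an assumption, not OCSPD's own loader), and the inputs are excerpts copied from the post.

```python
import re

# Excerpts copied from the post's ocspd.conf and daemon log (shortened).
CONF = """\
[ OCSPD_default ]
dir = //etc/ocspd # Where everything is kept
pidfile = $dir/ocspd.pid # Main process pid
[ ocsp_response ]
dir = //etc/ocspd
ocsp_add_response_certs = $dir/certs/chain_certs.pem
"""
LOG = """\
Dec 6 11:11:00 purpledev ocspd[703]: variable lookup failed for OCSPD_default::max_childs_num
Dec 6 11:11:00 purpledev ocspd[703]: Auto CRL reload every 3600 secs
Dec 6 11:11:00 purpledev ocspd[703]: variable lookup failed for ocsp_response::ocsp_add_response_certs
"""

SECTION = re.compile(r"^\[\s*(\w+)\s*\]$")
FAILED = re.compile(r"variable lookup failed for (\w+)::(\w+)")


def parse_conf(text):
    """Simplified reader: {section: {key: value}}, comments stripped, $dir expanded."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = conf.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.replace("$dir", current.get("dir", "$dir"))
    return conf


def failed_lookups(log_text, conf):
    """Map each failed SECTION::KEY to 'absent' or the value the config gives it."""
    result = {}
    for section, key in FAILED.findall(log_text):
        value = conf.get(section, {}).get(key)
        result[f"{section}::{key}"] = "absent" if value is None else f"defined as {value}"
    return result


if __name__ == "__main__":
    for name, status in failed_lookups(LOG, parse_conf(CONF)).items():
        print(f"{name}: {status}")
```

On these excerpts, max_childs_num is absent from the file, while ocsp_add_response_certs is defined in [ ocsp_response ] yet still appears in the log as a failed lookup.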
