Thank you, Lutz, I have checked this - it is a normal PEM-formatted CRL. After upgrading to version 1.1.1a, CRL via HTTP is working well. But...

It seems that the OCSP server downloads CRLs in a slightly different way than wget. After some tests I discovered that the OpenCA OCSP server connects to the HTTP resource not by name (i.e. http://www.company.com/crl/cacrl.crl), but by IP address, resolved from the HTTP host name (i.e. http://123.45.67.8/crl/cacrl.crl). In my configuration I have several different websites on one IP, so the web server just does not know where to find this "/crl/cacrl.crl". I think it can be a bug, but I haven't checked the newest version of OpenCA OCSP - 1.5.1. It uses pthreads, but I just do not want to install something new on my old FreeBSD 4.11 machine. Can somebody test such a CRL downloading configuration and write the result here?

Regards,
Dmitrij

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 16, 2007 10:05 PM
To: [email protected]
Subject: Re: [Openca-Users] OCSP configuration

Dmitrij,

Can you have a look in your CRL file after wget? Is it still a valid CRL format? Sometimes, depending on MIME types, a web server can give just a wrong format.

Lutz

> -----Original Message-----
> From: Users' Help and Suggestions <[email protected]>
> Sent: 16.05.07 13:36:33
> To: tips and discussions about OpenCA installation and management.'" <[email protected]>
> Subject: [Openca-Users] OCSP configuration
>
> Hello all,
>
> I'm trying to tune my OCSP server a little bit, based on the OpenCA OCSP daemon, and cannot figure out why it does not work with CRLs via HTTP.
>
> In the ocsp.conf file I can choose file://// , http:// and ldap:// variants for obtaining the CRL. file://// is working quite well. Now I want to switch to http:// . After changing this line:
>
> crl_url = file:////usr/local/etc/ocspd/crl/cacrl.crl
>
> to this line:
>
> crl_url = http://crl.company.com/myca/cacrl.crl
> (HTTP URL is checked with wget - it is working.)
>
> I see some errors in the ocsp log:
>
> May 16 14:01:25 srv041 ocspd[92530]: Error Loading CRL for [ q_vs_ca ]
> May 16 14:01:25 srv041 ocspd[92530]: CRL loaded [ q_vs_ca ]
> May 16 14:01:25 srv041 ocspd[92530]: CRL missing
> May 16 14:01:25 srv041 ocspd[92530]: CRL/CA check error [ q_vs_ca:-1 ]
> May 16 14:01:25 srv041 ocspd[92530]: No Entries for CRL (@q_vs_ca)
> May 16 14:01:25 srv041 ocspd[92530]: CRL loaded successfully [q_vs_ca]
>
> The OCSP daemon version is 1.1.0.
>
> Sure, I can update it to the newest one, but maybe I am just doing something wrong with the configuration?
>
> Also, I am interested: is it possible to log not only startup/rehash events, but also the fact of OCSP requests?
>
> Regards,
>
> Dmitrij
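The symptom described in the top message can be reproduced locally. This is an added example, not part of the thread and not OpenCA code: a server that selects the site by Host header alone serves the CRL when the Host header carries the name and returns 404 when it carries the IP. It assumes a client that connects by IP also sends the IP as the Host value; the handler, function names and placeholder CRL body are constructed, while the host name, IP and path are the ones quoted in the message.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a name-based virtual host table: Host -> {path: body}.
CRL = b"-----BEGIN X509 CRL-----\n(constructed placeholder)\n-----END X509 CRL-----\n"
VHOSTS = {"www.company.com": {"/crl/cacrl.crl": CRL}}

class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Pick the site from the Host header only, as a shared-IP web server does.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = VHOSTS.get(host, {}).get(self.path)
        if body is None:
            self.send_error(404, "no such path on this virtual host")
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def fetch_status(port, host_header, path="/crl/cacrl.crl"):
    """GET path from the local server, sending host_header as the Host value."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def compare_fetches():
    """Return (status with the name in Host, status with the IP in Host)."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return fetch_status(port, "www.company.com"), fetch_status(port, "123.45.67.8")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(compare_fetches())
```

Against a real deployment, the same comparison of the two Host values in the web server's access log shows whether the CRL fetch is reaching the intended virtual host.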
