Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
On Tue, Jul 26, 2016 at 05:16:34AM -0500, Anthony Joseph Messina wrote:
> On Tuesday, July 26, 2016 2:40:38 PM CDT Fraser Tweedale wrote:
> > On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> > > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP
> > > > responder" with the following command. I can confirm certificate with
> > > > serial 0x14 is present in the system and is not expired/revoked, etc.
> > > > I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA"
> > > > in the Dogtag output below.
> > > >
> > > > # /usr/bin/openssl ocsp \
> > > >     -issuer /etc/ipa/ca.crt \
> > > >     -nonce \
> > > >     -CAfile /etc/ipa/ca.crt \
> > > >     -url "http://ipa-ca.example.com/ca/ocsp" \
> > > >     -serial 0x14
> > > >
> > > > # rpm -q freeipa-server pki-server
> > > > freeipa-server-4.3.1-1.fc24.x86_64
> > > > pki-server-10.3.3-1.fc24.noarch
> > > >
> > > Hi Anthony,
> > >
> > > I wrote this code and I think I know what the issue is. Could you
> > > please execute `pki-server db-upgrade -v` as root, then try the OCSP
> > > request again?
> > >
> > > If it works, happy day for you, and for me too because it confirms
> > > the issue which I must fix :)
> > >
> > On further investigation, what I thought was the problem cannot be
> > the problem. No need to follow my earlier suggestion.
> >
> > But I found (and fixed) something else. Would you be willing to try
> > my COPR build[1]? It contains the linked patch[2] plus whatever is
> > between your installed pki version and the Dogtag master branch at
> > a307cf68e91327ddbef4b9d7e2bbd3991354831f.
> >
> > [1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
> > [2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch
> >
> > Alternatively, you can apply the patch and build Dogtag yourself
> > (if, e.g., you do not trust my COPR packages, which is fair enough
> > ^_^)
>
> Your COPR repo with this patch fixes the OCSP responder issue. Thank you
> Fraser. -A
>
Thank you for testing! Patch will now be reviewed by Dogtag team and
hopefully we can get an official build out soon.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
On Tuesday, July 26, 2016 2:40:38 PM CDT Fraser Tweedale wrote:
> On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> > On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP
> > > responder" with the following command. I can confirm certificate with
> > > serial 0x14 is present in the system and is not expired/revoked, etc.
> > > I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA"
> > > in the Dogtag output below.
> > >
> > > # /usr/bin/openssl ocsp \
> > >     -issuer /etc/ipa/ca.crt \
> > >     -nonce \
> > >     -CAfile /etc/ipa/ca.crt \
> > >     -url "http://ipa-ca.example.com/ca/ocsp" \
> > >     -serial 0x14
> > >
> > > # rpm -q freeipa-server pki-server
> > > freeipa-server-4.3.1-1.fc24.x86_64
> > > pki-server-10.3.3-1.fc24.noarch
> > >
> > Hi Anthony,
> >
> > I wrote this code and I think I know what the issue is. Could you
> > please execute `pki-server db-upgrade -v` as root, then try the OCSP
> > request again?
> >
> > If it works, happy day for you, and for me too because it confirms
> > the issue which I must fix :)
> >
> On further investigation, what I thought was the problem cannot be
> the problem. No need to follow my earlier suggestion.
>
> But I found (and fixed) something else. Would you be willing to try
> my COPR build[1]? It contains the linked patch[2] plus whatever is
> between your installed pki version and the Dogtag master branch at
> a307cf68e91327ddbef4b9d7e2bbd3991354831f.
>
> [1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
> [2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch
>
> Alternatively, you can apply the patch and build Dogtag yourself
> (if, e.g., you do not trust my COPR packages, which is fair enough
> ^_^)

Your COPR repo with this patch fixes the OCSP responder issue. Thank you
Fraser.

-A

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
On Tue, Jul 26, 2016 at 01:45:19PM +1000, Fraser Tweedale wrote:
> On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> > After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP
> > responder" with the following command. I can confirm certificate with
> > serial 0x14 is present in the system and is not expired/revoked, etc.
> > I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA"
> > in the Dogtag output below.
> >
> > # /usr/bin/openssl ocsp \
> >     -issuer /etc/ipa/ca.crt \
> >     -nonce \
> >     -CAfile /etc/ipa/ca.crt \
> >     -url "http://ipa-ca.example.com/ca/ocsp" \
> >     -serial 0x14
> >
> > # rpm -q freeipa-server pki-server
> > freeipa-server-4.3.1-1.fc24.x86_64
> > pki-server-10.3.3-1.fc24.noarch
> >
> Hi Anthony,
>
> I wrote this code and I think I know what the issue is. Could you
> please execute `pki-server db-upgrade -v` as root, then try the OCSP
> request again?
>
> If it works, happy day for you, and for me too because it confirms
> the issue which I must fix :)
>
On further investigation, what I thought was the problem cannot be
the problem. No need to follow my earlier suggestion.

But I found (and fixed) something else. Would you be willing to try
my COPR build[1]? It contains the linked patch[2] plus whatever is
between your installed pki version and the Dogtag master branch at
a307cf68e91327ddbef4b9d7e2bbd3991354831f.

[1] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/build/420751/
[2] https://fedorahosted.org/pki/attachment/ticket/2420/pki-ftweedal-0128-Fix-CA-OCSP-responder-when-LWCAs-are-not-in-use.patch

Alternatively, you can apply the patch and build Dogtag yourself
(if, e.g., you do not trust my COPR packages, which is fair enough
^_^)

Thanks,
Fraser
Re: [Freeipa-users] "Could not locate issuing CA" when querying OCSP responder
On Mon, Jul 25, 2016 at 05:23:31PM -0500, Anthony Joseph Messina wrote:
> After upgrading to FreeIPA 4.3.1, I am getting "Error querying OCSP
> responder" with the following command. I can confirm certificate with
> serial 0x14 is present in the system and is not expired/revoked, etc.
> I'm a bit nervous about the "OCSPServlet: Could not locate issuing CA"
> in the Dogtag output below.
>
> # /usr/bin/openssl ocsp \
>     -issuer /etc/ipa/ca.crt \
>     -nonce \
>     -CAfile /etc/ipa/ca.crt \
>     -url "http://ipa-ca.example.com/ca/ocsp" \
>     -serial 0x14
>
> # rpm -q freeipa-server pki-server
> freeipa-server-4.3.1-1.fc24.x86_64
> pki-server-10.3.3-1.fc24.noarch
>
Hi Anthony,

I wrote this code and I think I know what the issue is. Could you
please execute `pki-server db-upgrade -v` as root, then try the OCSP
request again?

If it works, happy day for you, and for me too because it confirms
the issue which I must fix :)

Thanks,
Fraser
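As an added example that is not part of this thread or of FreeIPA/Dogtag: a POSIX shell helper that turns the output of the `openssl ocsp` query quoted above into a single verdict, refusing to treat a "good" status as trustworthy unless the response signature verified against -CAfile and the nonce sent with -nonce came back. The function name and the sample outputs are constructed here; the matched strings are the ones `openssl ocsp` prints.

```shell
#!/bin/sh
# Added example, not from the thread. Feed the combined stdout+stderr of
# `openssl ocsp` on stdin; $1 is the -serial argument exactly as given.
# Exit status: 0 = good, 1 = revoked, 2 = anything that must not be trusted.
ocsp_verdict() {
    serial="$1"
    out=$(cat)
    # The responder itself failed (the symptom reported in this thread).
    if printf '%s\n' "$out" | grep -q 'Error querying OCSP responder'; then
        echo responder-error; return 2
    fi
    # Without this line the response was unsigned or signed by a key that
    # does not chain to -CAfile, so a "good" below would be meaningless.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK$'; then
        echo unverified; return 2
    fi
    # -nonce was sent; a response without it could be a replayed old answer.
    if printf '%s\n' "$out" | grep -q 'WARNING: no nonce in response'; then
        echo nonce-missing; return 2
    fi
    if printf '%s\n' "$out" | grep -Fxq "$serial: good"; then
        echo good; return 0
    elif printf '%s\n' "$out" | grep -Fxq "$serial: revoked"; then
        echo revoked; return 1
    fi
    echo unknown; return 2   # "unknown" status, or serial not in response
}

# Constructed sample outputs, shaped like openssl's summary lines.
SAMPLE_GOOD='Response verify OK
0x14: good
	This Update: Jul 26 00:00:00 2016 GMT'
SAMPLE_NONONCE='WARNING: no nonce in response
Response verify OK
0x14: good'
SAMPLE_ERR='Error querying OCSP responder'

# Live usage with the command from the thread (stderr must be merged):
#   openssl ocsp -issuer /etc/ipa/ca.crt -nonce -CAfile /etc/ipa/ca.crt \
#       -url "http://ipa-ca.example.com/ca/ocsp" -serial 0x14 2>&1 \
#       | ocsp_verdict 0x14
```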