On Mon, Oct 14, 2019 at 05:50:47PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 14 Oct 2019, Kevin Vasko wrote:
> > Welp, I'm an idiot and you are completely 100% correct.
> >
> > It was indeed revoked, but the http server's certificate was revoked
> > and not the client, which is where I was focusing 100% of my
> > debugging. Which clears up a LOT of things. I originally was loading
> > the ca.crt on an Ubuntu machine a few days prior to this and it was
> > working completely fine. After a few days I was getting the
> > "SEC_ERROR_REVOKED_CERTIFICATE" when I went back to try it again.
> >
> > However, what doesn't make sense to me is all of the commands I was
> > running to check the certs were telling me that the certs were 100%
> > okay and not revoked...
> >
> > I ran this command, which is supposedly supposed to tell me if my cert
> > is okay with OCSP:
> >
> > openssl ocsp -issuer /etc/ipa/ca.crt -cert /etc/ipa/ca.crt -text -url
> > http://ipa-ca.exmple.com/ca/ocsp -header "HOST" "ipa.exmple.com"
> >
> > I was getting a
> >
> > -----END CERTIFICATE-----
> > Response verify OK
> > /etc/ipa/ca.crt: good
> >
> > And there was nothing in the result saying that it was expired on my
> > client machines.
> CA certificate is not revoked, service certificate is. So you are
> verifying the status of the wrong certificate in the command above.
>
> > Can you maybe describe the appropriate way to debug this in the
> > future? I was obviously doing it incorrectly. Which CA logs are you
> > meaning? Are you meaning on the FreeIPA servers? Are you meaning the
> > http service itself? Where are you meaning "present in OCSP"? The key
> > to this was my seeing the certificates for the http/service not
> > showing up in the FreeIPA server UI. Once I recreated the http/service
> > certificate the Firefox error went away.
> Since I don't know what your setup is (are you using the integrated CA or
> are you trying to use some external CA?), I was trying to give a generic
> answer that would be valid in both cases.
>
> There is no need to revoke IPA service certificates in the course of
> normal action. So I guess you did that by your explicit act.
>
> FreeIPA CA (Dogtag) is automatically maintaining its OCSP responder.
> This means when you revoke a certificate, it is added to OCSP at the next
> synchronization point in time.

For clarification: under the default configuration OCSP responses will
immediately show that the cert is revoked. CRL updates happen on a
schedule (every 15 minutes by default). There is a mode where OCSP reads
from the CRL cache, but this is not the default configuration.

> After that the 'openssl ocsp' command would
> be able to see it is revoked. However, you need to test the right
> certificate -- instead of passing '-cert /etc/ipa/ca.crt', you need to
> pass the cert you want to test for revocation.
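The point made in the thread, that `openssl ocsp` only reports on the certificate handed to `-cert` and that asking about the CA certificate says nothing about a revoked service certificate, can be reproduced offline. The script below is an added example and is not code from the thread, from FreeIPA or from Dogtag: it builds a throw-away CA with plain `openssl` in a temporary directory, issues and revokes a service certificate, answers OCSP requests from the CA's own `index.txt` using `openssl ocsp` in file-based responder mode (no network listener), and then asks the two questions the thread did. The CA name `Demo IPA CA`, the host name `ipa.demo.example`, the file names and the fixed expiry column value are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA/Dogtag code): a local throw-away
# CA stands in for the FreeIPA CA so the whole OCSP exchange runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for `openssl req` and `openssl ca` (constructed for the demo).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[ svc_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
subjectAltName   = DNS:ipa.demo.example
EOF

build_demo_ca() {
    mkdir -p newcerts; : > index.txt; echo 1000 > serial
    # Self-signed CA, the stand-in for /etc/ipa/ca.crt.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key 2>/dev/null
    openssl req -new -x509 -config ca.cnf -key ca.key -subj '/CN=Demo IPA CA' \
        -days 30 -out ca.crt 2>/dev/null
    # HTTP service certificate issued by that CA, then revoked (the thread's situation).
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out svc.key 2>/dev/null
    openssl req -new -config ca.cnf -key svc.key -subj '/CN=ipa.demo.example' -out svc.csr 2>/dev/null
    openssl ca -batch -config ca.cnf -extensions svc_cert -notext -in svc.csr -out svc.crt 2>/dev/null
    openssl ca -config ca.cnf -revoke svc.crt -crl_reason keyCompromise 2>/dev/null
    # index.txt is the CA database the responder answers from. A CA never lists its
    # own serial there, so a "V" (valid) row is appended for it; that mirrors the
    # "good" Dogtag returned for the CA certificate. Only the status column and the
    # serial are consulted by the responder; the expiry value is a constructed filler.
    ca_serial=$(openssl x509 -in ca.crt -noout -serial | cut -d= -f2)
    printf 'V\t301231235959Z\t\t%s\tunknown\t/CN=Demo IPA CA\n' "$ca_serial" >> index.txt
}

# ocsp_status <cert.pem>: build a request for the given certificate, let the local
# responder answer it from index.txt, verify the response against the CA, and print
# the one-word status from the "<file>: <status>" summary line ("good", "revoked", ...).
ocsp_status() {
    cert=$1
    openssl ocsp -issuer ca.crt -cert "$cert" -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    out=$(openssl ocsp -issuer ca.crt -cert "$cert" -no_nonce -CAfile ca.crt -respin resp.der 2>&1)
    case $out in
        *"Response verify OK"*) ;;              # signature and responder chain checked
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
    printf '%s\n' "$out" | awk -v c="$cert:" '$1 == c { print $2 }'
}

build_demo_ca
# The command quoted in the thread asks about the CA certificate itself: "good" here
# says nothing about the service certificate.
echo "wrong target (CA cert):      $(ocsp_status ca.crt)"
# Passing the service certificate to -cert is what reveals the revocation.
echo "right target (service cert): $(ocsp_status svc.crt)"
```

Run it as `sh demo.sh`; it prints `good` for the CA certificate and `revoked` for the service certificate. `ocsp_status` keeps `-issuer` before `-cert`, because `openssl ocsp` builds the request's CertID from whatever issuer was given so far, and it requires the "Response verify OK" line on stderr before trusting the status, so a response the CA did not sign is reported as a failure rather than as a status. On a live FreeIPA server the equivalent check is the thread's command with the service certificate (for example the one served by the HTTP service) in place of `/etc/ipa/ca.crt`.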