On Wed, Sep 04, 2019 at 12:33:27PM -0000, David Etchen via FreeIPA-users wrote:
> Hi Guys,
>
> I have a 2 host basic IPA setup both IPA servers are running dns &
> ca. I'm running on Centos 7.6 using freeipa version 4.6.4 &
> dogtag version 10.5.9
>
> I've made a subCA called vpnca and a certificate policy and all
> this is working fine with the exception of OCSP on the 2nd IPA
> box.
>
> The original master works fine and issues OCSP responses for
> certificates issued by the vpnca (subCA) however the replica IPA
> box fails to respond.
>
> I've had a look through the logs and found in the
> /var/log/pki/pki-tomcat/ca/debug log an error on the 2nd box when
> doing an OCSP request against it for a certificate issued by the
> subCA. I should note here that OCSP requests for certificates
> issued by the main IPA CA work fine it's only for ones issued by
> the subCA on the replica that seem to be broken.
>
> I have also spotted the 2nd IPA server complaining that it can't
> get caSigningCert
>
> [04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Running ExternalProcessKeyRetriever
> [04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93, man-fb-ipa-01.testhost.com]
> [04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Failed to retrieve key from any host.
> [04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: KeyRetriever did not return a result.
> [04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Retrying in 1946 seconds
>
> I'm presuming this is the reason OCSP is failing as it can't sign
> the response for the subCA?
>
> Does anyone know if this is a known issue or if there is something
> I need to modify to get the OCSP working on the replica host?
>
> Any help would be greatly appreciated
>
> Thanks
> Dave

Hi Dave,
Indeed OCSP is failing because the key is not present (certificate issuance using the sub-CA will also fail on the replica). So we must investigate why key replication is failing.

When a sub-CA is created, replicas contact the Custodia service on the master and request the key.

First, restart the ipa-custodia service on the master (maybe it is not working properly and a restart will resolve it). You may wish to restart the pki-tomcatd@pki-tomcat service on the *replica* too, because sub-CA key replication attempts use exponential backoff (I see from the log it was up to 1946 seconds).

If key replication is still failing have a look at the journal and the httpd logs on the *master* for clues.

HTH,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
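An added example to go with the reply above (it is not part of this thread, nor FreeIPA or Dogtag code): a small POSIX shell helper that pulls stalled sub-CA key retrievals out of the KeyRetrieverRunner lines in /var/log/pki/pki-tomcat/ca/debug, decides whether the replica is sitting in a long backoff and so is worth restarting rather than waiting, and wraps the restart and log-collection steps Fraser lists. The sample log excerpt is constructed from the lines Dave posted; root ssh access to both hosts, the 300 second backoff threshold, and the /ca/ocsp responder path are assumptions.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread; not FreeIPA/Dogtag code.
# Finds sub-CAs whose signing key never arrived on a replica and wraps
# the remediation from the reply. Hostnames, root ssh, the 300 s
# threshold and the /ca/ocsp path are assumptions.

# Constructed excerpt of /var/log/pki/pki-tomcat/ca/debug, modelled on
# the lines posted in the thread (one log record per line).
SAMPLE_DEBUG_LOG='[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Running ExternalProcessKeyRetriever
[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93, man-fb-ipa-01.testhost.com]
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Failed to retrieve key from any host.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: KeyRetriever did not return a result.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Retrying in 1946 seconds'

# stalled_subca_ids LOGTEXT
# Prints "<authority-id> <peer-host> <retry-seconds>" for every sub-CA
# whose key retrieval from the peer failed.
stalled_subca_ids() {
  printf '%s\n' "$1" | awk '
    # The runner name carries the sub-CA authority id: KeyRetrieverRunner-<uuid>
    match($0, /KeyRetrieverRunner-[0-9a-f-]+/) {
      id = substr($0, RSTART + 19, RLENGTH - 19)
    }
    # Last comma-separated argument of ipa-pki-retrieve-key is the host asked
    /About to execute command/ {
      n = split($0, parts, ", ")
      host = parts[n]; sub(/\]$/, "", host)
      peer[id] = host
    }
    /Failed to retrieve key from any host/ { failed[id] = 1 }
    /Retrying in [0-9]+ seconds/ {
      match($0, /Retrying in [0-9]+/)
      retry[id] = substr($0, RSTART + 12, RLENGTH - 12)
    }
    END { for (i in failed) printf "%s %s %s\n", i, peer[i], retry[i] }'
}

# should_restart_replica_pki LOGTEXT
# Exit 0 when some sub-CA is stuck in a long backoff (>= 300 s, an
# assumed threshold): restarting pki-tomcatd@pki-tomcat on the replica
# forces a fresh retrieval instead of waiting out the timer.
should_restart_replica_pki() {
  stalled_subca_ids "$1" | awk '$3 >= 300 { hit = 1 } END { exit (hit == 1) ? 0 : 1 }'
}

# Remediation from the reply; run by hand, never from the test below.
# Assumes passwordless root ssh to MASTER and REPLICA.
kick_subca_key_replication() {
  master=$1; replica=$2
  ssh "root@$master"  systemctl restart ipa-custodia
  ssh "root@$replica" systemctl restart pki-tomcatd@pki-tomcat
}

# Where to look on the master if retrieval still fails afterwards.
master_clues() {
  ssh "root@$1" 'journalctl -u ipa-custodia --since -1h; tail -n 50 /var/log/httpd/error_log'
}

# ocsp_check HOST CERT_PEM ISSUER_PEM
# Ask HOST's responder about a sub-CA-issued cert to confirm the fix;
# the /ca/ocsp path is assumed (the cert's AIA extension is authoritative).
ocsp_check() {
  openssl ocsp -issuer "$3" -cert "$2" -url "http://$1/ca/ocsp" -resp_text -noverify
}
```

Typical use: copy the replica's debug log somewhere readable, run `stalled_subca_ids "$(cat debug)"` to get the authority id and which host was asked, then `kick_subca_key_replication master replica` and re-run `ocsp_check replica cert.pem vpnca.pem` once the key has arrived.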