On Wed, Sep 04, 2019 at 12:33:27PM -0000, David Etchen via
FreeIPA-users wrote:
Hi Guys,
I have a 2-host basic IPA setup; both IPA servers are running DNS &
CA. I'm running on CentOS 7.6 using FreeIPA version 4.6.4 &
Dogtag version 10.5.9.
I've made a subCA called vpnca and a certificate policy and all
this is working fine with the exception of OCSP on the 2nd IPA
box.
The original master works fine and issues OCSP responses for
certificates issued by the vpnca (subCA); however, the replica IPA
box fails to respond.
I've had a look through the logs and found in the
/var/log/pki/pki-tomcat/ca/debug log an error on the 2nd box when
doing an OCSP request against it for a certificate issued by the
subCA. I should note here that OCSP requests for certificates
issued by the main IPA CA work fine it's only for ones issued by
the subCA on the replica that seem to be broken.
I have also spotted the 2nd IPA server complaining that it can't
get caSigningCert:
[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]:
Running ExternalProcessKeyRetriever
[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]:
About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key,
caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93,
man-fb-ipa-01.testhost.com]
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]:
Failed to retrieve key from any host.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]:
KeyRetriever did not return a result.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]:
Retrying in 1946 seconds
I'm presuming this is the reason OCSP is failing as it can't sign
the response for the subCA?
Does anyone know if this is a known issue or if there is something
I need to modify to get the OCSP working on the replica host?
Any help would be greatly appreciated.
Thanks
Dave
Hi Dave,
Indeed OCSP is failing because the key is not present (certificate
issuance using the sub-CA will also fail on the replica). So we
must investigate why key replication is failing.
When a sub-CA is created, replicas contact the Custodia service on
the master and request the key. First, restart the ipa-custodia
service on the master (maybe it is not working properly and a
restart will resolve it). You may wish to restart the
pki-tomcatd@pki-tomcat service on the *replica* too, because sub-CA
key replication attempts use exponential backoff (I see from the log
it was up to 1946 seconds). If key replication is still failing,
have a look at the journal and the httpd logs on the *master* for
clues.
HTH,
Fraser
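An added example, not part of either mail and not FreeIPA or Dogtag code: a small POSIX shell helper that pulls the sub-CA id, the key nickname, the master host that was tried and the current backoff out of the KeyRetrieverRunner lines in /var/log/pki/pki-tomcat/ca/debug, then prints the checklist from the reply above with those values filled in. The sample log is constructed from the lines Dave quoted (the command line is one line in the real log; a second, earlier "Retrying" line is invented to show that the latest backoff wins). The unit names ipa-custodia and pki-tomcatd@pki-tomcat and the journalctl/httpd log paths are assumed to match a CentOS 7 FreeIPA 4.6 install; nothing here restarts anything, it only prints what to run and where.

```shell
#!/bin/sh
# Constructed sample of /var/log/pki/pki-tomcat/ca/debug on the replica,
# based on the lines quoted in the thread (not captured from a real host).
SAMPLE_DEBUG_LOG=$(mktemp)
cat > "$SAMPLE_DEBUG_LOG" <<'EOF'
[04/Sep/2019:12:51:44][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Failed to retrieve key from any host.
[04/Sep/2019:12:51:44][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Retrying in 973 seconds
[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Running ExternalProcessKeyRetriever
[04/Sep/2019:13:24:01][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93, man-fb-ipa-01.testhost.com]
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Failed to retrieve key from any host.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: KeyRetriever did not return a result.
[04/Sep/2019:13:24:02][KeyRetrieverRunner-dd4ea812-c044-41c0-93bf-ec376c732c93]: Retrying in 1946 seconds
EOF

# Every sub-CA id (the UUID after "KeyRetrieverRunner-") whose retriever
# logged "Failed to retrieve key from any host." in the given log.
failed_subca_ids() {
    grep -F 'Failed to retrieve key from any host' "$1" \
      | sed -n 's/.*KeyRetrieverRunner-\([0-9a-f-]*\).*/\1/p' \
      | sort -u
}

# Master host the retriever contacted for one sub-CA id: the last element
# of the bracketed argument list on the "About to execute command" line.
retrieval_host() {
    grep -F "KeyRetrieverRunner-$2]: About to execute command" "$1" \
      | sed -n 's/.*, \([^],]*\)\]$/\1/p' | tail -n 1
}

# NSS nickname the retriever asked for (second element of the same list).
retrieval_nickname() {
    grep -F "KeyRetrieverRunner-$2]: About to execute command" "$1" \
      | sed -n 's/.*ipa-pki-retrieve-key, \([^,]*\),.*/\1/p' | tail -n 1
}

# Most recent backoff interval for one sub-CA id, in seconds.
next_retry_seconds() {
    grep -F "KeyRetrieverRunner-$2]: Retrying in" "$1" \
      | sed -n 's/.*Retrying in \([0-9]*\) seconds.*/\1/p' | tail -n 1
}

# Print the checks from Fraser's reply for each failing sub-CA. Nothing is
# executed; copy each line to the host it is labelled for.
remediation_plan() {
    log=$1
    for id in $(failed_subca_ids "$log"); do
        host=$(retrieval_host "$log" "$id")
        nick=$(retrieval_nickname "$log" "$id")
        retry=$(next_retry_seconds "$log" "$id")
        cat <<EOF
sub-CA $id: key "$nick" could not be fetched from $host (next retry in ${retry}s)
  on $host (master):
    systemctl restart ipa-custodia
    journalctl -u ipa-custodia -u httpd --since today
    tail -n 50 /var/log/httpd/error_log
  on this replica (restart skips the remaining ${retry}s backoff):
    systemctl restart pki-tomcatd@pki-tomcat
    grep "KeyRetrieverRunner-$id" /var/log/pki/pki-tomcat/ca/debug
EOF
    done
}

# Run against a real debug log if one is given, otherwise the sample above.
remediation_plan "${1:-$SAMPLE_DEBUG_LOG}"
```

Run it as `sh keyretriever-check.sh /var/log/pki/pki-tomcat/ca/debug` on the replica; with no argument it works through the constructed sample. Once the restarts are done, a fresh "About to execute command" line for the same id that is not followed by "Failed to retrieve key from any host" is the sign that the key arrived and sub-CA OCSP and issuance on the replica can be retested.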