On Mon, Oct 14, 2019 at 05:50:47PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Mon, 14 Oct 2019, Kevin Vasko wrote:
> Welp, I'm an idiot and you are completely 100% correct.
>
> It was indeed revoked, but the http servers certificate was revoked
> and not the client..which is where I was focusing 100% of my
> debugging. Which clears up a LOT of things. I originally was loading
> the ca.crt on an Ubuntu machine a few days prior to this and it was
> working completely fine. After a few days I was getting the
> "SEC_ERROR_REVOKED_CERTIFICATE" when I went back to try it again.
>
> However, what doesn't make sense to me is all of the commands I was
> running to check the certs were telling me that the certs were 100%
> okay and not revoked...
>
> I ran this command which is supposedly supposed to tell me if my cert
> is okay with OCSP
>
> openssl ocsp -issuer /etc/ipa/ca.crt -cert /etc/ipa/ca.crt -text -url
> http://ipa-ca.exmple.com/ca/ocsp -header "HOST" "ipa.exmple.com"
>
> I was getting a
>
> -----END CERTIFICATE-----
> Response verify OK
> /etc/ipa/ca.crt: good
>
> And there was nothing in the result saying that it was expired on my
> client machines.
The CA certificate is not revoked, the service certificate is. So you are
verifying the status of the wrong certificate in the command above.
> Can you maybe describe the appropriate way to debug this in the
> future? I was obviously doing it incorrectly. Which CA logs are you
> meaning? Are you meaning on the freeIPA servers? Are you meaning the
> http service itself? Where are you meaning "present in OCSP"? The key
> to this was my seeing the certificates for the http/service not
> showing up in the FreeIPA server UI. Once I recreated the http/service
> certificate the Firefox error went away.
Since I don't know what your setup is (are you using the integrated CA or
are you trying to use some external CA?), I was trying to give a generic
answer that would be valid in both cases.
There is no need to revoke IPA service certificates in the course of
normal operation. So I guess you did that by your explicit act.
FreeIPA CA (Dogtag) is automatically maintaining its OCSP responder.
This means when you revoke a certificate, it is added to OCSP at next
synchronization point in time.
For clarification: under default configuration OCSP responses will
immediately show that cert is revoked. CRL updates happen on a
schedule (every 15 minutes by default).
There is a mode where OCSP reads from CRL cache, but this is not the
default configuration.
> After that the 'openssl ocsp' command would
> be able to see it is revoked. However, you need to test the right
> certificate -- instead of passing '-cert /etc/ipa/ca.crt', you need to
> pass the cert you want to test for revocation.