On Mon, 14 Oct 2019, Kevin Vasko wrote:
Welp, I'm an idiot and you are completely 100% correct.
It was indeed revoked, but the http server's certificate was revoked
and not the client's... which is where I was focusing 100% of my
debugging. Which clears up a LOT of things. I originally was loading
the ca.crt on an Ubuntu machine a few days prior to this and it was
working completely fine. After a few days I was getting the
"SEC_ERROR_REVOKED_CERTIFICATE" when I went back to try it again.
However, what doesn't make sense to me is all of the commands I was
running to check the certs were telling me that the certs were 100%
okay and not revoked...
I ran this command which is supposedly supposed to tell me if my cert
is okay with OCSP
openssl ocsp -issuer /etc/ipa/ca.crt -cert /etc/ipa/ca.crt -text -url http://ipa-ca.exmple.com/ca/ocsp -header "HOST" "ipa.exmple.com"
I was getting a
-----END CERTIFICATE-----
Response verify OK
/etc/ipa/ca.crt: good
And there was nothing in the result saying that it was expired on my
client machines.
CA certificate is not revoked, service certificate is. So you are
verifying status of a wrong certificate in the command above.
Can you maybe describe the appropriate way to debug this in the
future? I was obviously doing it incorrectly. Which CA logs are you
meaning? Are you meaning on the freeIPA servers? Are you meaning the
http service itself? Where are you meaning "present in OCSP"? The key
to this was my seeing the certificates for the http/service not
showing up in the FreeIPA server UI. Once I recreated the http/service
certificate the Firefox error went away.
Since I don't know what your setup is (are you using the integrated CA
or are you trying to use some external CA?), I was trying to give a
generic answer that would be valid in both cases.
There is no need to revoke IPA services certificates in the course of
normal action. So I guess you did that by your explicit act.
FreeIPA CA (Dogtag) is automatically maintaining its OCSP responder.
This means when you revoke a certificate, it is added to OCSP at next
synchronization point in time. After that 'openssl ocsp' command would
be able to see it is revoked. However, you need to test the right
certificate -- instead of passing '-cert /etc/ipa/ca.crt', you need to
pass the cert you want to test for revocation.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
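The mistake and the fix from this exchange, reproduced offline as an added example (a script written for this page, not code from the thread or from FreeIPA/Dogtag): a throwaway CA issues a service certificate, its CA database marks that certificate revoked, and openssl's file-based responder mode (-reqin/-respout) stands in for the network responder. It assumes only the openssl CLI is installed; the CA name, hostname and serial are constructed.

```shell
#!/bin/sh
# Constructed PKI: ca.crt/ca.key, svc.crt (serial 0x1000) and an index.txt in
# "openssl ca" database format that records svc.crt as revoked.
set -eu

make_test_pki() {  # $1 = working directory
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test IPA CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
    -keyout "$d/svc.key" -out "$d/svc.csr" 2>/dev/null
  openssl x509 -req -in "$d/svc.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 4096 -days 1 -out "$d/svc.crt" 2>/dev/null
  # Fields: status (R = revoked), expiry, revocation time, serial (hex), file, subject
  printf 'R\t491231235959Z\t%s\t1000\tunknown\t/CN=ipa.example.test\n' \
    "$(date -u +%y%m%d%H%M%SZ)" > "$d/index.txt"
}

# Responder side: answer one OCSP request from the CA database, the way Dogtag
# answers after it has synchronized a revocation into its responder.
answer_ocsp() {  # $1 = dir, $2 = cert the request is about, $3 = response file
  d=$1
  openssl ocsp -issuer "$d/ca.crt" -cert "$2" -no_nonce -reqout "$d/req.der" \
    >/dev/null 2>&1 || true
  openssl ocsp -index "$d/index.txt" -rsigner "$d/ca.crt" -rkey "$d/ca.key" \
    -CA "$d/ca.crt" -reqin "$d/req.der" -respout "$3" >/dev/null 2>&1
}

# Client side of the thread's command, reading a saved response instead of -url.
# Prints the status openssl reports for $2: good, revoked or unknown.
ocsp_status() {  # $1 = issuer (ca.crt), $2 = cert under test, $3 = response file
  openssl ocsp -issuer "$1" -cert "$2" -CAfile "$1" -no_nonce -respin "$3" \
    2>/dev/null | sed -n "s|^$2: ||p"
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
answer_ocsp "$WORK" "$WORK/svc.crt" "$WORK/svc.resp"
answer_ocsp "$WORK" "$WORK/ca.crt" "$WORK/ca.resp"
# The original command: -cert pointed at the CA cert, so the answer is about the
# CA's own serial (here "unknown"; a production CA may well say "good"). Either
# way it can never show the service certificate's revocation.
echo "ca.crt:  $(ocsp_status "$WORK/ca.crt" "$WORK/ca.crt" "$WORK/ca.resp")"
# The right check: -cert is the service certificate Firefox was rejecting.
echo "svc.crt: $(ocsp_status "$WORK/ca.crt" "$WORK/svc.crt" "$WORK/svc.resp")"
```

Against a live FreeIPA the same client command applies with the HTTP service certificate in -cert and the Dogtag URL in -url, and the status line for that file is the one to read.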