Well that’s the thing, I didn’t realize the service certificate was revoked as I thought
the entire point of validating the client cert was to validate the entire “chain” with
OCSP.
I'm using IPA's internal cert system.
Yeah, I kept reissuing tickets when I was trying to get the post command script to work.
I guess in the process I deleted one too many certs and didn't realize it.
So if I had run the command on the service's cert I should have seen it's revoked?
Is there a command to do exactly what FF is doing for OCSP to validate the cert? Or should
I just manually check each cert, client and service?
Thanks again for all of the help. I think at this point I’m wrapping my head around it at
least.
Now to go mess with Ubuntu to get Firefox to read those system certs since now I know
CentOS 100% works...
-Kevin
> On Oct 14, 2019, at 9:50 AM, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>
> On ma, 14 loka 2019, Kevin Vasko wrote:
>> Welp, I'm an idiot and you are completely 100% correct.
>>
>> It was indeed revoked, but the http servers certificate was revoked
>> and not the client..which is where I was focusing 100% of my
>> debugging. Which clears up a LOT of things. I originally was loading
>> the ca.crt on an Ubuntu machine a few days prior to this and it was
>> working completely fine. After a few days I was getting the
>> "SEC_ERROR_REVOKED_CERTIFICATE" when I went back to try it again.
>>
>> However, what doesn't make sense to me is all of the commands I was
>> running to check the certs were telling me that the certs were 100%
>> okay and not revoked...
>>
>> I ran this command which is supposedly supposed to tell me if my cert
>> is okay with OCSP
>>
>> openssl ocsp -issuer /etc/ipa/ca.crt -cert /etc/ipa/ca.crt -text -url
>> http://ipa-ca.exmple.com/ca/ocsp -header "HOST" "ipa.exmple.com"
>>
>> I was getting a
>>
>> -----END CERTIFICATE-----
>> Response verify OK
>> /etc/ipa/ca.crt: good
>>
>> And there was nothing in the result saying that it was expired on my
>> client machines.
> CA certificate is not revoked, service certificate is. So you are
> verifying status of a wrong certificate in the command above.
>
>> Can you maybe describe the appropriate way to debug this in the
>> future? I was obviously doing it incorrectly. Which CA logs are you
>> meaning? Are you meaning on the freeIPA servers? Are you meaning the
>> http service itself? Where are you meaning "present in OCSP"? The key
>> to this was my seeing the certificates for the http/service not
>> showing up in the FreeIPA server UI. Once I recreated the http/service
>> certificate the Firefox error went away.
> Since I don't know what your setup is (are you using integrated CA or
> you are trying to use some external CA?), I was trying to give a generic
> answer that would be valid in both cases.
>
> There is no need to revoke IPA services certificates in the course of
> normal action. So I guess you did that by your explicit act.
>
> FreeIPA CA (Dogtag) is automatically maintaining its OCSP responder.
> This means when you revoke a certificate, it is added to OCSP at next
> synchronization point in time. After that 'openssl ocsp' command would
> be able to see it is revoked. However, you need to test the right
> certificate -- instead of passing '-cert /etc/ipa/ca.crt', you need to
> pass the cert you want to test for revocation.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
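To make the point in this exchange concrete (asking OCSP about the wrong certificate), here is an added example that is not part of the thread or of FreeIPA: it builds a throwaway CA and service certificate, marks the service certificate revoked in an "openssl ca" style index, serves that index from a local `openssl ocsp` responder in place of the IPA CA's `/ca/ocsp` endpoint, and then runs the same client query once against the CA certificate and once against the service certificate. The port, file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA and service cert plus a local
# OCSP responder, to show why "-cert /etc/ipa/ca.crt" answers "good" while the
# revoked service cert answers "revoked". Needs openssl and a free local port.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (constructed; stands in for /etc/ipa/ca.crt) with a fixed serial 0x01.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 2 \
  -set_serial 0x01 -subj "/CN=Demo CA" 2>/dev/null
# Service certificate (stands in for the HTTP/ principal's cert), serial 0x1001.
openssl req -newkey rsa:2048 -nodes -keyout svc.key -out svc.csr \
  -subj "/CN=ipa.example.test" 2>/dev/null
openssl x509 -req -in svc.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
  -days 1 -out svc.crt 2>/dev/null

# CA database in "openssl ca" index format: status, expiry, revocation time,
# serial (hex), filename, subject. The CA cert is Valid; the service cert is Revoked.
printf 'V\t491231235959Z\t\t01\tunknown\t/CN=Demo CA\n' > index.txt
printf 'R\t491231235959Z\t%s\t1001\tunknown\t/CN=ipa.example.test\n' \
  "$(date -u +%y%m%d%H%M%SZ)" >> index.txt

# Local responder standing in for http://ipa-ca.<domain>/ca/ocsp (port is constructed).
openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
  -port 18080 >/dev/null 2>&1 &
RESP_PID=$!
trap 'kill $RESP_PID 2>/dev/null; rm -rf "$WORK"' EXIT
sleep 2

# Same query shape as in the thread; $1 is the certificate whose status we want.
# Prints the status word (good / revoked / unknown) that openssl reports for it.
ocsp_status() {
  openssl ocsp -issuer ca.crt -cert "$1" -CAfile ca.crt \
    -url http://127.0.0.1:18080 2>/dev/null | sed -n "s|^$1: ||p"
}

ocsp_status ca.crt    # good    (the CA certificate was never revoked)
ocsp_status svc.crt   # revoked (this is the certificate the browser complained about)
```

Against a real IPA deployment the `-issuer` and `-CAfile` stay `/etc/ipa/ca.crt`, `-url` is the CA's `/ca/ocsp` endpoint, and `-cert` is the service certificate (for example the HTTP principal's certificate exported from the NSS database), never the CA certificate itself.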